Fix Gmail Error 550 5.7.26: Email Rejected Due to DMARC Policy

Gmail is rejecting your email with error 550 5.7.26 because it fails DMARC authentication. Learn exactly why this happens and how to fix it.

6 min readerrorsThomas Johnson

What This Error Means

Gmail error 550 5.7.26 is a permanent rejection. Gmail rejected the message due to DMARC failure and the sending domain's DMARC policy. A p=reject policy typically maps to SMTP rejection; p=quarantine usually maps to spam-folder handling, though Gmail's exact disposition can vary. The fix requires correcting SPF, DKIM, or DMARC alignment for the failing sending source.

The 550 5.7.26 status code follows the enhanced mail status code format defined in RFC 5321. The full error message is typically:

550-5.7.26 This mail has been blocked because the sender is unauthenticated.
Gmail requires all senders to authenticate with either SPF or DKIM.

or:

550-5.7.26 Unauthenticated email from [domain] is not accepted due to
domain's DMARC policy. Please contact the administrator of [domain].

Gmail is telling you that:

  1. The email failed DMARC because authentication and/or alignment requirements were not met
  2. The sending domain has a DMARC policy that instructs Gmail to block unauthenticated messages

This is a permanent rejection — Gmail will not accept this message until the authentication issues are resolved.

Why Gmail Is Stricter Now

Since February 2024, Gmail has progressively tightened authentication requirements. As of 2026, Gmail requires:

  • SPF or DKIM authentication for all senders
  • DMARC alignment for domains with published DMARC policies
  • Valid authentication even for low-volume senders

These requirements are detailed in the Bulk Sender Requirements guide. The 5.7.26 error specifically occurs when the sender's domain has a DMARC policy of p=quarantine or p=reject and the email fails DMARC authentication.

Step-by-Step Diagnosis

Step 1: Check Your DMARC Policy

Use the mxio DMARC Checker on the sending domain. Look at:

  • Policy (p=): Is it quarantine or reject?
  • Alignment mode: Is it relaxed (default) or strict?
  • Subdomain policy (sp=): Does it affect subdomains differently?

If you are the domain administrator and you recently moved to p=reject, this error means some of your legitimate email sources are not properly authenticated yet. Consider temporarily stepping back to p=quarantine while you fix the remaining sources.

Step 2: Check SPF

Use the mxio SPF Checker on the sending domain.

For this error to occur, SPF (RFC 7208) may have failed, or it may have passed but without alignment to the From: domain. Common reasons:

  • The sending server's IP is not in the SPF record
  • The SPF record has too many lookups (PermError)
  • There are multiple SPF records
  • The SPF Return-Path domain does not align with the From: domain (for DMARC purposes)

Step 3: Check DKIM

Use the mxio DKIM Checker on the sending domain with the appropriate selector.

For this error to occur, DKIM (RFC 6376) must also have failed or not aligned. Common reasons:

  • DKIM is not configured on the sending mail server
  • The DKIM public key is not published in DNS
  • The DKIM signature's d= domain does not match the From: domain — see DMARC alignment failure
  • The message body was modified after signing (forwarding, mailing lists)

Step 4: Analyze the Bounce Headers

If you have the full bounce message, paste the headers into the mxio Header Analyzer. Look for the Authentication-Results header (defined in RFC 8601), which shows exactly which checks passed and failed:

Authentication-Results: mx.google.com;
    dkim=fail header.d=example.com;
    spf=softfail (google.com: domain of bounce@thirdparty.com does not designate 1.2.3.4 as permitted sender) smtp.mailfrom=bounce@thirdparty.com;
    dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=example.com

This example shows:

  • DKIM failed
  • SPF returned softfail for thirdparty.com — the sending IP was not fully authorized — and the envelope domain does not align with the From: domain example.com
  • DMARC failed, and Gmail applied the REJECT disposition

Common Scenarios and Fixes

Scenario 1: Third-Party Service Sending on Your Behalf

Problem: Your marketing platform (Mailchimp, HubSpot, etc.) sends email with your From: address, but SPF authenticates as the platform's domain and DKIM signs with the platform's domain.

Fix:

  1. Configure DKIM signing with your domain in the platform's settings (usually involves adding CNAME records to your DNS)
  2. Add the platform's include: to your SPF record
  3. Verify with the mxio DKIM Checker that the key is published correctly

Scenario 2: Email Forwarding Breaks Authentication

Problem: A recipient has email forwarding set up (e.g., old@alumni.edu to user@gmail.com). SPF breaks because the forwarding server is not in your SPF record.

Fix: This is a systemic issue with email forwarding. Your best mitigation:

  1. Ensure DKIM is always configured (it survives forwarding if the body is not modified)
  2. Consider ARC (RFC 8617, Authenticated Received Chain) support on your mail server
  3. You cannot fix the forwarding server's behavior — the forwarding organization needs to implement SRS or ARC

Scenario 3: You Recently Enabled p=reject

Problem: You moved your DMARC policy to p=reject without fully auditing all email sources. See the DMARC deployment guide for the recommended progression path.

Fix:

  1. Step back to p=quarantine or p=none temporarily
  2. Analyze DMARC aggregate reports to identify all unauthorized/misconfigured sources
  3. Fix each source's SPF and DKIM configuration
  4. Monitor for 2-4 weeks until all legitimate sources pass
  5. Re-enable p=reject

Scenario 4: Subdomain Sending Without Authentication

Problem: Your application sends email from notifications@app.yourdomain.com but that subdomain has no SPF/DKIM setup.

Fix:

  1. Publish an SPF record for the subdomain
  2. Configure DKIM for the subdomain
  3. Optionally publish a DMARC record for the subdomain (it inherits the parent by default with relaxed alignment)

Prevention and Ongoing Monitoring

  • Configure DKIM for every sending source — DKIM alignment is more reliable than SPF for DMARC because it survives forwarding
  • Add SPF includes for all services before they start sending
  • Monitor DMARC reports to catch new unauthorized sources early
  • Test before enforcing — Stay on p=none until reports confirm all sources pass
  • Follow the bulk sender requirements for any high-volume sending

Set up domain health monitoring to catch DMARC authentication failures the moment they happen. mxio monitors your DMARC configuration continuously — you know the moment alignment breaks, before it causes 5.7.26 rejections.

Was this article helpful?

Related Articles

Why Is DMARC Failing? Causes and How to Fix Iterrors

DMARC authentication is failing for your domain. Understand the most common causes — alignment issues, missing records, third-party senders — and fix them.

DMARC Alignment Failure: Why SPF/DKIM Pass But DMARC Failserrors

SPF and DKIM both pass but DMARC still fails? The problem is alignment. Learn what DMARC alignment means and how to fix relaxed vs strict alignment issues.

Why Are My Emails Going to Spam? How to Fix Iterrors

Emails landing in spam? Diagnose the most common causes — missing authentication, blacklisted IPs, content issues — and fix them step by step.

Google, Yahoo, and Microsoft Bulk Sender Requirements (2026)guides

Complete guide to bulk sender authentication requirements from Gmail, Yahoo Mail, and Microsoft. SPF, DKIM, DMARC, unsubscribe headers, and spam rate thresholds.

Email Bounce Error Codes Explained: 550, 554, 421 and Moreguides

Complete reference for SMTP bounce codes. Understand what 550 5.7.1, 554 5.7.1, 421 4.7.0 and other email error codes mean and how to fix them.