PASSED | infrastructure / spf_dkim_dmarc_misconfig

SPF/DKIM/DMARC Misconfiguration — Emails Rejected

After a DNS migration, SPF, DKIM, and DMARC records are not properly recreated. Outbound emails are rejected by major providers (Gmail, Microsoft) due to authentication failures, and the company's email reputation score drops rapidly.

Pattern: SERVER_ERROR
Severity: CRITICAL
Confidence: 92%
Remediation: Remote Hands

Test Results

| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | SERVER_ERROR | SERVER_ERROR | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 4 linked | |
| Cascade Escalation | N/A | No | |

Remediation: Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

Domain migrated to new DNS provider. SPF record missing the primary mail server IP. DKIM key record truncated during migration. DMARC policy set to p=reject. Gmail and Microsoft rejecting 100% of outbound email. 500 users affected.

Injected Error Messages (1)

Outbound email authentication failing — SPF check failing: sender IP not in SPF record after DNS migration, DKIM signature verification failing: public key record truncated, DMARC policy p=reject causing all emails to be dropped by recipients, Gmail returning '550 SPF: domain does not designate sender as permitted', Microsoft 365 rejecting with 'DKIM signature validation failed', 100% of outbound email being rejected, 500 users unable to send external email

Neural Engine Root Cause Analysis

The email authentication failure is directly caused by a DNS migration that broke critical email authentication records. The sender IP is no longer included in the SPF record, the DKIM public key record appears truncated (likely DNS propagation or configuration issue), and the strict DMARC policy (p=reject) is causing all emails to be rejected when SPF and DKIM checks fail. This is a DNS configuration issue affecting all outbound email authentication mechanisms simultaneously.

Remediation Plan

1. Immediately verify DNS propagation status for the domain's email authentication records (SPF, DKIM, DMARC).
2. Check the current SPF record and add the missing sender IP address to the authorized sender list.
3. Investigate and fix the truncated DKIM public key record - likely needs to be split into multiple TXT records or have syntax corrected.
4. Consider temporarily changing DMARC policy from p=reject to p=quarantine to reduce impact while fixing SPF/DKIM.
5. Test email authentication using external tools after each DNS change.
6. Monitor DNS propagation across multiple resolvers before declaring resolution.

Tested: 2026-03-30 | Monitors: 1 | Incidents: 1 | Test ID: cmnck24tb068oobqelgpjygtw