Authentication-Results Header
The Authentication-Results header records SPF, DKIM, and DMARC outcomes for each email. Learn how it works and how DMARCeye uses it for visibility.
What is the Authentication-Results Header?
The Authentication-Results header is an automatically added field in email messages that shows the outcome of authentication checks performed by the receiving mail server. It records the results of tests like SPF, DKIM, and DMARC, allowing administrators and security tools to verify whether a message passed or failed each layer of email authentication.
An example of a typical Authentication-Results header looks like this:
Authentication-Results: mx.google.com; spf=pass (google.com: domain of sender@example.com designates 192.0.2.5 as permitted sender) smtp.mailfrom=sender@example.com;
dkim=pass header.d=example.com;
dmarc=pass (p=reject sp=reject dis=none) header.from=example.com
This information is primarily used by mail systems, but it’s also critical for diagnosing delivery problems, analyzing DMARC reports, and confirming that legitimate mail sources are configured correctly.
How Authentication-Results Works
When a receiving mail server (MTA) accepts a message, it immediately runs several authentication checks:
- SPF (Sender Policy Framework): Confirms whether the sending IP address is authorized to send mail for the domain in the “Envelope From” address.
- DKIM (DomainKeys Identified Mail): Verifies that the email’s digital signature is valid and matches the public key in DNS.
- DMARC: Checks whether the domain in the “From” header aligns with the SPF and DKIM results.
After completing these checks, the mail server writes a summary of the results into the Authentication-Results header. This header travels with the message so that downstream systems (like spam filters, security gateways, and end-user clients) can make informed decisions about message trustworthiness.
Each receiving domain (for example, Gmail, Outlook, or Yahoo) adds its own Authentication-Results header, so a message may accumulate multiple headers as it passes through intermediate servers.
The Role of Authentication-Results in Email Security
The Authentication-Results header is a vital transparency mechanism in email delivery. It provides a clear audit trail for how each receiving system evaluated the message.
Administrators rely on it to:
- Troubleshoot failed SPF, DKIM, or DMARC checks.
- Confirm which mail servers are passing authentication.
- Investigate spoofing, phishing, or misconfiguration issues.
Because it’s automatically generated and cryptographically linked to message integrity, this header is one of the most reliable sources of truth about how an email was authenticated.
Authentication-Results and DMARCeye
DMARCeye collects and interprets authentication results from DMARC aggregate reports, which are built from these same underlying Authentication-Results headers. By consolidating this data across thousands of messages, DMARCeye helps you:
- See which sources are passing or failing SPF and DKIM.
- Identify unauthorized senders using your domain.
- Visualize the alignment between authentication outcomes and your DMARC policy.
In short, DMARCeye turns the technical data in Authentication-Results headers into actionable insights, making it easier to strengthen authentication and protect your domain reputation.
Sign up for a free trial of DMARCeye today and secure your email domain.
To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.