gmailemail-errorsspfdkimdmarctroubleshooting

Solved: How to Fix Gmail Error 550 5.7.26 'This mail is unauthenticated'

Updated Jan 2026

DmarcBeacon Team6 min read

Your Emails Are Being Blocked—Here's the Fix

If you're seeing this error, Gmail is actively rejecting your emails:

550-5.7.26 This mail is unauthenticated, which poses a security risk to the 
sender and Gmail users, and has been blocked. The sender must authenticate 
with at least one of SPF or DKIM.

Translation: Google cannot verify you are the legitimate sender of this email. Until you prove your identity via DNS records, your messages will be blocked.

Don't panic. This is fixable. Let's get your emails delivered.

Why This Is Happening

Gmail requires authentication before accepting emails. Without it, anyone could send emails pretending to be you.

To prove you're legitimate, you need one or more of these DNS records:

RecordPurpose
SPFDeclares which servers can send email for your domain
DKIMAdds a cryptographic signature to prove the email wasn't tampered with
DMARCTies SPF and DKIM together with a policy

If none of these are set up—or if they're misconfigured—Gmail blocks your mail.

Fix 1: SPF (The Usual Suspect)

SPF is the most common cause of this error. It's also the easiest to fix.

Check If You Have SPF

Run this command in your terminal:

dig TXT yourdomain.com +short

Or use DmarcBeacon for an instant scan.

If you see no SPF record, that's your problem.

Add the SPF Record

Go to your DNS provider and add a TXT record:

FieldValue
TypeTXT
Name@
Valuev=spf1 include:_spf.google.com ~all
TTL1 Hour

Important: Replace include:_spf.google.com with your actual email provider. See the table below.

Common SPF includes:

ProviderInclude Statement
Google Workspaceinclude:_spf.google.com
Microsoft 365include:spf.protection.outlook.com
SendGridinclude:sendgrid.net
Mailchimpinclude:servers.mcsv.net
Amazon SESinclude:amazonses.com
HubSpotinclude:email.hubspot.com
Salesforceinclude:_spf.salesforce.com

If you use multiple providers, combine them:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Warning: SPF has a 10 DNS lookup limit. If you exceed it, SPF fails entirely.

Fix 2: DKIM (The Cryptographic Proof)

SPF alone isn't always enough—especially for forwarded emails.

When an email is forwarded, the sending IP changes. SPF checks fail because the new server isn't in your SPF record. DKIM survives forwarding because it's attached to the email itself.

Set Up DKIM

DKIM requires two things:

  • 1.Enable DKIM signing in your email provider's settings
  • 2.Add the DKIM public key to your DNS
Google Workspace:
  • 1.Admin Console → Apps → Gmail → Authenticate email
  • 2.Select your domain → Generate new record
  • 3.Add the TXT record to your DNS
SendGrid:
  • 1.Settings → Sender Authentication → Authenticate Your Domain
  • 2.Follow the wizard to get CNAME records
  • 3.Add them to your DNS
The record will look like:

FieldValue
TypeTXT
Namegoogle._domainkey (or your selector)
Valuev=DKIM1; k=rsa; p=MIIBIjANBgkq...

Fix 3: DMARC Alignment

DMARC connects SPF and DKIM and tells Gmail what to do when authentication fails.

If you have SPF and DKIM but still see this error, your alignment might be wrong.

What Is Alignment?

DMARC checks that the domain in the email's "From" header matches:

  • The domain validated by SPF, OR
  • The domain validated by DKIM
If neither matches, DMARC fails—even if SPF and DKIM both pass.

Add a DMARC Record

FieldValue
TypeTXT
Name_dmarc
Valuev=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Start with p=none (monitoring mode) until you're confident everything is working.

The "Forwarding" Trap: CRMs and Third-Party Senders

This is the #1 hidden cause of 550 5.7.26 errors.

If you're sending email through:

  • HubSpot
  • Salesforce
  • Mailchimp
  • Intercom
  • Any CRM or marketing platform
...and you haven't authenticated that platform in your DNS, this error is guaranteed.

The Fix

Every third-party sender must be:

  • 1.Added to your SPF record (their include statement)
  • 2.Configured for DKIM (they provide the key, you add it to DNS)
Check your platform's documentation for their specific SPF include and DKIM setup instructions.

How to Verify Your Fix

Step 1: Wait for DNS Propagation

DNS changes can take 15 minutes to 1 hour to propagate globally.

Step 2: Scan Your Domain

Stop guessing if your fix worked. Run a free instant scan with DmarcBeacon to confirm Google sees your new records.

Step 3: Send a Test Email

Send an email to a Gmail account. Open it and check the headers:

  • 1.Open the email in Gmail
  • 2.Click the three dots (⋮) → Show original
  • 3.Look for:
SPF: PASS
DKIM: PASS
DMARC: PASS

If all three show PASS, you're fixed.

Quick Diagnostic Checklist

CheckHow to Verify
SPF existsdig TXT yourdomain.com +short should show v=spf1...
SPF includes your senderAll services that send email must be in the SPF record
DKIM is enabledCheck your email provider's authentication settings
DKIM DNS record existsdig TXT selector._domainkey.yourdomain.com +short
DMARC existsdig TXT _dmarc.yourdomain.com +short should show v=DMARC1...
No SPF lookup limitMust have ≤10 DNS lookups in SPF

Still Seeing the Error?

If you've added all records and still get blocked:

  • 1.Check for typos in your DNS records (extra spaces, missing semicolons)
  • 2.Verify propagation is complete (can take up to 48 hours in rare cases)
  • 3.Check alignment — the From domain must match SPF or DKIM domain
  • 4.Look for multiple SPF records — you can only have ONE SPF record per domain

Get Back to Sending

The 550 5.7.26 error is frustrating, but it's telling you exactly what's wrong: Gmail can't verify you're legitimate.

Fix your SPF, set up DKIM, and add DMARC. Your emails will flow again.

Scan your domain now with DmarcBeacon to confirm your authentication is working before your next send.

Is your email fixed?

Stop guessing. Confirm Gmail sees your new authentication records.

Scan Now