Sometimes a message gets rejected, deferred, or heavily spam-foldered and the first assumption is "SPF broke" or "DMARC is failing again."
That assumption is often wrong.
Large receivers increasingly treat message formatting defects as sender-trust problems because badly formed mail is common in abusive traffic, broken bulk tooling, and spoofing attempts. So the visible symptom can feel like an authentication issue even when SPF, DKIM, and DMARC are technically fine.
Google's Email sender guidelines make this explicit: messages must be formatted according to RFC 5322, include a valid Message-ID, avoid duplicate single-instance headers, and use only one address in From: for Gmail delivery.
Receivers do not evaluate sender trust in isolated boxes.
They look at the whole message shape:
From: identityIf the headers are malformed, the message can look suspicious even when the cryptographic and DNS pieces pass.
That is why teams sometimes see this pattern:
At that point the next question should not be "how do we force DMARC to pass harder?"
It should be "what does the raw message actually look like?"
Authentication answers who is allowed to send and whether a domain-aligned signature or SPF identity is present.
RFC 5322 answers whether the message itself is structurally well formed.
Those are different layers.
A receiver can absolutely decide:
That is not contradictory. It is normal receiver behavior.
If alignment is the confusing part, DMARC identifier alignment deep dive and Return-Path vs From: practical implications cover the auth side in more detail. This post is about the separate formatting layer that often gets overlooked.
This is one of the biggest ones.
Google explicitly says single-instance headers should appear only once. That includes common fields such as:
From:To:Subject:Date:RFC 5322 also defines the message model in a way that expects only one From: field and one origination Date: field.
What this looks like in practice:
Subject:Subject:From:The receiving side may then treat the message as ambiguous or deceptive, even if DKIM still verifies.
From:This is a subtle one because bare RFC 5322 allows a single From: field to contain more than one mailbox, as long as Sender: is used when required.
Operationally, however, Gmail's sender guidance is stricter: From: should include only one email address.
So a message can be legal enough for some parsers, yet still trigger deliverability problems at major receivers.
If a product or marketing platform is building From: values dynamically, inspect the final raw header, not just the app configuration screen.
Message-IDGoogle specifically calls out the need for a valid Message-ID.
This tends to break in homegrown mailers, old appliances, and systems that assemble messages manually. A missing or malformed Message-ID does not directly break DMARC, but it absolutely makes the message look less trustworthy and less standards-conforming.
From: syntaxCommon examples:
When this happens, different receivers can parse the same header differently. That can create symptoms that look like identity mismatch even when the intended domain is obvious to the sender.
RFC 5322 allows header folding, but only in specific ways. It also imposes a hard line-length limit of 998 characters excluding CRLF, with a much shorter recommended display-friendly limit.
Problems appear when software:
Malformed folding can make the next header look like part of the previous one, or make the field parse differently than intended.
Some systems try to represent forwarding or "send on behalf of" behavior by injecting extra normal originator headers instead of using proper resent fields or a sane single originator model.
That often produces duplicate From: or Date: fields, which then gets interpreted as suspicious message construction.
Start with the delivered sample or the rejected raw message and separate the evidence into two buckets.
Check:
Authentication-ResultsIf those all pass, do not stop there. Passing auth does not clear the message structurally.
For a refresher on reading those headers, DMARC troubleshooting with real headers is the right companion post.
Check the raw header block for:
From:, Date:, Subject:, or To:From:Message-IDThis second bucket is where teams often find the real fault.
A DMARC pass does not prove the message is RFC 5322 clean. It only proves that aligned SPF or DKIM evidence was available.
Do not debug from screenshots, ESP UI summaries, or copied header fragments.
You need the raw source because header folding, duplicate fields, and malformed address syntax are easy to miss once a tool "normalizes" the display.
Look at the actual message instance, not a different test email.
It is very common for one stream to authenticate cleanly while another stream from the same product has a formatting bug or different header-generation path.
Do not assume your mail library prevented duplicates.
Specifically count these in the raw source:
From:Date:Subject:To:Message-ID:If you see two copies of something that should be singular, that is already a strong suspect.
From: field exactly as sentVerify all of this:
From: field existsIf the visible domain is also relevant to DMARC, verify the aligned auth domain matches that same identity story.
Message-ID generationMake sure every message gets one, and only one, properly formed Message-ID.
If different layers can each generate one, decide which layer owns it and remove the duplicate behavior.
This is a common root cause.
The application might build a clean message, but then:
If possible, compare:
When the cause is unclear, send a minimal sample:
From:Date:Message-IDIf that delivers while the production variant fails, add complexity back one layer at a time.
That is usually much faster than guessing.
In other words, the problem is often not DNS at all. It is message assembly.
Prioritize fixes in this order:
From: to one valid mailboxMessage-IDOnly after that should you revisit SPF, DKIM, or DMARC assumptions.
Otherwise it is easy to burn hours "fixing" authentication that was never the real blocker.
This is the part that frustrates operators, but it makes sense.
Malformed mail is disproportionately associated with:
So even when a receiver can technically parse the message, malformed structure is still a strong negative quality signal.
Microsoft and Google both evaluate more than raw pass/fail auth bits when deciding how trustworthy a message is. Microsoft's Email authentication guidance describes implicit and composite authentication, which is a useful reminder that a message can clear SPF or DKIM and still be treated like risky sender behavior.
If a rejection or spam-placement event looks like authentication trouble but the auth results are clean, inspect the message as a formatting problem next.
Check for duplicate headers, invalid From: construction, missing Message-ID, and broken header folding before changing DNS.
In many real incidents, the message was not being rejected because the domain failed to authenticate. It was being rejected because the message looked malformed enough to behave like suspicious mail.