Gmail bounced your message with 550-5.7.26 this mail is unauthenticated. Here is what it means and exactly how to fix it — in plain English.
Under Google's 2024 bulk-sender rules, mail arriving at Gmail must be authenticated. If a message fails SPF and DKIM and has no aligned DMARC pass, Gmail rejects it and returns the 550-5.7.26 code with the note "this mail is unauthenticated." Google hardened this enforcement in November 2025, so messages that used to slip through are now bounced outright.
In short: your domain isn't proving that it authorized the mail. You fix it by publishing three DNS records — SPF, DKIM, and DMARC — and making sure they line up with the From: address your recipients see.
Check (or add) your SPF record. SPF is a single TXT record on your root domain that lists who may send for you. If you send through Google Workspace, it looks like this:
Type: TXT
Host: @ (yourdomain.com)
Value: v=spf1 include:_spf.google.com ~all
Replace or add the include: for every provider you actually send through (your marketing platform, invoicing tool, and so on). You may have only one SPF record.
Enable DKIM at your sending provider. DKIM cryptographically signs your mail. Turn it on in your provider's admin panel — for Google Workspace this is Apps > Google Workspace > Gmail > Authenticate email. The provider gives you a CNAME or TXT record to publish; add it to DNS and then click "Start authentication."
Add a DMARC record. DMARC ties SPF and DKIM to your visible domain and tells Gmail what to do with failures. Add this TXT record:
Type: TXT
Host: _dmarc (_dmarc.yourdomain.com)
Value: v=DMARC1; p=none; rua=mailto:reports@yourdomain.com
The rua address receives the daily aggregate reports that show you which sources pass and fail.
After DNS propagates (allow up to an hour), confirm the records exist. On macOS or Linux use dig:
dig +short TXT yourdomain.com
dig +short TXT _dmarc.yourdomain.com
On Windows use nslookup:
nslookup -type=TXT yourdomain.com
nslookup -type=TXT _dmarc.yourdomain.com
You should see your v=spf1 value on the root domain and your v=DMARC1 value on _dmarc. To confirm DKIM, send yourself a test message and check that authentication passes in the received headers.
A DMARC policy has three levels: p=none (monitor only), p=quarantine (send failures to spam), and p=reject (block failures). Start at p=none. It stops the unauthenticated bounces from blocking legitimate senders while you read your aggregate reports and confirm every real sending source passes. Once your reports show clean, aligned traffic, move to p=quarantine, then to p=reject for full protection against spoofing.
v=spf1 TXT record makes SPF fail. Merge every provider into a single record.include/lookup mechanisms. Exceeding that causes a permerror and SPF fails.news.yourdomain.com needs its own SPF and DKIM setup, and DMARC alignment for that subdomain — the root record alone won't cover it.Not sure your records are right? PlainDMARC reads your DMARC aggregate reports and sends you a plain-English weekly verdict — what passed, what failed, and what to change — so you catch problems before Gmail bounces your mail.
Get a plain-English weekly DMARC verdict — join the PlainDMARC waitlist