diff --git a/insights/sender/high_trust_auth_fail.yml b/insights/sender/high_trust_auth_fail.yml
new file mode 100644
index 00000000000..f1991695e54
--- /dev/null
+++ b/insights/sender/high_trust_auth_fail.yml
@@ -0,0 +1,24 @@
+name: "High trust sender domain failed authentication"
+type: "query"
+source: |
+  filter([sender.email.email],
+    sender.email.domain.root_domain in $high_trust_sender_root_domains
+    and (
+      (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+          strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+      or (
+        any(distinct(headers.hops, .authentication_results.spf is not null),
+          strings.ilike(.authentication_results.spf, "*fail")
+        )
+      )
+      or (
+        any(distinct(headers.hops, .authentication_results.dkim is not null),
+          strings.ilike(.authentication_results.dkim, "*fail")
+        )
+      )
+    )
+  )
+severity: "high"
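Review bot: The three `any(distinct(headers.hops, .authentication_results.X is not null), ...)` expressions key `distinct` on a boolean, so if `distinct` keeps one representative hop per key value (as its name suggests) only the first hop carrying a DMARC/SPF/DKIM result is examined and a `fail` recorded by a later hop is missed; `filter(headers.hops, .authentication_results.dmarc is not null)` (and likewise for spf/dkim) would evaluate every hop that reports a result. Separately, `headers.hops` includes Authentication-Results written by MTAs outside the receiving boundary, which a sender or forwarder controls, so a result from any hop is only as trustworthy as that hop; if the schema exposes the evaluating hop or a trusted-boundary flag, the query should scope to it, and otherwise a comment in the YAML should state that upstream results are accepted as-is. The `"*fail"` glob also matches `softfail` (legitimate for forwarded mail) and would not match a value that carries trailing text such as a reason, so the intended coverage should be stated above `source:` with something like `# Matches fail and softfail; hops without a result are ignored`.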