What is DMARC alignment?
DMARC sits on top of SPF and DKIM. It doesn't replace them — it adds one critical check: does the domain that passed authentication match the domain your recipients see in the From: field?
That match is called alignment, and it's the reason DMARC exists. Without it, a spammer could pass SPF using their own domain in the envelope while putting your domain in the visible From: header. SPF would pass. DKIM could pass for the spammer's domain. But the recipient sees your brand in the From: line. DMARC closes that gap.
How alignment works for SPF
SPF authenticates the domain in the envelope sender (the SMTP MAIL FROM address, which receiving servers record in the Return-Path header). For DMARC, that domain must align with the domain in the From: header.
How alignment works for DKIM
DKIM authenticates the domain in the d= tag of the signature. For DMARC, that domain must align with the domain in the From: header.
DMARC requires at least one — SPF or DKIM — to both pass and align. If neither aligns, DMARC fails, even if both passed their individual checks.
DMARCit shows alignment status for every sender — so you can see at a glance which services pass authentication but fail alignment.
Why does this happen?
Cause 1: The sending service uses its own domain in the Return-Path
This is the most common cause. When a service like Mailchimp, HubSpot, Salesforce, or Zendesk sends email on your behalf, it typically uses its own domain in the Return-Path envelope sender. SPF passes for the service's domain — but your From: address is you@yourdomain.com. The domains don't match. SPF alignment fails.
What SPF checked
Return-Path: bounce@mcsignup.com
What DMARC checks against
From: you@yourdomain.com
SPF passes for mcsignup.com. But mcsignup.com doesn't align with yourdomain.com. SPF alignment fails.
Cause 2: DKIM is signed with the platform's default domain
Many services sign DKIM by default, but using their own domain — not yours. The DKIM signature is valid, but the d= value is the platform's domain, not yours.
What DKIM checked
DKIM-Signature: d=sendgrid.net
What DMARC checks against
From: you@yourdomain.com
DKIM passes for sendgrid.net. But sendgrid.net doesn't align with yourdomain.com. DKIM alignment fails.
When both of these are true simultaneously — SPF passes for the platform's envelope domain, DKIM passes for the platform's signing domain, and neither matches your From: domain — you get the pass-pass-fail pattern.
Cause 3: Subdomain mismatch under strict alignment
DMARC alignment has two modes:
- Relaxed (default): the organizational domains just need to match. mail.yourdomain.com aligns with yourdomain.com.
- Strict: the full domains must match exactly. mail.yourdomain.com does not align with yourdomain.com.
If your DMARC record uses strict alignment (aspf=s or adkim=s), a sender using a subdomain of your domain will fail alignment even though the organizational domain matches.
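The two alignment modes, the organizational-domain rule behind relaxed mode, and the pass-pass-fail pattern from Causes 1 and 2, worked through in code. This is an added example, not DMARCit's code; the PUBLIC_SUFFIXES table is an assumption, a tiny stand-in for the Public Suffix List that a real DMARC verifier consults, and the domain names are the ones used on this page.

```python
"""DMARC identifier alignment (RFC 7489, section 3.1), worked through in code.

Added example, not DMARCit's code. PUBLIC_SUFFIXES below is an assumption: a
tiny stand-in for the Public Suffix List that real DMARC verifiers consult.
"""

# Assumption: a minimal public-suffix table. Multi-label suffixes such as co.uk
# matter because the organizational domain is one label below the public suffix.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. mail.yourdomain.com -> yourdomain.com."""
    labels = domain.lower().rstrip(".").split(".")
    # Longest candidate suffix is tried first, so co.uk wins over uk.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Does the domain an authentication method validated align with the
    RFC5322.From domain? mode is "r" (relaxed, the default) or "s" (strict)."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a  # strict: exact match only
    return organizational_domain(f) == organizational_domain(a)


def dmarc_result(from_domain, mailfrom_domain, spf_result, dkim_signatures,
                 aspf="r", adkim="r"):
    """Evaluate DMARC for one message.

    dkim_signatures is a list of (d= domain, verification result) pairs, because
    a message may carry several signatures (the platform's and yours); one
    passing, aligned signature is enough. Returns the per-mechanism aligned
    results and the overall verdict.
    """
    spf_aligned = spf_result == "pass" and aligned(from_domain, mailfrom_domain, aspf)
    dkim_aligned = any(
        result == "pass" and aligned(from_domain, d, adkim)
        for d, result in dkim_signatures
    )
    return {
        "spf": "pass" if spf_aligned else "fail",
        "dkim": "pass" if dkim_aligned else "fail",
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    # Causes 1 and 2: the pass-pass-fail pattern. Both mechanisms pass for the
    # platform's domains, neither aligns with the From: domain.
    print(dmarc_result("yourdomain.com", "mcsignup.com", "pass",
                       [("sendgrid.net", "pass")]))
    # Once the platform also signs with d= under your domain, DMARC passes.
    print(dmarc_result("yourdomain.com", "mcsignup.com", "pass",
                       [("sendgrid.net", "pass"), ("em.yourdomain.com", "pass")]))
    # Cause 3: the same subdomain aligns under relaxed but not under strict.
    print(aligned("yourdomain.com", "mail.yourdomain.com", "r"),
          aligned("yourdomain.com", "mail.yourdomain.com", "s"))
```

The point of the suffix table is that alignment is not "same last two labels": under a multi-label public suffix such as co.uk, the organizational domain is one label deeper, and a verifier that gets this wrong will mis-judge alignment for those domains.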
Cause 4: Platform-specific caveat — Google Workspace domain aliases
For Google Workspace alias domains, SPF alignment can fail because the Return-Path may carry the primary domain while the visible From: address carries the alias domain. In those setups, DKIM alignment is usually the practical path to a DMARC pass.
How to fix DMARC alignment failure
Step 1: Identify which sender is failing alignment
Check the Authentication-Results header that the receiving server added, either on a bounced or spam-filtered message or on a test message sent to a mailbox you control. You're looking for spf=pass with an smtp.mailfrom domain that doesn't match your From: domain, dkim=pass with a header.d= domain that doesn't match your From: domain, and dmarc=fail (its header.from= value is the domain DMARC compared against). If you have DMARC aggregate reports, alignment failures show up per sending source.
Step 2: Fix DKIM alignment first
DKIM alignment is the most reliable fix because it survives forwarding, as long as the forwarder leaves the signed headers and body untouched (SPF alignment breaks as soon as mail is forwarded). Configure the sending service to sign DKIM with your domain (or a subdomain of your domain under relaxed alignment). This is usually done by adding 1-2 CNAME or TXT records in your DNS so the service can publish its signing key under your domain's namespace. After setup, the DKIM-Signature d= value should be your domain or a subdomain of it, not the platform's domain.
Step 3: Fix SPF alignment if possible
If the platform supports a custom Return-Path (also called custom bounce domain or custom envelope sender), configure it to use a subdomain of your domain, such as bounce.yourdomain.com. Under relaxed alignment, that aligns with yourdomain.com in the From: header. Because SPF is evaluated against the Return-Path domain, the bounce subdomain also needs an SPF record that authorizes the platform's servers; platforms usually have you CNAME the subdomain to their bounce host, which serves that record. Not all platforms support this. If yours doesn't, DKIM alignment alone is sufficient for DMARC to pass.
Step 4: Don't use strict alignment unless you have a specific reason
If your DMARC record includes aspf=s or adkim=s, consider switching to relaxed mode (aspf=r, adkim=r — or remove the tags, since relaxed is the default).
Step 5: Confirm the fix in your DMARC reports
After making changes, wait 24-48 hours for the next DMARC reporting cycle. Check that the sender now shows alignment passing, not just SPF or DKIM passing individually. In the aggregate report XML, the raw outcomes under auth_results can say pass while the aligned verdicts under policy_evaluated say fail; it is the policy_evaluated values that decide DMARC.
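Step 1 and Step 5 both come down to reading the right fields, so here is one added example (not DMARCit's code) that does both: it parses an Authentication-Results header into per-mechanism results and the domain each one authenticated, and it classifies each source in an aggregate report as "pass and aligned", "pass but not aligned" or "fail" by comparing the raw auth_results with the receiver's policy_evaluated verdicts. The header value, the IP addresses and the report XML are constructed samples, not captured traffic; the platform domains are the ones used earlier on this page.

```python
"""Alignment evidence from an Authentication-Results header (RFC 8601) and a
DMARC aggregate report (RFC 7489 Appendix C). Added example, not DMARCit's
code; all inputs below are constructed samples."""
import re
import xml.etree.ElementTree as ET

# Constructed header value recording the pass-pass-fail pattern.
SAMPLE_AUTH_RESULTS = (
    "mx.example.net; "
    "spf=pass (sender IP is 198.51.100.5) smtp.mailfrom=bounce@mcsignup.com; "
    "dkim=pass header.d=sendgrid.net header.s=s1 header.i=@sendgrid.net; "
    "dmarc=fail (p=quarantine) header.from=yourdomain.com"
)
_COMMENT = re.compile(r"\([^)]*\)")  # RFC 8601 comments; nested comments not handled


def parse_authentication_results(value: str) -> dict:
    """{method: [{'result': ..., 'ptype.property': value, ...}, ...]}.
    The first clause is the authserv-id; a method may repeat (several DKIM
    signatures), hence the list. Folded headers are fine: split() eats newlines."""
    parsed = {}
    for clause in _COMMENT.sub("", value).split(";")[1:]:
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        entry = {"result": result.lower()}
        for token in tokens[1:]:
            if "=" in token:
                prop, val = token.split("=", 1)
                entry[prop.lower()] = val
        parsed.setdefault(method.lower(), []).append(entry)
    return parsed


def alignment_evidence(value: str) -> tuple:
    """(From domain, [(method, authenticated domain, raw result), ...]): side by
    side, a pass for the wrong domain is obvious."""
    parsed = parse_authentication_results(value)
    header_from = parsed.get("dmarc", [{}])[0].get("header.from", "").lower()
    rows = []
    for e in parsed.get("spf", []):
        # smtp.mailfrom is a full address at some receivers, a bare domain at others.
        rows.append(("spf", e.get("smtp.mailfrom", "").rsplit("@", 1)[-1].lower(), e["result"]))
    for e in parsed.get("dkim", []):
        rows.append(("dkim", e.get("header.d", "").lower(), e["result"]))
    return header_from, rows


# Constructed report: policy_evaluated holds the receiver's aligned verdicts,
# auth_results the raw SPF/DKIM outcomes. Record 1 is the misaligned platform;
# record 2 is the same platform after it was configured to sign with d= under
# the From domain.
SAMPLE_FEEDBACK = """<feedback>
<record><row><source_ip>198.51.100.5</source_ip><count>42</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>yourdomain.com</header_from></identifiers>
<auth_results><dkim><domain>sendgrid.net</domain><result>pass</result></dkim>
<spf><domain>mcsignup.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.9</source_ip><count>7</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>yourdomain.com</header_from></identifiers>
<auth_results><dkim><domain>em.yourdomain.com</domain><result>pass</result></dkim>
<spf><domain>mcsignup.com</domain><result>pass</result></spf></auth_results></record>
</feedback>"""


def classify_feedback(xml_text: str) -> list:
    """One dict per record. Reports come from third parties: in production parse
    them with defusedxml rather than plain ElementTree."""
    out = []
    for rec in ET.fromstring(xml_text).iter("record"):
        mechanisms = {}
        for mech in ("spf", "dkim"):
            raw = [(a.findtext("domain"), a.findtext("result"))
                   for a in rec.findall(f"auth_results/{mech}")]
            if rec.findtext(f"row/policy_evaluated/{mech}") == "pass":
                status = "pass and aligned"
            elif any(r == "pass" for _, r in raw):
                status = "pass but not aligned"  # the pattern this page is about
            else:
                status = "fail"
            mechanisms[mech] = {"raw": raw, "status": status}
        out.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "mechanisms": mechanisms,
            # DMARC passes when at least one mechanism passed and aligned.
            "dmarc": "pass" if any(m["status"] == "pass and aligned"
                                   for m in mechanisms.values()) else "fail",
        })
    return out
```

Run `alignment_evidence(SAMPLE_AUTH_RESULTS)` to see the header reduced to the From domain beside the two authenticated domains, and `classify_feedback(SAMPLE_FEEDBACK)` to see the first source flagged as passing both mechanisms for the wrong domains while the second passes DMARC on its aligned DKIM signature alone.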
This isn't a one-time fix
Alignment tends to break again over time because:
Most third-party senders start misaligned by default
When your organization adopts a new service that sends email — a CRM, marketing tool, ticketing system, billing platform — its default configuration almost always uses the platform's own domain for SPF and DKIM. Alignment has to be configured per service, every time.
Services change their defaults
A platform that previously allowed custom DKIM may change its onboarding flow, reset signing defaults during migrations, or introduce new sending infrastructure that signs differently. What was aligned last quarter may not be today.
Shadow IT is constant
Marketing, HR, sales, and individual employees adopt SaaS tools that send email as your domain without going through IT. Each one is a potential alignment failure that only shows up in your DMARC reports — if you're reading them.
Forwarding breaks SPF alignment
If a sender is relying on SPF-only alignment, any forwarding hop breaks it. A plain forwarder's server is not in your SPF record, so SPF fails outright; a forwarder that rewrites the envelope sender to its own domain (SRS) makes SPF pass, but for a domain that doesn't align with yours. DKIM alignment survives forwarding as long as the forwarder leaves the signed headers and body untouched, which is why it should be the primary alignment mechanism for every sender.
The most reliable way to catch alignment failures across all senders is continuous monitoring of DMARC aggregate reports.
See which senders pass — and which ones only look like they pass
DMARCit shows alignment status for every sending source, not just pass/fail. You'll see the difference between "SPF passed for the platform's domain" and "SPF passed and aligned with your domain" — which is the difference between DMARC passing and DMARC failing.
7-day free trial · Cancel anytime