DMARC Alignment Failure: Why SPF/DKIM Pass But DMARC Fails
SPF and DKIM both pass but DMARC still fails? The problem is alignment. Learn what DMARC alignment means and how to fix relaxed vs strict alignment issues.
What This Error Means
DMARC alignment failure occurs when SPF and DKIM both pass but DMARC still fails. The cause: the domains authenticated by SPF and DKIM do not match the domain in the From: header. This matching requirement — called alignment — is what makes DMARC effective against spoofing. The fix: configure your sending services to authenticate with your domain, not theirs.
This is one of the most confusing situations in email authentication. You have checked your email headers and confirmed that SPF passes and DKIM passes. Yet the Authentication-Results header says dmarc=fail.
DMARC does not just check whether SPF and DKIM succeed. It checks whether the domains authenticated by SPF and DKIM match the domain in the From: header that the recipient sees. This matching requirement is called alignment (RFC 7489 Section 3), and it is the core innovation that makes DMARC effective against spoofing.
Without alignment, an attacker could set up valid SPF and DKIM for evil-domain.com, then send email with a From: header of ceo@yourcompany.com. SPF would pass (for evil-domain.com), DKIM would pass (for evil-domain.com), but the recipient would see yourcompany.com in their inbox. Alignment prevents this.
How DMARC Alignment Works
For DMARC to pass, at least one of the following must be true:
SPF Alignment
The domain in the Return-Path header (also called the envelope sender or MAIL FROM) must align with the domain in the From: header.
Return-Path: <bounces@yourcompany.com> <- SPF authenticates this domain
From: support@yourcompany.com <- Recipient sees this domain
SPF checks whether the sending IP is authorized for the Return-Path domain. DMARC then checks whether that Return-Path domain matches the From: domain. Both must succeed for SPF alignment to pass.
DKIM Alignment
The domain in the DKIM signature's d= tag must align with the domain in the From: header.
DKIM-Signature: ... d=yourcompany.com; ... <- DKIM authenticates this domain
From: support@yourcompany.com <- Recipient sees this domain
DKIM verifies the signature using the public key published at the d= domain. DMARC then checks whether that d= domain matches the From: domain.
Relaxed vs Strict DMARC Alignment
DMARC supports two alignment modes, controlled by the aspf= (SPF) and adkim= (DKIM) tags in your DMARC record. Use the mxio DMARC Checker to see which mode your domain uses.
Relaxed Alignment (Default)
With relaxed alignment (aspf=r or adkim=r), the authenticated domain and the From: domain only need to share the same organizational domain (the registered domain). Subdomains match their parent domain.
| Authenticated Domain | From: Domain | Relaxed Alignment |
|---|---|---|
| yourcompany.com | yourcompany.com | Pass |
| mail.yourcompany.com | yourcompany.com | Pass |
| yourcompany.com | news.yourcompany.com | Pass |
| bounce.esp.com | yourcompany.com | Fail |
Strict Alignment (aspf=s or adkim=s)
With strict alignment, the domains must match exactly. Subdomains do not match their parent.
| Authenticated Domain | From: Domain | Strict Alignment |
|---|---|---|
| yourcompany.com | yourcompany.com | Pass |
| mail.yourcompany.com | yourcompany.com | Fail |
| yourcompany.com | news.yourcompany.com | Fail |
| bounce.esp.com | yourcompany.com | Fail |
Most domains should use relaxed alignment (the default). Strict alignment is only needed in high-security environments where you require exact domain matching.
Common Alignment Failure Scenarios
Scenario 1: Third-Party ESP Using Its Own Domain
The problem: You use a marketing platform like Mailchimp or HubSpot. The email shows From: you@yourcompany.com, but the platform sends the message using its own infrastructure. Without custom DKIM signing configured, the DKIM signature uses d=mailchimp.com (or similar). The Return-Path is also set to a Mailchimp domain for bounce handling.
Header example:
Return-Path: <bounce-mc.us1_123456@mail234.atl41.mcsv.net>
From: newsletter@yourcompany.com
DKIM-Signature: v=1; ... d=yourcompany.com; s=k1; ...
(this only exists if you've set up custom DKIM)
DKIM-Signature: v=1; ... d=mail234.atl41.mcsv.net; s=...; ...
(this is the default platform signature)
Authentication-Results: mx.google.com;
spf=pass smtp.mailfrom=mail234.atl41.mcsv.net;
dkim=pass header.d=mail234.atl41.mcsv.net;
dmarc=fail header.from=yourcompany.com
SPF passes for mcsv.net. DKIM passes for mcsv.net. But neither aligns with yourcompany.com in the From: header. DMARC fails.
Fix: Configure custom DKIM signing in your ESP's settings. Most platforms support this by having you add CNAME records to your DNS that delegate DKIM signing authority:
k1._domainkey.yourcompany.com CNAME dkim.mcsv.net
k2._domainkey.yourcompany.com CNAME dkim2.mcsv.net
Once configured, the platform signs with d=yourcompany.com, and DKIM alignment passes. Verify with the mxio DKIM Checker.
Scenario 2: Transactional Email Service with Default Return-Path
The problem: You use SendGrid, Amazon SES, or Postmark for transactional email (password resets, order confirmations). The service uses its own bounce domain as the Return-Path, which breaks SPF alignment.
Header example:
Return-Path: <bounces+12345@em1234.sendgrid.net>
From: noreply@yourcompany.com
SPF passes for sendgrid.net, but sendgrid.net does not align with yourcompany.com.
Fix: Most transactional services support custom Return-Path (also called "branded links" or "domain authentication"):
- SendGrid: Set up Domain Authentication, which configures a custom Return-Path subdomain like em1234.yourcompany.com
- Amazon SES: Configure a custom MAIL FROM domain
- Postmark: Set up a custom Return-Path domain
Also configure DKIM with your domain as a belt-and-suspenders approach. For details on how SPF, DKIM, and DMARC work together across these services, see the Email Authentication Guide.
Scenario 3: Email Forwarding
The problem: A recipient has forwarding set up (user@university.edu forwards to user@gmail.com). The forwarding server relays the message, but its IP is not in your SPF record. SPF fails. If the forwarding server also modifies the message (adds a footer, changes headers), DKIM fails too. Even if SPF or DKIM passes at the technical level, the domains do not align with your From: header.
Header example:
Return-Path: <SRS0=abcd=XX=yourcompany.com=user@university.edu>
From: colleague@yourcompany.com
If the university uses SRS (Sender Rewriting Scheme), the Return-Path domain becomes university.edu. SPF passes for university.edu, but that does not align with yourcompany.com.
Fix: This is largely outside your control. Your best defenses:
- Always configure DKIM — DKIM signatures survive forwarding if the body is not modified, and d=yourcompany.com still aligns
- Use relaxed alignment — Do not use adkim=s or aspf=s unless you have a specific reason
- Support ARC — Authenticated Received Chain (RFC 8617) preserves authentication across forwarding hops. Major receivers (Gmail, Microsoft) validate ARC chains
Scenario 4: Subdomain Mismatch with Strict Alignment
The problem: Your application sends email from alerts@app.yourcompany.com, and DKIM signs with d=app.yourcompany.com. Your DMARC record specifies adkim=s (strict DKIM alignment). Meanwhile, another service sends from @yourcompany.com with d=yourcompany.com. The subdomain email fails because app.yourcompany.com does not strictly match yourcompany.com (even though it passes relaxed alignment).
Fix: Switch to relaxed alignment (the default), or ensure each subdomain has DKIM configured to sign with an exactly matching d= domain.
Scenario 5: CRM, Support Desk, or Email Security Service Sending "On Behalf Of"
The problem: Salesforce, Zendesk, Freshdesk, or an email security service like MailRoute sends email "on behalf of" your users. The From: header shows your domain, but the actual sending infrastructure and DKIM signature belong to the vendor.
Fix: Configure the vendor to use DKIM signing with your domain. Most enterprise CRM, support, and email security platforms support custom DKIM:
- Salesforce: Set up Email Deliverability with DKIM signing
- Zendesk: Configure SPF and DKIM in the email settings
- Freshdesk: Set up custom DKIM via DNS CNAME records
- MailRoute: Configure outbound DKIM signing in the MailRoute admin panel
How to Diagnose Alignment Failures
Step 1: Get the Full Headers
From the failing message, export the full email headers. In Gmail: open the message, click the three-dot menu, select "Show original." In Outlook: open message properties to view internet headers.
Step 2: Analyze with Header Analyzer
Paste the headers into the mxio Header Analyzer. Look specifically at the Authentication-Results header. A typical alignment failure looks like:
Authentication-Results: mx.google.com;
dkim=pass header.d=thirdparty.com header.s=selector1;
spf=pass (google.com: domain of bounce@thirdparty.com designates
203.0.113.10 as permitted sender) smtp.mailfrom=bounce@thirdparty.com;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=yourcompany.com
This tells you:
- DKIM passed, but for thirdparty.com (not yourcompany.com)
- SPF passed, but for thirdparty.com (not yourcompany.com)
- DMARC failed because neither aligned with yourcompany.com
Step 3: Identify the Misaligned Domain
Compare three domains from the headers:
| Header | Domain | Purpose |
|---|---|---|
| From: | yourcompany.com | What the recipient sees |
| Return-Path: / smtp.mailfrom= | thirdparty.com | What SPF authenticates |
| DKIM-Signature: d= / header.d= | thirdparty.com | What DKIM authenticates |
If neither the SPF domain nor the DKIM domain matches the From: domain, alignment fails.
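To make the alignment tables and the Step 2/Step 3 comparison concrete, here is an added Python example (not part of this article or of mxio's tooling) that parses the Authentication-Results header shown above and re-derives the DMARC verdict under relaxed and strict alignment. The organizational-domain function assumes the last two labels are the registered domain (a production check must use the Public Suffix List), and the sample header is an unfolded copy of the one in Step 2.

```python
import re

# Constructed sample: the failing Authentication-Results header from Step 2 above, unfolded.
FAILING_HEADER = (
    "mx.google.com; dkim=pass header.d=thirdparty.com header.s=selector1; "
    "spf=pass (google.com: domain of bounce@thirdparty.com designates "
    "203.0.113.10 as permitted sender) smtp.mailfrom=bounce@thirdparty.com; "
    "dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=yourcompany.com"
)

def org_domain(domain: str) -> str:
    """Organizational domain. Assumption: the last two labels; a production
    implementation must consult the Public Suffix List (e.g. for .co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_auth_results(header: str) -> dict:
    """Map each method (spf, dkim, dmarc) to (verdict, {property: value}).
    Parenthesised comments are dropped; the leading authserv-id is skipped."""
    clauses = re.sub(r"\([^)]*\)", "", header).split(";")[1:]
    results = {}
    for clause in filter(None, (c.strip() for c in clauses)):
        method_verdict, *props = clause.split()
        method, verdict = method_verdict.split("=", 1)
        results[method] = (verdict, dict(p.split("=", 1) for p in props if "=" in p))
    return results

def evaluate_alignment(header: str, aspf: str = "r", adkim: str = "r") -> dict:
    """Re-derive the DMARC verdict: pass iff SPF or DKIM passed AND its
    authenticated domain aligns with header.from under the given mode."""
    res = parse_auth_results(header)
    from_domain = res["dmarc"][1]["header.from"]
    spf_verdict, spf_props = res.get("spf", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    dkim_verdict, dkim_props = res.get("dkim", ("none", {}))
    dkim_domain = dkim_props.get("header.d", "")
    spf_ok = spf_verdict == "pass" and bool(spf_domain) and aligned(spf_domain, from_domain, aspf)
    dkim_ok = dkim_verdict == "pass" and bool(dkim_domain) and aligned(dkim_domain, from_domain, adkim)
    return {"from": from_domain, "spf_domain": spf_domain, "spf_aligned": spf_ok,
            "dkim_domain": dkim_domain, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    print(evaluate_alignment(FAILING_HEADER))
```

Passing `adkim="s"` reproduces the Scenario 4 failure for a subdomain d= value, while the default relaxed mode lets it pass.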
Step 4: Check Your DMARC Record
Use the mxio DMARC Checker to see your alignment settings. If aspf=s or adkim=s is present, you are using strict alignment, which could be causing subdomain mismatches.
Prevention and Ongoing Monitoring
- Configure custom DKIM for every third-party sender — This is the single most effective step. DKIM alignment is more reliable than SPF alignment because DKIM survives forwarding
- Use relaxed alignment — Do not add aspf=s or adkim=s unless you have a specific security requirement
- Test each sending service — After configuring a new ESP or service, send a test email and check the Authentication-Results header to confirm alignment passes
- Monitor DMARC reports — Aggregate reports (rua=) show alignment pass/fail for every source, making it easy to identify misconfigured services
- Audit your sender inventory — Maintain a list of every service authorized to send email as your domain, and verify DKIM/SPF alignment for each
Set up domain health monitoring to catch alignment failures across all your sending sources. mxio monitors your DMARC configuration continuously — you know the moment alignment breaks for any source.
Related Issues
- Why Is DMARC Failing? — Comprehensive DMARC troubleshooting guide
- Gmail Error 550 5.7.26 — Gmail rejecting email due to DMARC policy
- No DMARC Record Found — Setting up DMARC from scratch
- Emails Going to Spam — Alignment failures are a top spam cause
- DMARC Deployment Guide — End-to-end DMARC rollout guide