
DMARC, SPF, DKIM… and the thing everyone misses: Alignment

Forum threads keep repeating the same confusion: “SPF and DKIM pass, so why does DMARC fail?” The missing mental model is DMARC alignment. We explain aspf/adkim, organizational vs strict alignment, and why you likely rely on DKIM alignment more than you think.

Marc, Owner

If you’ve ever stared at a DMARC report and thought, “Wait, SPF passed! DKIM passed! Why is DMARC failing?”... you are not alone.

It is the single most common confusion in email security, for every one of us, including me. You can have a perfectly valid SPF record and a valid DKIM signature, and DMARC will still look at your email and say, “Nope. Reject.”

The missing piece of the puzzle is Alignment.

Let’s break this down, not like a dry RFC document... but like we’re debugging it together.

1. ELI5: DMARC vs. SPF vs. DKIM (The "I'm Confused" Version)

Think of email authentication like checking ID at a secure building.

  • SPF (Sender Policy Framework): This is the guest list. The security guard checks if the IP address delivering the package (the truck) is on the approved list for that domain.
  • DKIM (DomainKeys Identified Mail): This is a wax seal on the envelope. It proves the message hasn’t been tampered with and was truly signed by someone with the key.
  • DMARC: This is the boss. It reads the instruction manual (your DMARC record) and decides what to do if the guest list (SPF) or the wax seal (DKIM) doesn't check out.

But here is the catch: The boss (DMARC) is very specific about who signed the guest list or the wax seal. It’s not enough to be signed; it must be signed by YOU.

2. “DMARC Failed, but SPF Pass” — What Alignment Actually Means

This is where it gets tricky. SPF checks the Return-Path (also called the Mail From address). This is the hidden technical address used for bounce messages, often added by your SMTP provider.

DMARC, however, looks at the From: header—the address the human user actually sees.

Alignment simply asks: Does the domain in the From: header match the domain validated by SPF or DKIM?

  • SPF Alignment: The Return-Path domain must match the From: domain.
  • DKIM Alignment: The d= domain in the DKIM signature must match the From: domain.

If SPF passes but the domains don't match, you have SPF Misalignment. DMARC considers this a fail for SPF.

3. Why “SPF Pass + DKIM Pass” Still Fails DMARC

Imagine you use a third-party service like Mailchimp or SendGrid to send email as [email protected].

  • The SPF Check: The email comes from SendGrid’s servers. SendGrid uses its own domain in the Return-Path (e.g., bounces.sendgrid.net) so it can process bounces for you. The receiving server checks SPF for sendgrid.net. It passes!
  • The DMARC Check: DMARC looks at your From: header: yourcompany.com. It compares it to the SPF validated domain: sendgrid.net.

Result: yourcompany.com != sendgrid.net. SPF Alignment Fails.

This happens constantly. Most SaaS providers (as far as we know: Help Scout, Shopify, HubSpot) will fail SPF alignment by default because they need to handle bounces.

The Solution? DKIM.

You can set up DKIM keys with these providers. They will sign the email with d=yourcompany.com. Now, DMARC sees the From: header is yourcompany.com and the DKIM signature’s d= is yourcompany.com. Alignment passes! DMARC is happy.

4. Relaxed vs. Strict Alignment (The "Strict" Backfire)

DMARC allows you to choose how strict this matching needs to be using the aspf (SPF alignment) and adkim (DKIM alignment) tags.

  • Relaxed (r) - Default: The base domains must match. sub.example.com aligns with example.com.
  • Strict (s): The domains must match exactly. sub.example.com does NOT align with example.com.

Warning: Don't enable strict mode unless you are absolutely sure of your infrastructure. If you use a subdomain for marketing (news.example.com) but sign it with the root domain key (example.com), strict alignment will fail, and your legitimate email might be rejected.
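To make sections 2 to 4 concrete, here is an added example (not code from this article or from DMARCTrust) that evaluates DMARC alignment the way RFC 7489 describes it: DMARC passes only when SPF or DKIM both passes and aligns with the From: domain, using the aspf/adkim modes parsed from the published record. One assumption that is not in the article: the organizational domain is approximated as the last two DNS labels; real receivers use the Public Suffix List, so a domain like mail.example.co.uk needs the PSL to be handled correctly. The scenarios at the bottom are the SendGrid case from section 3 and the "strict backfire" from section 4.

```python
"""DMARC alignment evaluation (added example, not DMARCTrust's code).

Models the RFC 7489 rule: DMARC passes if at least one of SPF or DKIM
both passes AND aligns with the RFC5322.From domain, using the
aspf/adkim modes from the published DMARC record.

Assumption (not from the article): the organizational domain is taken
as the last two DNS labels. Real receivers use the Public Suffix List.
"""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into tags; aspf/adkim default to relaxed."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r'): organizational domains must match.
    Strict ('s'): the two domains must be identical."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str            # domain of the visible From: header
    spf_domain: str             # domain of the Return-Path (MAIL FROM)
    spf_pass: bool              # raw SPF verdict for spf_domain
    dkim_domain: Optional[str]  # d= of the DKIM-Signature, None if unsigned
    dkim_pass: bool             # raw DKIM verdict for that signature


def evaluate_dmarc(results: AuthResults, record: str) -> dict:
    """DMARC needs at least one identifier that both passes and aligns."""
    tags = parse_dmarc_record(record)
    spf_aligned = results.spf_pass and aligned(
        results.spf_domain, results.from_domain, tags["aspf"])
    dkim_aligned = (results.dkim_pass and results.dkim_domain is not None
                    and aligned(results.dkim_domain, results.from_domain,
                                tags["adkim"]))
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
        "policy": tags.get("p", "none"),
    }


# Section 3 scenario: the ESP's Return-Path passes SPF but is not your
# domain, so only a DKIM signature with d=yourcompany.com can align.
VIA_ESP_WITH_DKIM = AuthResults(
    from_domain="yourcompany.com",
    spf_domain="bounces.sendgrid.net", spf_pass=True,
    dkim_domain="yourcompany.com", dkim_pass=True,
)
VIA_ESP_NO_DKIM = AuthResults(
    from_domain="yourcompany.com",
    spf_domain="bounces.sendgrid.net", spf_pass=True,
    dkim_domain=None, dkim_pass=False,
)
# Section 4 scenario: marketing subdomain signed with the root-domain key.
SUBDOMAIN_ROOT_KEY = AuthResults(
    from_domain="news.example.com",
    spf_domain="news.example.com", spf_pass=False,
    dkim_domain="example.com", dkim_pass=True,
)

if __name__ == "__main__":
    print(evaluate_dmarc(VIA_ESP_WITH_DKIM, "v=DMARC1; p=reject"))
    print(evaluate_dmarc(VIA_ESP_NO_DKIM, "v=DMARC1; p=reject"))
    print(evaluate_dmarc(SUBDOMAIN_ROOT_KEY, "v=DMARC1; p=quarantine; adkim=r"))
    print(evaluate_dmarc(SUBDOMAIN_ROOT_KEY, "v=DMARC1; p=quarantine; adkim=s"))
```

Running it shows the three outcomes the article walks through: the ESP mail passes DMARC only through DKIM, the same mail without a DKIM signature fails outright, and the subdomain signed with the root key passes under relaxed adkim but fails the moment adkim=s is published.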

5. 2025 Deliverability Reality Check: Gmail & Yahoo

As of 2024/2025, major providers like Gmail have stopped guessing. If you send bulk mail, you must have DMARC. And to pass DMARC, you need alignment.

We are seeing more errors like 5.7.25 (authentication required) and 4.7.32 (DMARC check failed). These aren't just warnings anymore; they are blocks. At least a block means that you quickly get a signal on your side. Monitoring DMARC records (with us!) helps you pick up the weak signals of deliverability.

If you are relying solely on SPF (which often breaks on forwarding) and ignoring DKIM alignment, you are playing a risky game with your deliverability.

FAQ: Quick Answers

Why does DMARC fail when SPF and DKIM pass?

Because the domains verified by SPF or DKIM do not match the domain in your "From" address. This is an alignment failure. Work on getting your own records!

What is SPF/DKIM alignment?

It is the requirement that the technical "authentication domain" matches the visible "From header" domain.

Do I need both SPF and DKIM to align?

No! DMARC requires either SPF or DKIM to align. However, aiming for both is best practice (though SPF alignment is often impossible with third-party tools).

How can I be sure that I am always aligned?

You will have to make a precise inventory of your sources: which tools, ESPs, and SaaS platforms did you allow to send e-mail on your behalf? The most effective way of doing it is to enable DMARC reports, with our tool. You will be surprised. Tom from the Marketing team might be using more tools than expected.
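Aggregate (RUA) reports are exactly where the sender inventory comes from, so here is an added example (not DMARCTrust's tooling) that parses one and lists, per source IP, the raw SPF/DKIM results next to the aligned verdicts the receiver computed. The report is constructed for illustration (RFC 5737 documentation IPs, an invented receiver name) but follows the RFC 7489 Appendix C element names real receivers use; real reports arrive as gzipped or zipped attachments, which you would decompress first.

```python
"""Summarizing a DMARC aggregate (RUA) report per sending source.

Added example, not DMARCTrust's code. SAMPLE_REPORT is constructed
(RFC 5737 IPs, invented org name) in the RFC 7489 Appendix C schema.
"""
import xml.etree.ElementTree as ET  # prefer defusedxml for reports from unknown senders
from typing import List, Optional, Tuple

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>yourcompany.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcompany.com</domain><result>pass</result></dkim>
      <spf><domain>bounces.sendgrid.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>reject</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounces.sendgrid.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _raw(auth: Optional[ET.Element], name: str) -> Optional[Tuple[str, str]]:
    """(domain, result) of the raw SPF or DKIM check, or None if absent."""
    node = None if auth is None else auth.find(name)
    if node is None:
        return None
    return (node.findtext("domain", ""), node.findtext("result", ""))


def summarize_report(xml_text: str) -> List[dict]:
    """One entry per <record>, pairing raw results with the aligned verdicts."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pol = row.find("policy_evaluated")
        auth = rec.find("auth_results")
        entry = {
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count", "0")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": pol.findtext("disposition"),
            "dmarc_dkim": pol.findtext("dkim"),  # DKIM verdict after alignment
            "dmarc_spf": pol.findtext("spf"),    # SPF verdict after alignment
            "raw_dkim": _raw(auth, "dkim"),      # before alignment
            "raw_spf": _raw(auth, "spf"),
        }
        entry["dmarc_pass"] = "pass" in (entry["dmarc_dkim"], entry["dmarc_spf"])
        rows.append(entry)
    return rows


def misaligned_sources(rows: List[dict]) -> List[str]:
    """Source IPs where SPF or DKIM passed raw but DMARC still failed:
    the 'SPF pass, DMARC fail' alignment problem from the article."""
    hits = []
    for r in rows:
        raw_pass = any(x is not None and x[1] == "pass"
                       for x in (r["raw_dkim"], r["raw_spf"]))
        if raw_pass and not r["dmarc_pass"]:
            hits.append(r["source_ip"])
    return hits


def volume_by_source(rows: List[dict]) -> dict:
    """Message count per source IP: the raw material for a sender inventory."""
    totals = {}
    for r in rows:
        totals[r["source_ip"]] = totals.get(r["source_ip"], 0) + r["count"]
    return totals


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    for r in summary:
        print(r["source_ip"], r["count"], r["raw_spf"], r["raw_dkim"],
              "->", r["dmarc_dkim"], r["dmarc_spf"], r["disposition"])
    print("misaligned:", misaligned_sources(SAMPLE_REPORT and summary))
    print("volume:", volume_by_source(summary))
```

The first source (the ESP signing with your DKIM key) shows raw SPF pass for bounces.sendgrid.net turning into an aligned SPF fail, yet DMARC passes through DKIM. The second source sends through the same ESP without a DKIM signature: raw SPF passes, nothing aligns, and the receiver applied p=reject. That second IP is the one to chase down in your inventory.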
