ESPs, subdomains, and the "can't get DKIM to align w/ DMARC" rabbit hole
A recurring forum storyline: you set up an ESP, authentication tools say it's fine, yet DMARC alignment is still broken. This usually comes down to how the ESP signs DKIM (d=), whether you're using a custom sending domain, and whether you should isolate with a sending subdomain.
You’ve done everything right. You signed up for an Email Service Provider (ESP) like Mailchimp, SendGrid, or Postmark. You followed their setup wizard. Their dashboard says “Authenticated!” with green checkmarks everywhere.
Yet, your DMARC reports show a sea of red (or orange). Or worse, you keep seeing that DKIM Alignment Failed message.
Welcome to the rabbit hole. Let’s climb out.
1. The “can’t get DKIM to align” headache
Here is the scenario: You send an email through your ESP. It arrives. The headers show DKIM-Signature: v=1; ... so you know it’s signed.
But DMARC fails. Why?
Because of the d= tag in that signature.
Many ESPs, by default, sign emails with their own domain keys. Your From header carries an address at yourcompany.com, but the DKIM signature says d=sendgrid.net or d=mailchimpapp.net.
DMARC looks at this and says: “The message claims to be from yourcompany.com, but the digital signature belongs to sendgrid.net. These do not match. Alignment Failed.”
2. Subdomains vs. root domains and the blast radius
Before fixing the alignment, ask yourself: Should this traffic even be on my root domain?
If you are sending marketing blasts, newsletters, or third-party notifications, it is often best practice to use a subdomain.
Keep your root domain (example.com) pristine for corporate email where executives, sales, and support talk to humans. Use subdomains like news.example.com for newsletters and receipts.example.com for transactional receipts.
Why bother? If your marketing team accidentally spams a list and tanks the reputation of news.example.com, your CEO’s emails from example.com will likely still land in the inbox. This is “containing the blast radius.” It does not mean that your marketing team should do stupid things: you can still get your pristine IPs blacklisted.
3. ESP reality: you must win on DKIM alignment
We discussed in a previous post that DMARC requires either SPF or DKIM to align. In the world of modern SaaS and ESPs, SPF alignment is often impossible.
Why? Because to align SPF, the ESP must use your domain in the Return-Path (bounce address). While some providers (Postmark, Amazon SES) allow you to set up a “Custom Return-Path” via CNAME, many others (especially on lower tiers) do not.
This means DKIM is your lifeline.
You absolutely must get DKIM to align. If SPF is misaligned (common) and DKIM is misaligned (default), DMARC fails completely.
4. What to ask your ESP
To fix the d= mismatch, you need to set up “Custom Domain Authentication” or “Domain Whitelabeling” in your ESP. Here is what you are looking for:
- Tell them you need to authenticate your domain, not just verify your email address.
- Ask for the DKIM signature to use d=example.com.
- Ask if they support custom DKIM selectors, which is useful if you use multiple services on the same domain.
Once you configure this, usually by adding CNAME records to your DNS, the ESP will start signing with d=yourcompany.com (or d=news.example.com if you send from a subdomain).
The result: From: example.com matches d=example.com. DKIM alignment passes. DMARC passes. Note that d=news.example.com also aligns with a From address at example.com under DMARC's default relaxed alignment (adkim=r), because both share the organizational domain example.com; if you publish adkim=s (strict), the d= domain must match the From domain exactly.
5. DNS gotchas users actually hit
Even when you know what to do, the implementation often trips people up.
Watch out for the _dmarc label. When adding your DMARC record, your DNS provider might append your domain automatically. If you type _dmarc.example.com into the field, you might end up with _dmarc.example.com.example.com. Use a tool like dig or our DMARC checker to verify.
DNS is not instant. TXT records such as DMARC entries or DKIM keys can take time to propagate on the internet. If you verify immediately and it fails, wait an hour. Use our DMARC checker to verify propagation.
Selector collisions are another common issue. If you use two different SendGrid accounts for the same domain, they might try to use the same default selector (e.g., s1._domainkey), so one key overwrites the other in DNS. You’ll need to move one account to a custom selector.
FAQ: quick answers
Should I use a subdomain for Mailchimp/SendGrid?
Yes. It protects your primary domain’s reputation. news.example.com is safer than example.com for bulk mail. But keep in mind that the most important thing is to send mail that is relevant to your users. Google and Yahoo will monitor the open rate and how their users interact with your communications. Keep your list fresh, remove inactive users, etc. For more on sender reputation and deliverability, see our 2026 deliverability stack guide.
How do I make DKIM align?
You must configure “Domain Authentication” or “DKIM Signing” within your ESP’s settings. This usually involves adding CNAME records to your DNS so they can sign as you. The post above tries to explain the process.
Why does my tester say misaligned?
Check the raw headers of an email. Look for DKIM-Signature. If the d= value does not match your From address domain, it is misaligned. Everything is in the headers, and most of the important information is, in fact, readable by humans: you will know if the DKIM signature was accepted or not.
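As an added example (not from the original post), here is a small Python check of the header test described in sections 1 and 4 and in this last FAQ answer: it pulls the From domain and each DKIM-Signature d=/s= pair out of a raw message and evaluates DKIM alignment in both relaxed and strict mode. The two messages and their signature values are constructed placeholders, and the organizational-domain helper is a last-two-labels simplification; real DMARC evaluators use the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not real mail); signature values are placeholders.
# 1) ESP default: signed with the ESP's own domain, so d= does not match From.
ESP_DEFAULT = """\
From: News <news@yourcompany.com>
Subject: Hello
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net; s=s1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER

body
"""
# 2) After custom domain authentication: signed under a subdomain of yours.
CUSTOM_AUTH = ESP_DEFAULT.replace("d=sendgrid.net; s=s1", "d=news.yourcompany.com; s=esp1")

def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption: real evaluators consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_aligned(from_domain, d, adkim="r"):
    """DMARC DKIM alignment. adkim=s (strict): exact match.
    adkim=r (relaxed, the default): same organizational domain."""
    if adkim == "s":
        return from_domain.lower() == d.lower()
    return org_domain(from_domain) == org_domain(d)

def check_message(raw, adkim="r"):
    """Parse From and every DKIM-Signature header; return
    (from_domain, [(d, selector, aligned), ...])."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        # Unfold the header, then pull the tag=value pairs out of it.
        tags = dict(re.findall(r"\b([a-z]+)=([^;]*)", " ".join(sig.split())))
        d, s = tags.get("d", "").strip(), tags.get("s", "").strip()
        results.append((d, s, dkim_aligned(from_domain, d, adkim)))
    return from_domain, results

if __name__ == "__main__":
    for label, raw in (("ESP default", ESP_DEFAULT), ("custom auth", CUSTOM_AUTH)):
        for adkim in ("r", "s"):
            print(label, "adkim=" + adkim, check_message(raw, adkim))
```

Run against your own message by pasting its raw headers in place of the constructed sample; a message the ESP signed as itself shows up as misaligned, and one signed under your subdomain aligns only in relaxed mode.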