4 min read

ESPs, subdomains, and the “Can’t get DKIM to align w/ DMARC” rabbit hole

A recurring forum storyline: you set up an ESP, authentication tools say it’s fine, yet DMARC alignment is still broken. This usually comes down to how the ESP signs DKIM (d=), whether you’re using a custom sending domain, and whether you should isolate with a sending subdomain.

Marc, Owner

You’ve done everything right. You signed up for a reputable Email Service Provider (ESP) like Mailchimp, SendGrid, or Postmark. You followed their setup wizard. Their dashboard says "Authenticated!" with green checkmarks everywhere.

Yet your DMARC reports show a sea of red (or orange), or worse, you keep seeing DKIM Alignment Failed.

Welcome to the rabbit hole. Let’s climb out.

1. The "Can't Get DKIM to Align" Headache

Here is the scenario: You send an email through your ESP. It arrives. The headers show DKIM-Signature: v=1; ... so you know it's signed.

But DMARC fails. Why?

Because of the d= tag in that signature.

Many ESPs, by default, sign emails with their own domain keys.

DMARC looks at this and says: "The message claims to be from yourcompany.com, but the digital signature belongs to sendgrid.net. These do not match. Alignment Failed."

2. Subdomains vs. Root Domains: The Blast Radius

Before fixing the alignment, ask yourself: Should this traffic even be on my root domain?

If you are sending marketing blasts, newsletters, or third-party notifications, it is often best practice to use a subdomain.

  • Root Domain (example.com): Keep this pristine for corporate email (CEOs, sales, support) talking to humans.
  • Subdomain (news.example.com): Use this for newsletters.
  • Subdomain (receipts.example.com): Use this for transactional receipts.

Why? If your marketing team accidentally spams a list and tanks the reputation of news.example.com, your CEO’s emails from example.com will likely still land in the inbox. This is "containing the blast radius." It does not mean your marketing team can be reckless: your pristine IPs can still get blacklisted.

3. ESP Reality: You MUST Win on DKIM Alignment

We discussed in a previous post that DMARC requires either SPF or DKIM to align. In the world of modern SaaS and ESPs, SPF alignment is often impossible.

Why? Because to align SPF, the ESP must use your domain in the Return-Path (the bounce address, also known as the envelope sender). While some providers (Postmark, Amazon SES) allow you to set up a "Custom Return-Path" (CNAME), many others (especially on lower tiers) do not.

This means DKIM is your lifeline.

You absolutely must get DKIM to align. If SPF is misaligned (common) and DKIM is misaligned (default), DMARC fails completely.

4. What to Ask Your ESP (The Checklist)

To fix the d= mismatch, you need to set up "Custom Domain Authentication" or "Domain Whitelabeling" in your ESP. Here is what you are looking for:

  • "I need to authenticate my domain." (Not just verify my email address).
  • "I need the DKIM signature to use d=example.com."
  • "Do you support custom DKIM selectors?" (Essential if you use multiple services on the same domain).

Once you configure this, usually by adding CNAME records to your DNS, the ESP will start signing with d=yourcompany.com (or d=news.example.com).

Result: From: example.com matches d=example.com. DKIM Alignment Passes. DMARC Passes.
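To make the d= check from sections 1, 3 and 4 concrete, here is an added example (not code from this post or from any ESP) that evaluates DMARC alignment from the headers you can read in a raw message. It assumes the receiver's raw SPF and DKIM verdicts are supplied as booleans, and it approximates the organizational domain with the last two labels instead of the Public Suffix List.

```python
import re
from email import message_from_string

def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Real receivers use the Public Suffix List; this shortcut mis-handles
    suffixes such as co.uk and is only here to keep the example short."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r', the DMARC default): same organizational domain.
    Strict ('s'): the two domains must be identical."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def _addr_domain(header_value):
    """Domain part of the first address in a From / Return-Path header."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else ""

def dmarc_result(raw, adkim="r", aspf="r", dkim_pass=True, spf_pass=True):
    """dkim_pass/spf_pass stand in for the receiver's raw SPF/DKIM verdicts;
    DMARC needs one of them to BOTH pass AND align with the From domain."""
    msg = message_from_string(raw)
    from_dom = _addr_domain(msg.get("From", ""))
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    d_tag = m.group(1).lower() if m else ""            # the d= tag in question
    rp_dom = _addr_domain(msg.get("Return-Path", ""))  # bounce address (SPF)
    dkim_ok = dkim_pass and bool(d_tag) and aligned(from_dom, d_tag, adkim)
    spf_ok = spf_pass and bool(rp_dom) and aligned(from_dom, rp_dom, aspf)
    return {"from": from_dom, "d": d_tag, "return_path": rp_dom,
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc": "pass" if (dkim_ok or spf_ok) else "fail"}

# Constructed sample headers (not real mail): the ESP signing with its own key.
DEFAULT_ESP = """From: News <news@example.com>
Return-Path: <bounce-1@bounces.sendgrid.net>
DKIM-Signature: v=1; a=rsa-sha256; d=sendgrid.net; s=s1;
 h=from:to:subject; bh=FAKEHASH=; b=FAKESIG=
Subject: constructed sample

body
"""
# The same ESP after "Custom Domain Authentication" on a sending subdomain.
CUSTOM_AUTH = DEFAULT_ESP.replace("d=sendgrid.net; s=s1", "d=news.example.com; s=m1")

if __name__ == "__main__":
    for name, raw in (("default", DEFAULT_ESP), ("custom", CUSTOM_AUTH)):
        print(name, dmarc_result(raw))   # default -> fail, custom -> pass
    print("adkim=s:", dmarc_result(CUSTOM_AUTH, adkim="s")["dmarc"])  # fail
```

Note that the subdomain case passes only under relaxed alignment; if your DMARC record sets adkim=s, the From domain and d= must match exactly.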

5. The DNS Gotchas Users Actually Hit

Even when you know what to do, the implementation often trips people up.

  • The _dmarc Label: When adding your DMARC record, your DNS provider might append your domain automatically. If you type _dmarc.example.com into the field, you might end up with _dmarc.example.com.example.com. Use a tool like dig or our DMARC checker to verify.
  • Propagation Patience: DNS is not instant. TXT records such as DMARC entries or DKIM keys can take time to propagate across the internet. If you verify immediately and it fails, wait an hour and try again.
  • Selector Collisions: If you use two different SendGrid accounts for the same domain, they might try to use the same default selector (e.g., s1._domainkey). You’ll need to rotate one to a custom selector.

FAQ: Quick Answers

Should I use a subdomain for Mailchimp/SendGrid?

Yes. It protects your primary domain's reputation. news.example.com is safer than example.com for bulk mail. But keep in mind that the most important thing is to send mail that is relevant to your users. Google and Yahoo monitor the open rate and how their users interact with your communications. Keep your list fresh, remove inactive users, and so on.

How do I make DKIM align?

You must configure "Domain Authentication" or "DKIM Signing" within your ESP's settings. This usually involves adding CNAME records to your DNS so they can sign as you. The sections above walk through the process.

Why does my tester say misaligned?

Check the raw headers of an email. Look for DKIM-Signature. If the d= value does not match your From address domain, it is misaligned. Everything is in the headers, and most of the important information is human-readable: you will see whether the DKIM signature was accepted or not.
