DMARC Alignment Explained

Why SPF and DKIM pass but DMARC still fails. And how to fix it.

You set up SPF. You configured DKIM. Both show "pass" in your email headers. And yet DMARC still fails. If that sounds familiar, you are not alone. This guide explains exactly why it happens, and what to do about it.

What you will learn

Why SPF or DKIM passing is not enough for DMARC to pass
What relaxed and strict alignment mean, with concrete examples
How SPF and DKIM alignment differ, and which is easier to achieve
How to diagnose and fix the most common alignment failures

SPF passes. DKIM passes. DMARC fails. What?

Here is the scenario. Your mail server reports both SPF and DKIM as "pass". Your DMARC aggregate reports show failures. It feels like a contradiction.

It is not. DMARC does not just check whether SPF and DKIM pass. It checks whether the domain that passed SPF or DKIM matches the domain in the From: header that your recipient actually sees. This match is called alignment.

The impersonation problem alignment solves

Without alignment, an attacker could do this:

From: [email protected]           <-- what the recipient sees
Return-Path: [email protected]    <-- what SPF actually checks
DKIM-Signature: d=evil.com         <-- what DKIM actually authenticated

SPF passes for evil.com. DKIM passes for evil.com. But the recipient sees yourcompany.com in their inbox. Without alignment, nothing catches the mismatch.

DMARC closes this gap. For DMARC to pass, the domain authenticated by SPF or DKIM must align with the From: domain. Either one is sufficient.

What alignment means

Every email carries three sender identities that most people rarely think about:

  • RFC 5322.From (the visible From: header). This is the sender address your recipient sees in their email client. It is what matters for trust and brand recognition.
  • The envelope sender (Return-Path). This is the address used behind the scenes for bounce handling. SPF checks this address, not the From: header.
  • The DKIM d= domain. This is the domain that signed the email with a private key. It is declared in the DKIM-Signature header.

Alignment means the domain in the visible From: header must match either the Return-Path domain (for SPF alignment) or the DKIM d= domain (for DKIM alignment). Without this check, a sender could authenticate successfully for one domain while impersonating another in the From: header.

Relaxed vs strict alignment

DMARC supports two alignment modes: relaxed and strict. You set them independently for SPF and DKIM using the aspf and adkim tags in your DMARC record.

Relaxed (default)

Set with aspf=r or adkim=r (or omit, since relaxed is the default).

The authenticated domain and the From: domain must share the same organizational domain. Subdomains are allowed.

PASS mail.example.com aligns with example.com
PASS send.example.com aligns with example.com
FAIL example.net does not align with example.com

Strict

Set with aspf=s or adkim=s.

The authenticated domain must exactly match the From: domain. No subdomain flexibility.

PASS example.com aligns with example.com
FAIL mail.example.com does NOT align with example.com
FAIL send.example.com does NOT align with example.com

Recommendation: Start with relaxed alignment (the default). Strict alignment breaks many legitimate email setups, including marketing platforms and transactional services that send from subdomains. Switch to strict only if you have a specific security requirement and have audited all your senders.
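As an added example (not code from the original article), here is a small Python evaluator that applies these relaxed and strict rules and combines them with the raw SPF and DKIM results the way DMARC does. It assumes the organizational domain is the last two labels of the name, a simplification of the Public Suffix List lookup that real evaluators perform.

```python
# Added example (not from the original article): evaluate DMARC identifier
# alignment the way the relaxed/strict rules above describe. Assumption: the
# organizational domain is approximated as the last two DNS labels; a real
# DMARC evaluator uses the Public Suffix List (e.g. for example.co.uk).
from dataclasses import dataclass


def organizational_domain(domain: str) -> str:
    """Approximate organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    if mode == "r":
        return organizational_domain(a) == organizational_domain(f)
    raise ValueError(f"unknown alignment mode: {mode!r}")


@dataclass
class DmarcResult:
    spf_aligned: bool   # SPF passed AND Return-Path domain aligned
    dkim_aligned: bool  # DKIM passed AND d= domain aligned

    @property
    def dmarc_pass(self) -> bool:
        # Either aligned, authenticated identifier is enough for DMARC.
        return self.spf_aligned or self.dkim_aligned


def evaluate(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass,
             aspf="r", adkim="r"):
    """Combine raw SPF/DKIM results with alignment, as DMARC does.
    spf_domain is the Return-Path (MAIL FROM) domain, dkim_domain the
    DKIM-Signature d= value; pass None when the identifier is absent."""
    spf_ok = bool(spf_pass and spf_domain
                  and aligned(spf_domain, from_domain, aspf))
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(dkim_domain, from_domain, adkim))
    return DmarcResult(spf_ok, dkim_ok)
```

Calling evaluate("yourcompany.com", "send.thirdparty.com", True, "yourcompany.com", True) reproduces the marketing-platform case below: SPF does not align but DKIM does, so DMARC passes.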

SPF alignment: the Return-Path problem

When SPF runs, it does not check the From: address your recipient sees. It checks the Return-Path (also called the envelope-from or MAIL FROM). The Return-Path is the address used for bounce messages, and it is often set by whoever sends the email, not by you.

This is the core of most SPF alignment failures. Third-party email senders, such as marketing platforms or CRM tools, routinely use their own Return-Path domain for bounce tracking. The SPF check passes for their domain, but it does not align with your From: domain.

# A marketing email sent via a third-party platform
From: [email protected]
Return-Path: [email protected]

# SPF check: is send.thirdparty.com authorized to send?
# -> YES (passes SPF for thirdparty.com)
# SPF alignment check: does send.thirdparty.com match yourcompany.com?
# -> NO (SPF alignment fails)
# DMARC result: SPF alignment FAIL
# (DMARC may still pass if DKIM alignment passes)

How to fix SPF alignment for third-party senders

You have two options:

  1. Configure a custom Return-Path on your domain. Many email platforms let you set up a custom bounce domain like bounces.yourcompany.com. This requires a DNS CNAME pointing to the platform and some platform configuration. Once set up, SPF will align because the Return-Path is on your organizational domain.
  2. Rely on DKIM alignment instead. This is often the simpler path. Configure your email platform to sign outgoing mail with a DKIM key from your domain (d=yourcompany.com). If DKIM aligns, DMARC passes. You do not need SPF alignment at all.

DKIM alignment: the d= tag

DKIM alignment checks the d= tag in the email's DKIM-Signature header. This tag declares which domain signed the message. For DKIM to align, that domain must match the From: header domain (under relaxed or strict rules).

# Aligned: d= matches the From: domain (relaxed mode)
From: [email protected]
DKIM-Signature: v=1; d=yourcompany.com; s=mail; ...
# -> DKIM alignment PASS

# Aligned: d= is a subdomain (relaxed mode accepts this)
From: [email protected]
DKIM-Signature: v=1; d=mail.yourcompany.com; s=outbound; ...
# -> DKIM alignment PASS (relaxed)
# -> DKIM alignment FAIL (strict)

# Not aligned: d= is a different organization's domain
From: [email protected]
DKIM-Signature: v=1; d=mailchimp.com; s=k1; ...
# -> DKIM alignment FAIL (any mode)

Most email service providers (ESPs) allow you to configure DKIM signing with your own domain. Look for settings labeled "custom DKIM domain," "domain authentication," or "sending domain" in your platform. Once configured, they sign outgoing emails with d=yourcompany.com, which aligns with your From: header.

For more on how DKIM signatures work under the hood, see the DKIM overview.

Common alignment failures and how to fix them

| Scenario | What fails | Why | How to fix |
|---|---|---|---|
| Third-party sender with default config | SPF alignment | Return-Path is @thirdparty.com, not your domain | Enable DKIM signing with your domain on the platform, or configure a custom bounce domain |
| Email forwarding | SPF alignment (and sometimes DKIM) | Forwarder changes the Return-Path. Body modifications also break DKIM | Cannot prevent forwarding failures. ARC (Authenticated Received Chain) helps, but recipient mail servers must support it |
| Subdomain sender with strict alignment | Both SPF and DKIM | mail.example.com does not exactly match example.com in strict mode | Switch to relaxed alignment (aspf=r; adkim=r), or change the From: domain to match exactly |
| ESP signing with their own domain | DKIM alignment | DKIM d= is mailplatform.com, not yourcompany.com | Configure the ESP to sign with your domain (custom DKIM setup in the ESP's dashboard) |
| Mailing list with content modifications | DKIM (signature broken) and SPF alignment | List software adds footers, changes subject lines, rewrites Return-Path | No easy fix. Consider using a subdomain for list mail (lists.yourcompany.com) with its own DMARC record |

Configuring alignment in your DMARC record

Alignment is configured using two optional tags in your DMARC DNS record: aspf (for SPF alignment) and adkim (for DKIM alignment). Both default to r (relaxed) if omitted.

# Default: both SPF and DKIM use relaxed alignment
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]"

# Explicit relaxed alignment (same as above)
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; aspf=r; adkim=r; rua=mailto:[email protected]"

# Strict DKIM alignment, relaxed SPF alignment
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; aspf=r; adkim=s; rua=mailto:[email protected]"

# Strict alignment for both (rarely recommended)
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; aspf=s; adkim=s; rua=mailto:[email protected]"

| Tag | Values | Default | What it controls |
|---|---|---|---|
| aspf | r, s | r | SPF alignment mode. r = relaxed (subdomain OK), s = strict (exact match only) |
| adkim | r, s | r | DKIM alignment mode. r = relaxed (subdomain OK), s = strict (exact match only) |

Use the DMARC generator to build a DMARC record with the right alignment settings for your domain. If you are also looking at your SPF setup, the SPF generator can help you build and validate your SPF record.

Diagnosing alignment failures

The fastest way to find alignment problems is to look at your DMARC aggregate reports. Each report entry shows you the source IP, the SPF and DKIM pass/fail results, and whether each aligned with the From: domain.

# In a raw DMARC aggregate report (simplified):
<record>
  <auth_results>
    <spf>
      <domain>send.thirdparty.com</domain>   <!-- SPF authenticated this domain -->
      <result>pass</result>
    </spf>
    <dkim>
      <domain>thirdparty.com</domain>        <!-- DKIM authenticated this domain -->
      <result>pass</result>
    </dkim>
  </auth_results>
  <policy_evaluated>
    <spf>fail</spf>                          <!-- SPF did not align -->
    <dkim>fail</dkim>                        <!-- DKIM did not align -->
    <disposition>quarantine</disposition>    <!-- email was quarantined -->
  </policy_evaluated>
</record>

When you see spf=pass inside auth_results but spf=fail inside policy_evaluated, that is a classic alignment failure. The SPF check passed, but the domain that passed SPF did not match your From: domain. The same pattern applies to DKIM.
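As an added example (not from the original article), the following Python reads aggregate report records and flags exactly that pattern. The sample XML is constructed here to mirror the simplified record above, and it adds the <identifiers><header_from> element that real reports carry so each finding names both the authenticated domain and the From: domain it failed to align with.

```python
# Added example (not from the original article): scan DMARC aggregate report
# records for the "authenticated but not aligned" pattern. The sample report
# is constructed for this example; policy_evaluated is looked up anywhere
# under <record>, so both the simplified layout above and the RFC 7489 layout
# (under <row>) are handled.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>7</count>
      <policy_evaluated><disposition>quarantine</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <spf><domain>send.thirdparty.com</domain><result>pass</result></spf>
      <dkim><domain>thirdparty.com</domain><result>pass</result></dkim>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounces.esp.example</domain><result>pass</result></spf>
      <dkim><domain>yourcompany.com</domain><result>pass</result></dkim>
    </auth_results>
  </record>
</feedback>"""


def alignment_failures(report_xml: str) -> list:
    """One finding per record/mechanism where the raw check passed but
    policy_evaluated says fail, i.e. a pure alignment failure."""
    findings = []
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext(".//source_ip")
        count = int(rec.findtext(".//count") or 0)
        header_from = rec.findtext("identifiers/header_from")
        for mech in ("spf", "dkim"):
            raw = rec.findtext(f"auth_results/{mech}/result")
            evaluated = rec.findtext(f".//policy_evaluated/{mech}")
            if raw == "pass" and evaluated == "fail":
                findings.append({
                    "source_ip": ip, "count": count, "mechanism": mech,
                    "authenticated_domain": rec.findtext(f"auth_results/{mech}/domain"),
                    "header_from": header_from,
                })
    return findings
```

In the sample, the first source is misaligned on both mechanisms (the third-party default config), while the second only fails SPF alignment and still passes DMARC through its aligned DKIM signature.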

You can verify your current DNS setup with the domain checker, which shows your live DMARC, SPF, and DKIM configuration.

Why alignment matters for security: Without alignment, a phisher could send an email that passes both SPF and DKIM by using their own domain, while showing your brand's address in the From: header. Alignment is what connects authentication results to the address your recipients trust.

Next steps

  1. Check your aggregate reports. Look for rows where policy_evaluated shows DKIM or SPF alignment failures even though auth_results shows a pass.
  2. Identify misaligned senders. Each misaligned source IP points to a service you need to configure. Find and fix them one by one.
  3. Configure DKIM signing per sender. Enable custom DKIM domains on each email platform you use. This is usually the most reliable path to DMARC alignment.
  4. Consider a custom bounce domain for SPF. If you cannot configure DKIM on a particular service, a custom Return-Path on your domain will fix SPF alignment for that sender.
  5. Move toward enforcement. Once alignment failures drop to near zero, advance your DMARC policy from none to quarantine, and eventually to reject.


Last updated: March 2026