The symptom: green ESP checks, a DMARC fail anyway
Your email service provider reports the campaign as authenticated. The delivered message shows spf=pass and dkim=pass. Yet a DMARC aggregate report counts the same source as failing, or Gmail shows a "via mcsv.net" style label next to the sender name. The email fails DMARC because DMARC requires an aligned pass, not just any pass.
RFC 9989 section 5.3.5 (DMARCbis, which obsoletes RFC 7489) states that if one or more of the authenticated identifiers align with the Author Domain, the message is considered to pass the DMARC mechanism check. An ESP that sends on shared infrastructure typically passes SPF on its own bounce domain and signs DKIM with its own d= domain. Both pass. Neither aligns. DMARC fails.
We cover the mechanism in depth in two companion posts. Read why emails fail DMARC through Mailchimp, SendGrid and Klaviyo for the per-provider walkthrough, and DMARC, SPF, DKIM alignment explained for the alignment model. This guide is the short diagnostic path.
Step 1: read the delivered headers
Send one campaign to a mailbox you control, then open the raw headers (in Gmail: "Show original"). Find the Authentication-Results header. A failing ESP message looks like this:
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates ...) [email protected];
dkim=pass header.d=mcsv.net;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com
Both SPF and DKIM say pass. The DMARC line still says fail, and the reason is in the domains: SPF authenticated mcsv.net, DKIM signed header.d=mcsv.net, but header.from is yourdomain.com. The authenticated identifiers and the From domain are different organizational domains, so neither aligns.
You can paste the same headers into the email header analyzer to get the verdict without parsing by eye.
Step 2: compare the three domains
Alignment is a comparison of three things. Write them down for the failing message:
- From domain: the domain in the visible From: header. This is the DMARC identity (RFC 9989 section 3.2.10).
- DKIM d= domain: the domain in the dkim=pass header.d= value. DKIM aligns when its organizational domain equals the From organizational domain in relaxed mode, the default (RFC 9989 section 3.2.10.1).
- Return-Path / MAIL FROM domain: the envelope sender shown in smtp.mailfrom. SPF aligns when its organizational domain equals the From organizational domain in relaxed mode (RFC 9989 section 3.2.10.1).
In the example above, From is yourdomain.com while both d= and smtp.mailfrom are mcsv.net. Two mismatches, so DMARC has no aligned pass to rely on. The fix is to move at least one of those identifiers under your own domain.
Step 3: turn on the ESP's domain authentication
Every major ESP has a feature that publishes DNS records so the campaign signs DKIM with your domain and bounces through a Return-Path under your domain. Once either path aligns, DMARC passes. The provider keeps sending on its own infrastructure, so deliverability does not regress.
| ESP | Feature name | DNS records it adds | What aligns after |
|---|---|---|---|
| Mailchimp | Email Domain Authentication | 2 CNAME (DKIM) + 1 TXT (DMARC) = 3 total | DKIM signs d=yourdomain.com; "via mcsv.net" disappears |
| SendGrid | Domain Authentication (Automated Security) | 3 CNAME: one em#### Return-Path record + two DKIM selectors s1/s2 | DKIM d=yourdomain.com and Return-Path under em####.yourdomain.com |
| Klaviyo | Branded (dedicated) sending domain | NS or CNAME delegation records for the sending subdomain (no DMARC record; you add that yourself) | From domain aligns with the sending domain; "via klaviyomail.com" disappears |
A few record-level details to keep straight. In Mailchimp only the two DKIM records are CNAMEs; the DMARC record is a TXT, per Mailchimp's domain authentication guide. SendGrid's two selectors (s1, s2) exist so keys can rotate without an outage, and the em#### record already places the Return-Path under your domain, so SPF aligns at the organizational level with nothing extra, per SendGrid's setup documentation. Klaviyo does not publish a DMARC record for you. Per Klaviyo's dedicated sending domain guide, setting up DMARC is an external process you perform at your own DNS provider, so you add the _dmarc TXT record yourself after the sending domain is verified.
Step 4: get the record-level steps from the setup guide
The exact Name and Value pairs come from each provider's dashboard and differ per account. For the field-by-field walkthrough, follow the matching setup guide:
- Mailchimp DKIM: set up DKIM for Mailchimp.
- SendGrid SPF: set up SPF for SendGrid.
- SendGrid DKIM: set up DKIM for SendGrid.
- Why the Return-Path matters for SPF alignment: Return-Path and DMARC.
Step 5: validate the fix
After the provider reports the records verified, send a fresh campaign and read the headers again. A passing message shows your domain in both authenticated identifiers:
Authentication-Results: mx.google.com;
spf=pass [email protected];
dkim=pass header.d=yourdomain.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com
The dkim=pass header.d= value now matches your From organizational domain, so DKIM aligns and DMARC passes. You can also confirm the published policy and the rest of your records with the free DMARC checker.
DMARC aggregate reports confirm the same thing, but they arrive roughly once per day, so they are slow for a same-hour check. To verify a specific ESP's alignment in minutes instead, use the Inbox Inspector: it gives you a seed address per domain, receives the campaign as a real MTA, then evaluates SPF, DKIM, DMARC and alignment itself rather than trusting the ESP's headers, and auto-detects the provider. The per-message verdict timeline shows exactly which identifier aligned.
If alignment is configured and it still fails
A few cases survive domain authentication:
- Strict alignment. If your DMARC record sets adkim=s or aspf=s (the alignment tags are defined in RFC 9989 section 4.7), the match must be the exact FQDN, not just the organizational domain (strict alignment, RFC 9989 section 3.2.10.2). An ESP using a subdomain like em1234.yourdomain.com aligns under relaxed mode but not strict. Read ESPs, subdomains and DKIM alignment.
- Cached old record. Receivers honor TTL. Wait at least one TTL after publishing the new DNS, then re-test with a fresh message rather than reusing an old report row.
- Mixed sources. If the same From domain also sends through other tools, each one needs its own aligned authentication. A single failing source still shows up in reports.
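The three-domain comparison from Step 2, including the strict-alignment case above, can be scripted. This is an added example, not code from the original page or from any provider: it recomputes alignment from an Authentication-Results value and goes beyond the page's single-signature sample by accepting several DKIM results. The function names, the sample bounce addresses and the two-label organizational-domain shortcut are assumptions.

```python
import re

# Constructed samples modelled on the page's two headers; the bounce addresses
# and the 192.0.2.10 IP are made up for this example.
FAILING = ("mx.google.com;\n spf=pass (google.com: domain of bounce@mcsv.net"
           " designates 192.0.2.10 as permitted sender)"
           " smtp.mailfrom=bounce@mcsv.net;\n dkim=pass header.d=mcsv.net;\n"
           " dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com")
PASSING = ("mx.google.com;\n spf=pass smtp.mailfrom=bounce@em1234.yourdomain.com;\n"
           " dkim=pass header.d=yourdomain.com;\n"
           " dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com")

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # A real evaluator uses the Public Suffix List (example.co.uk needs three).
    return ".".join(domain.split(".")[-2:])

def aligned(identifier, from_domain, strict=False):
    """Strict needs the exact FQDN; relaxed compares organizational domains."""
    a, b = identifier.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def diagnose(header, adkim_strict=False, aspf_strict=False):
    """Recompute alignment from one Authentication-Results header value."""
    from_dom = re.search(r"header\.from=([\w.-]+)", header).group(1)
    # SPF identifier: domain part of smtp.mailfrom (full address or bare domain).
    spf = re.search(r"\bspf=(\w+)", header)
    mfrom = re.search(r"smtp\.mailfrom=(?:[^\s;@]*@)?([\w.-]+)", header)
    spf_ok = bool(spf and mfrom and spf.group(1) == "pass"
                  and aligned(mfrom.group(1), from_dom, aspf_strict))
    # A message can carry several DKIM results; one aligned pass is enough.
    # Reads header.d as shown on the page; some receivers report header.i instead.
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", header)
    dkim_ok = any(res == "pass" and aligned(d, from_dom, adkim_strict)
                  for res, d in dkim)
    return {"from": from_dom, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

if __name__ == "__main__":
    for name, hdr in (("failing", FAILING), ("passing", PASSING)):
        print(name, diagnose(hdr))
    print("passing, strict SPF", diagnose(PASSING, aspf_strict=True))
```

With aspf=s the em1234 Return-Path stops aligning, and the message passes only because the DKIM d= value equals the From domain exactly.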
Related fixes
- If you are unsure which identifier is misaligned, read DMARC alignment issues.
- If SPF itself returns permerror or too many lookups, read SPF errors.
- If DKIM signatures verify but the message still fails, read DKIM failures.
- If you have more than one DKIM record at a selector, read multiple DKIM records.
- If your reports show DMARC passing but spoofing continues, read DMARC passes but spoofing continues.