DMARC Alignment Explained: Why SPF and DKIM Aren't Enough

Learn what DMARC alignment is, why it matters, and how to fix alignment failures that cause DMARC to fail even when SPF and DKIM pass.

You've set up SPF and DKIM. They're both passing. But DMARC is still failing. What's going on?

The answer is usually alignment. DMARC requires that the domain authenticated by SPF or DKIM matches the domain in the From header. Without this match, DMARC fails even when the underlying checks pass.

What Is DMARC Alignment?

Alignment is the requirement that authenticated domains match the visible From address domain.

When you send an email, there are multiple domain identifiers:

  • From header domain: What recipients see (e.g., sender@example.com)
  • Envelope sender domain: The Return-Path used for bounces
  • DKIM signing domain: The domain in the DKIM signature (d= tag)

DMARC alignment ensures that at least one authenticated domain (SPF or DKIM) matches the From header domain. This prevents attackers from using their own authenticated domain while spoofing your From address.

Why Alignment Matters

Without alignment, SPF and DKIM don't actually protect against spoofing.

Consider this attack scenario:

  1. Attacker owns attacker.com with valid SPF and DKIM
  2. Attacker sends email with From: ceo@yourcompany.com
  3. Envelope sender is bounce@attacker.com (SPF passes for attacker.com)
  4. DKIM signs with d=attacker.com (DKIM passes for attacker.com)

Without DMARC alignment:

  • SPF passes (for attacker.com)
  • DKIM passes (for attacker.com)
  • Recipient sees email "from" yourcompany.com
  • Spoofing succeeds

With DMARC alignment:

  • SPF passes but doesn't align (attacker.com ≠ yourcompany.com)
  • DKIM passes but doesn't align (attacker.com ≠ yourcompany.com)
  • DMARC fails
  • Email blocked or quarantined

Alignment is what makes DMARC effective at stopping spoofing.

SPF Alignment

For SPF alignment, the domain in the envelope sender (Return-Path) must match the From header domain.

Aligned Example

From: notifications@example.com
Return-Path: bounces@example.com

Both use example.com, so SPF aligns.

Unaligned Example

From: notifications@example.com
Return-Path: bounces@emailservice.com

The domains don't match. SPF might pass for emailservice.com, but it doesn't align with example.com.

DKIM Alignment

For DKIM alignment, the domain in the DKIM signature (d= tag) must match the From header domain.

Aligned Example

From: hello@example.com
DKIM-Signature: d=example.com; s=selector; ...

The signing domain matches the From domain. DKIM aligns.

Unaligned Example

From: hello@example.com
DKIM-Signature: d=mailservice.com; s=selector; ...

The signature is valid, but for mailservice.com. DKIM doesn't align with example.com.

Relaxed vs Strict Alignment

DMARC supports two alignment modes:

Relaxed Alignment (Default)

With relaxed alignment, only the organizational domain must match, so a subdomain and its parent domain align with each other.

From: news@mail.example.com
Return-Path: bounces@example.com

Both share the organizational domain example.com. With relaxed alignment, this aligns.

Controlled by:

  • aspf=r for SPF (default)
  • adkim=r for DKIM (default)

Strict Alignment

With strict alignment, the domains must match exactly.

From: news@mail.example.com
Return-Path: bounces@example.com

The domains are different (mail.example.com vs example.com). With strict alignment, this does NOT align.

Controlled by:

  • aspf=s for SPF
  • adkim=s for DKIM

Most domains should use relaxed

Strict alignment is rarely necessary and creates more potential for legitimate email failures. Use relaxed unless you have specific security requirements.
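The following is an added example (not code from the original article) that evaluates DMARC alignment the way a receiver does, covering the SPF and DKIM cases above and the relaxed (r) versus strict (s) modes. It assumes a tiny hand-made stand-in for the Public Suffix List; a real checker must load the full list, since the organizational domain depends on it.

```python
# Constructed stand-in for the Public Suffix List; a real checker must load the full
# list from publicsuffix.org, because the organizational domain depends on it.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def organizational_domain(domain: str) -> str:
    """Registrable domain: mail.example.com -> example.com, a.b.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):           # longest public suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])   # suffix plus one label to its left
    return ".".join(labels)

def domain_of(address: str) -> str:
    """Domain part of an address such as 'ceo@yourcompany.com' or '<bounce@attacker.com>'."""
    return address.strip("<> ").rsplit("@", 1)[-1].lower()

def is_aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)

def evaluate_dmarc(from_addr, return_path, dkim_d, spf_pass, dkim_pass, aspf="r", adkim="r"):
    """DMARC passes only if at least one mechanism both passed and aligned with the From domain."""
    from_domain = domain_of(from_addr)
    spf_aligned = spf_pass and is_aligned(from_domain, domain_of(return_path), aspf)
    dkim_aligned = dkim_pass and dkim_d is not None and is_aligned(from_domain, dkim_d, adkim)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}

if __name__ == "__main__":
    # Spoofing attempt: attacker.com authenticates, but nothing aligns with yourcompany.com.
    print(evaluate_dmarc("ceo@yourcompany.com", "bounce@attacker.com", "attacker.com", True, True))
    # Subdomain From address: aligned under relaxed aspf=r, not under strict aspf=s.
    print(evaluate_dmarc("news@mail.example.com", "bounces@example.com", None, True, False))
    print(evaluate_dmarc("news@mail.example.com", "bounces@example.com", None, True, False, aspf="s"))
```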

Common Alignment Problems

Third-Party Email Services

Many email services use their own domain for SPF and DKIM by default:

Email Marketing Platforms: Mailchimp might use mail.mailchimp.com as the envelope sender and sign with their domain.

Transactional Email: SendGrid or Postmark may default to their own domains.

CRM Systems: Salesforce, HubSpot, and others often need custom configuration.

Solution: Configure custom domains in each service. Most providers offer:

  • Custom Return-Path domains for SPF alignment
  • DKIM signing with your domain

Email Forwarding

When email is forwarded, SPF often breaks:

  1. Original email passes SPF for sender's domain
  2. Forwarding server relays the email
  3. Recipient's server sees forwarding server's IP
  4. SPF fails because forwarding server isn't authorized for original domain

Solution: Ensure DKIM is properly configured. DKIM signatures survive forwarding (unless the message is modified), so DKIM alignment can save the email.

Subdomain Mismatches

From: support@help.example.com
DKIM-Signature: d=example.com

With strict alignment, this fails. With relaxed alignment, it passes (both share example.com).

Solution: Either:

  • Use relaxed alignment (default)
  • Configure DKIM to sign with the exact subdomain
  • Use the root domain in the From address

Checking Alignment

To diagnose alignment issues:

Check Email Headers

Look for the Authentication-Results header in received emails:

Authentication-Results: mx.google.com;
  dkim=pass header.d=example.com;
  spf=pass (google.com: domain of bounces@example.com designates 192.0.2.1 as permitted sender);
  dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com

This shows:

  • DKIM passed with header.d=example.com
  • SPF passed for the envelope sender bounces@example.com (domain example.com)
  • DMARC passed with header.from=example.com

All domains match, so alignment is good.

Review DMARC Reports

Aggregate reports show alignment results for each source. Look for entries where:

  • SPF passes but spf_aligned is false
  • DKIM passes but dkim_aligned is false

These indicate alignment problems even when authentication succeeds.
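As an added example (not part of the original article), the script below reads a constructed RFC 7489 aggregate report and lists every source whose SPF or DKIM passed raw authentication but failed the aligned DMARC evaluation. The sample report and the second sender's IP are made up for the example; in a real report the raw result sits under auth_results and the aligned result under policy_evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report: one aligned source and one third-party sender that
# authenticates only its own domain (emailservice.com) while the From is example.com.
REPORT = """<feedback>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p></policy_published>
 <record>
  <row><source_ip>192.0.2.1</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>35</count>
   <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>emailservice.com</domain><result>pass</result></dkim>
   <spf><domain>emailservice.com</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""

def find_alignment_problems(report_xml: str) -> list:
    """Return one entry per source where SPF or DKIM passed raw auth but was not aligned."""
    problems = []
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")            # aligned (DMARC) outcome
        # Raw outcomes, keyed by the domain each mechanism actually authenticated.
        spf_pass = [r.findtext("domain") for r in rec.findall("auth_results/spf") if r.findtext("result") == "pass"]
        dkim_pass = [r.findtext("domain") for r in rec.findall("auth_results/dkim") if r.findtext("result") == "pass"]
        spf_aligned = evaluated.findtext("spf") == "pass"
        dkim_aligned = evaluated.findtext("dkim") == "pass"
        if (spf_pass and not spf_aligned) or (dkim_pass and not dkim_aligned):
            problems.append({"source_ip": row.findtext("source_ip"), "count": int(row.findtext("count")),
                             "header_from": rec.findtext("identifiers/header_from"),
                             "spf_pass_domains": spf_pass, "spf_aligned": spf_aligned,
                             "dkim_pass_domains": dkim_pass, "dkim_aligned": dkim_aligned,
                             "disposition": evaluated.findtext("disposition")})
    return problems

if __name__ == "__main__":
    for p in find_alignment_problems(REPORT):
        print(f"{p['source_ip']} ({p['count']} msgs): raw pass for {p['spf_pass_domains'] + p['dkim_pass_domains']}, "
              f"From {p['header_from']}, disposition={p['disposition']}")
```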

Fixing Alignment Issues

For SPF Alignment

Configure a custom Return-Path domain with your email service:

  1. Add the required DNS records (usually CNAME)
  2. Enable custom envelope sender in the service settings
  3. Verify the configuration
  4. Test by sending and checking headers

For DKIM Alignment

Configure your email service to sign with your domain:

  1. Generate DKIM keys in the service (or provide your own)
  2. Add the public key to your DNS
  3. Enable signing in the service settings
  4. Verify with DKIM Test

For Third-Party Services

Most major providers have documentation for custom domain setup:

  • Google Workspace: Built-in DKIM signing with your domain
  • Microsoft 365: DKIM signing available in admin console
  • Mailchimp: Custom domain authentication in account settings
  • SendGrid: Domain authentication wizard
  • Amazon SES: Easy DKIM and custom MAIL FROM

Check your provider's documentation for "custom domain authentication," "DKIM setup," or "email authentication."

When Alignment Fails for Legitimate Email

If legitimate email is failing alignment:

  1. Identify the source: Check DMARC reports to find which service is failing
  2. Check configuration: Verify SPF includes the sending IP, DKIM is properly set up
  3. Configure custom domains: Set up Return-Path and DKIM signing with your domain
  4. Test thoroughly: Send test emails and verify headers before moving to enforcement

Don't move to p=reject until you've resolved alignment issues for all legitimate email sources.

Monitor Your DMARC Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
