- DMARC alignment checks whether the domain authenticated by SPF or DKIM matches the domain in your visible From header. Passing SPF or DKIM alone is not enough; the domains must also align.
- Relaxed alignment allows subdomains to match the organizational domain (e.g., mail.example.com aligns with example.com). Strict alignment requires an exact domain match.
- Most DMARC failures in third-party sending are caused by alignment issues, not authentication failures. Your ESP may pass SPF and DKIM but still fail DMARC because the domains do not align with your From address.
- Fixing alignment typically means configuring your ESP to use your domain for DKIM signing (d= tag) and/or your domain for the Return-Path (envelope sender).
You have set up SPF, DKIM, and DMARC on your domain. Your emails pass SPF. They pass DKIM. But your DMARC reports still show failures. What is going wrong?
In most cases, the answer is alignment. DMARC does not just check whether SPF and DKIM pass; it checks whether the domains used by those protocols match the domain in your visible From address. This matching process, called alignment, is where most DMARC implementations break down, especially when using third-party email service providers.
What Is DMARC Alignment?
DMARC alignment is the requirement that the domain authenticated by SPF or DKIM must match (or be related to) the domain in the From header that your recipients see. Without alignment, an email can pass both SPF and DKIM and still fail DMARC.
DMARC checks two types of alignment, and a message must pass at least one of them:
SPF Alignment
SPF alignment compares two domains: the domain in the Return-Path (also called the envelope sender or MAIL FROM address) and the domain in the visible From header. If these domains match (or are related, depending on alignment mode), SPF alignment passes.
Return-Path: bounce-12345@mail.example.com
From: newsletter@example.com
SPF checks: Is the sending IP authorized for mail.example.com? (SPF pass/fail)
SPF alignment: Does mail.example.com match example.com? (alignment pass/fail)
DKIM Alignment
DKIM alignment compares the domain in the DKIM signature's d= tag with the domain in the visible From header. If these domains match (or are related), DKIM alignment passes.
DKIM-Signature: d=example.com; s=selector1; ...
From: newsletter@example.com
DKIM checks: Does the signature validate? (DKIM pass/fail)
DKIM alignment: Does d=example.com match example.com? (alignment pass/fail)
Tip: DMARC requires at least one alignment to pass: either SPF alignment or DKIM alignment. You do not need both. In practice, DKIM alignment is more reliable because DKIM signatures survive forwarding, while SPF often breaks when mail is relayed.
Strict vs. Relaxed Alignment
DMARC supports two alignment modes, controlled by the aspf and adkim tags in your DMARC record:
| Mode | DMARC Tag | Match Requirement | Example |
|---|---|---|---|
| Relaxed (default) | aspf=r / adkim=r | Organizational domains must match (subdomains OK) | mail.example.com aligns with example.com |
| Strict | aspf=s / adkim=s | Exact domain match required | mail.example.com does NOT align with example.com |
Relaxed Alignment (Default)
If you do not specify aspf or adkim in your DMARC record, the default is relaxed for both. Relaxed alignment requires only that the organizational domain (the registered domain) matches. Subdomains are allowed.
Examples that pass relaxed alignment:
- From: user@example.com with DKIM d=example.com (exact match)
- From: user@example.com with DKIM d=mail.example.com (subdomain of same org domain)
- From: user@news.example.com with Return-Path: bounce@example.com (same org domain)
Strict Alignment
Strict alignment requires that the domains match exactly. No subdomain matching is permitted. This provides stronger protection against subdomain spoofing but is harder to implement, especially with third-party senders.
Examples that fail strict alignment (but would pass relaxed):
- From: user@example.com with DKIM d=mail.example.com (subdomain mismatch)
- From: user@news.example.com with Return-Path: bounce@example.com (subdomain mismatch)
Google recommends relaxed alignment for most senders. Strict alignment is typically only necessary for organizations with specific security requirements where preventing subdomain spoofing is critical. Most senders should start with relaxed alignment and only move to strict after confirming all legitimate mail streams pass.
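To make the alignment rules in this section concrete, here is an added Python example (not code from the original page or from any DMARC product) that evaluates SPF and DKIM alignment in relaxed and strict mode and combines them into a DMARC verdict. It assumes a simplified organizational-domain lookup with a small constructed table of multi-label public suffixes instead of the full Public Suffix List, and the scenarios at the bottom are constructed to mirror the cases discussed on this page (ESP signing with its own domain, custom DKIM, forwarding, subdomain signing).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Simplified public-suffix handling. Real verifiers consult the full Public
# Suffix List; this constructed set covers only a few multi-label suffixes so
# that the organizational-domain rule can be demonstrated offline.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def normalize(domain: str) -> str:
    """Lower-case and drop a trailing dot; DNS names compare case-insensitively."""
    return domain.strip().lower().rstrip(".")


def organizational_domain(domain: str) -> str:
    """Return the registered domain: mail.example.com -> example.com,
    news.example.co.uk -> example.co.uk (given the suffix table above)."""
    labels = normalize(domain).split(".")
    suffix_labels = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_labels + 1):])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 'r' (relaxed) compares organizational
    domains, 's' (strict) requires an exact match."""
    a, f = normalize(auth_domain), normalize(from_domain)
    if mode == "s":
        return a == f
    if mode == "r":
        return organizational_domain(a) == organizational_domain(f)
    raise ValueError(f"unknown alignment mode: {mode!r}")


@dataclass
class AuthenticatedMessage:
    """The identifiers a receiver has after running SPF and DKIM."""
    from_domain: str                         # domain of the visible From header
    mail_from_domain: Optional[str] = None   # Return-Path / envelope-sender domain
    spf_pass: bool = False                   # SPF result for mail_from_domain
    passing_dkim_domains: List[str] = field(default_factory=list)  # d= of signatures that validated


def evaluate_dmarc(msg: AuthenticatedMessage, aspf: str = "r", adkim: str = "r") -> Dict[str, bool]:
    """Combine authentication and alignment into the SPF, DKIM and DMARC verdicts."""
    spf_aligned = (
        msg.spf_pass
        and msg.mail_from_domain is not None
        and aligned(msg.mail_from_domain, msg.from_domain, aspf)
    )
    # Any validated signature whose d= aligns is enough for DKIM alignment.
    dkim_aligned = any(aligned(d, msg.from_domain, adkim) for d in msg.passing_dkim_domains)
    return {"spf": spf_aligned, "dkim": dkim_aligned, "dmarc": spf_aligned or dkim_aligned}


# Constructed scenarios mirroring the failure cases discussed on the page.
SCENARIOS = {
    # ESP signs and bounces with its own domain: authenticated, but nothing aligns.
    "esp_own_domain": AuthenticatedMessage(
        from_domain="example.com", mail_from_domain="bounce.mcsv.net",
        spf_pass=True, passing_dkim_domains=["mcsv.net"]),
    # Same ESP after custom DKIM is configured: DKIM alignment carries DMARC.
    "esp_custom_dkim": AuthenticatedMessage(
        from_domain="example.com", mail_from_domain="bounce.mcsv.net",
        spf_pass=True, passing_dkim_domains=["example.com"]),
    # Forwarded mail: SPF breaks, the DKIM signature survives.
    "forwarded": AuthenticatedMessage(
        from_domain="example.com", mail_from_domain="bounce.example.com",
        spf_pass=False, passing_dkim_domains=["example.com"]),
    # Subdomain signing: passes relaxed, fails strict.
    "subdomain_dkim": AuthenticatedMessage(
        from_domain="example.com", mail_from_domain="bounce.mcsv.net",
        spf_pass=True, passing_dkim_domains=["mail.example.com"]),
}

if __name__ == "__main__":
    for name, msg in SCENARIOS.items():
        print(f"{name:16s} relaxed={evaluate_dmarc(msg)}  strict={evaluate_dmarc(msg, 's', 's')}")
```

Running the block prints one line per scenario; the "subdomain_dkim" case is the one that flips from pass to fail when the policy moves from relaxed to strict, which is exactly the regression to look for before tightening aspf or adkim.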
Common DMARC Alignment Failures
Third-Party ESP Using Their Own Domain
This is the most common alignment failure. You send email through a marketing platform like Mailchimp, SendGrid, or HubSpot. The email passes SPF because the ESP's sending IPs are authorized for the ESP's domain. But the Return-Path uses the ESP's domain (e.g., bounce.mcsv.net), not yours. If the ESP also signs DKIM with their own domain (d=mcsv.net) instead of yours, both SPF and DKIM alignment fail.
Fix: Configure your ESP to use custom DKIM signing with your domain. Most ESPs support this through a CNAME record you add to your DNS. For SPF alignment, some ESPs allow custom Return-Path domains, though this is less common. Since DMARC only requires one alignment to pass, getting DKIM alignment right is usually sufficient.
Forwarded Email Breaking SPF
When a recipient's server forwards your email, the forwarding server sends it from its own IP, which is not in your SPF record. SPF fails, and SPF alignment fails with it. If DKIM alignment is not configured, DMARC fails for the forwarded copy.
Fix: Always configure DKIM with your own domain so that DKIM alignment passes even when SPF breaks due to forwarding. This is why DKIM alignment is considered more reliable than SPF alignment for DMARC.
Subdomain Mismatch with Strict Mode
If you set adkim=s (strict DKIM alignment) and your ESP signs DKIM with d=mail.example.com while your From address is user@example.com, DKIM alignment fails. The organizational domains are the same, but strict mode requires an exact match.
Fix: Either switch to relaxed alignment (adkim=r) or configure your ESP to sign DKIM with exactly the same domain used in your From address.
Multiple Sending Services with Inconsistent Configuration
Organizations often use multiple email services: one for marketing, one for transactional, one for internal notifications. If even one of these services is not configured for DKIM alignment with your domain, DMARC reports will show failures for that stream.
Fix: Audit every sending service that sends email using your domain in the From address. Ensure each one is configured for DKIM signing with your domain. Use your DMARC checker and DKIM checker to verify each service's configuration.
Start your DMARC deployment at p=none and analyze your aggregate reports for alignment failures before moving to enforcement. The reports will show you exactly which sending sources are failing alignment so you can fix them one by one. Use our DMARC record generator to create your initial record.
How to Check Your DMARC Alignment
DMARC Aggregate Reports
Your DMARC aggregate reports (sent to the address in your rua= tag) contain the aligned SPF and DKIM results for every sending source that used your domain, grouped by source IP. Look for the <policy_evaluated> section in the XML, which shows the DMARC disposition along with the SPF and DKIM alignment status for that source.
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
In this example, DKIM alignment passed but SPF alignment failed. Since DMARC requires only one to pass, the overall DMARC result is a pass. But if DKIM also showed "fail" here, the message would fail DMARC entirely.
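The report check described above can be automated. The following Python is an added example, not part of the original page or of any reporting tool: it parses a constructed DMARC aggregate report in the RFC 7489 XML layout (record, row, policy_evaluated, identifiers, auth_results) and, for each source, separates a DMARC failure caused by alignment (the raw mechanism passed in auth_results but is marked fail in policy_evaluated) from one caused by authentication failing outright. The report id, source IPs and counts in SAMPLE_REPORT are constructed; the mcsv.net domains are the ESP example used on this page.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed aggregate report: one forwarded stream that still passes via
# DKIM, and one ESP stream where SPF and DKIM both validate for the ESP's own
# domain but neither identifier aligns with the From domain.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>17</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mcsv.net</domain><result>pass</result></dkim>
      <spf><domain>bounce.mcsv.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _text(elem: ET.Element, path: str) -> str:
    """Text of the first child at path, or '' when absent."""
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""


def parse_aggregate_report(xml_text: str) -> List[Dict]:
    """One summary dict per <record>, with a diagnosis of why DMARC failed."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.findall("record"):
        dkim_eval = _text(rec, "row/policy_evaluated/dkim")   # aligned DKIM verdict
        spf_eval = _text(rec, "row/policy_evaluated/spf")     # aligned SPF verdict
        raw_dkim = [(_text(d, "domain"), _text(d, "result")) for d in rec.findall("auth_results/dkim")]
        raw_spf = [(_text(s, "domain"), _text(s, "result")) for s in rec.findall("auth_results/spf")]
        dmarc_pass = dkim_eval == "pass" or spf_eval == "pass"
        # A mechanism that passed in auth_results but is "fail" in
        # policy_evaluated authenticated fine and failed only on alignment.
        mechanism_passed = any(r == "pass" for _, r in raw_dkim + raw_spf)
        diagnosis = "pass" if dmarc_pass else ("alignment" if mechanism_passed else "authentication")
        records.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count") or 0),
            "header_from": _text(rec, "identifiers/header_from"),
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "dkim_aligned": dkim_eval == "pass",
            "spf_aligned": spf_eval == "pass",
            "dkim_domains": [d for d, _ in raw_dkim],
            "spf_domains": [d for d, _ in raw_spf],
            "dmarc_pass": dmarc_pass,
            "diagnosis": diagnosis,
        })
    return records


def failing_sources(records: List[Dict]) -> List[Dict]:
    """The sources to fix before moving from p=none to enforcement."""
    return [r for r in records if not r["dmarc_pass"]]


if __name__ == "__main__":
    for r in parse_aggregate_report(SAMPLE_REPORT):
        print(f"{r['source_ip']:14s} count={r['count']:4d} dkim_aligned={r['dkim_aligned']} "
              f"spf_aligned={r['spf_aligned']} diagnosis={r['diagnosis']} "
              f"signed_by={r['dkim_domains']} mailfrom={r['spf_domains']}")
```

The "alignment" diagnosis combined with the signing and Return-Path domains in the output is what tells you which ESP to reconfigure: a source that signs with mcsv.net and bounces from bounce.mcsv.net needs custom DKIM set up, whereas a source diagnosed as "authentication" needs its IPs or keys fixed first.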
Email Headers
You can also check alignment by viewing the full headers of a received email. Look for the Authentication-Results header, which shows the DMARC result along with alignment details:
Authentication-Results: mx.google.com;
dkim=pass header.d=example.com;
spf=pass (sender IP is authorized) smtp.mailfrom=bounce.example.com;
dmarc=pass (p=REJECT) header.from=example.com
Use our header analyzer to parse these results automatically.
Configuring Alignment for Common ESPs
The process for fixing DKIM alignment varies by provider, but the general approach is the same: add CNAME records to your DNS that point to your ESP's DKIM key, allowing the ESP to sign emails with your domain.
For SPF alignment, add your ESP's sending IPs or include mechanism to your SPF record. Keep in mind that SPF is evaluated against the Return-Path domain, so this only helps alignment when the ESP uses a Return-Path under your domain (a custom bounce domain); if the Return-Path stays on the ESP's domain, SPF may pass but SPF alignment still fails.
After making changes, send test emails and verify alignment using your DMARC aggregate reports or a header analysis tool. Allow 48-72 hours for DNS changes to propagate fully before evaluating results.
Which Alignment Mode Should You Use?
For most organizations, relaxed alignment is the right choice. It provides strong DMARC protection while accommodating the reality that many ESPs use subdomains for DKIM signing and Return-Path addresses. Relaxed alignment still prevents cross-domain spoofing; it only allows subdomain variations within the same organizational domain.
Consider strict alignment only if you need to prevent subdomain spoofing specifically (e.g., preventing someone from using fake-subdomain.yourdomain.com to impersonate you) and you have confirmed that all legitimate mail streams use exact domain matching.
Frequently Asked Questions
Yes. DMARC requires alignment, not just authentication. If SPF passes for domain-A.com but your From address uses domain-B.com, SPF alignment fails. If DKIM is signed with domain-C.com but your From uses domain-B.com, DKIM alignment also fails. Both protocols can pass their own checks while still failing DMARC alignment.
Relaxed alignment is the default for both SPF (aspf=r) and DKIM (adkim=r). If you do not include the aspf or adkim tags in your DMARC record, relaxed alignment is applied. This means subdomains of your organizational domain will pass alignment.
No. DMARC requires at least one of SPF or DKIM to both pass authentication and pass alignment. If either one achieves both, the message passes DMARC. Best practice is to configure both SPF and DKIM so that DMARC can pass even if one mechanism fails due to forwarding or message modification.
Configure your ESP to sign emails with DKIM using your domain instead of theirs. Most ESPs support this by having you add CNAME records to your DNS that point to their DKIM keys. Once configured, the DKIM d= tag will use your domain, achieving DKIM alignment with your From address. Check your ESP's documentation for custom domain authentication setup.