
DMARC alignment: why mail can pass SPF/DKIM yet fail DMARC

The number-one source of confusion explained: a message can pass raw SPF and DKIM and still fail DMARC because neither result is aligned with the visible From: domain.

3 min read. Last updated 14 June 2026

This is the single most confusing thing about DMARC, and the most common reason for unexpected failures in your reports: a message can pass SPF and pass DKIM, and still fail DMARC.

The reason is alignment. DMARC doesn't just ask "did SPF or DKIM pass?" — it asks "did SPF or DKIM pass for the same domain the recipient sees in the From: header?"

Two domains, not one

The domain a human reads in their mail client — the From: (or "header-from") domain — is not the domain that SPF and DKIM actually check:

  • SPF validates the envelope sender (the Return-Path / MAIL FROM), which is frequently a sending provider's bounce domain, e.g. bounces.mailprovider.com.
  • DKIM validates the signing domain (the d= value in the signature), which may be the provider's domain rather than yours.

If either of those domains differs from your From: domain, the check is said to be unaligned.

The DMARC rule

A message passes DMARC if it has at least one of:

  • aligned SPF — SPF passes and the envelope domain matches the From: domain, or
  • aligned DKIM — DKIM passes and the d= domain matches the From: domain.

If SPF and DKIM both pass on their own domains but neither is aligned with the From: domain, the message fails DMARC. DMARC only ever acts on this unaligned mail.

A worked example

You send marketing email through a third-party platform. The message header-from is news@yourdomain.com, but:

| Check | Result | Domain checked | Aligned with news@yourdomain.com? |
|-------|--------|--------------------------------|-----|
| SPF   | pass   | bounces.platform.com (envelope) | No |
| DKIM  | pass   | d=platform.com (signature)      | No |

Both raw checks pass, yet DMARC fails because neither is aligned. In your reports this shows up as a legitimate sender failing DMARC — and if your policy were p=reject, that mail would be blocked.

Relaxed vs strict alignment

Alignment mode is set in your DMARC record:

  • Relaxed (the default; aspf=r, adkim=r) — a match between a domain and its parent/subdomain counts. mail.yourdomain.com aligns with yourdomain.com.
  • Strict (aspf=s, adkim=s) — only an exact match counts.

Most organisations should stay on relaxed alignment, which is more forgiving of subdomains used by providers.
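
The rule and the two alignment modes above, as an added example (not code from this page or from the product it documents). The function names are hypothetical, and PUBLIC_SUFFIXES is a small constructed stand-in for the Public Suffix List that real receivers use to find the organizational domain.

```python
# Added example: DMARC alignment evaluation (illustrative, not the vendor's code).
# ASSUMPTION: PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public
# Suffix List, which real receivers use to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(domain: str) -> str:
    """Return the organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no suffix is known


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def dmarc_result(header_from, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf = (result, envelope_domain); dkim_sigs = [(result, d_domain), ...].
    Returns (verdict, spf_aligned, dkim_aligned)."""
    from_domain = header_from.rsplit("@", 1)[-1]
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    # A message may carry several signatures; one aligned pass is enough.
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim) for r, d in dkim_sigs)
    return ("pass" if spf_ok or dkim_ok else "fail", spf_ok, dkim_ok)


if __name__ == "__main__":
    sender = "news@yourdomain.com"
    cases = {  # constructed inputs based on the worked example above
        "unaligned vendor": (("pass", "bounces.platform.com"), [("pass", "platform.com")], "r", "r"),
        "DKIM aligned": (("pass", "bounces.platform.com"), [("pass", "yourdomain.com")], "r", "r"),
        "subdomain, relaxed": (("pass", "mail.yourdomain.com"), [], "r", "r"),
        "subdomain, strict": (("pass", "mail.yourdomain.com"), [], "s", "s"),
    }
    for name, (spf, dkim, aspf, adkim) in cases.items():
        print(f"{name:20} -> {dmarc_result(sender, spf, dkim, aspf, adkim)}")
```

The first case reproduces the worked example: both raw checks pass, neither is aligned, and the verdict is fail. The last two cases show the same envelope domain passing under relaxed alignment and failing under strict.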

How to fix unaligned mail

  1. Identify the source. Use the Offenders page to find sending sources failing DMARC, with vendor detection naming the likely provider.
  2. Align DKIM (preferred — it survives forwarding). Configure the vendor to sign with your domain so d=yourdomain.com, usually by adding their selector record to your DNS.
  3. Align SPF where possible. Set a custom return-path / bounce domain on your domain so the envelope sender aligns, and add the vendor's include to your SPF record.
  4. Re-check. Let new reports come in and confirm the source now shows aligned. The Fix Groups page bundles related remediation suggestions to make this faster.

Why this matters before p=reject

If you tighten your policy while legitimate senders are still unaligned, that good mail gets quarantined or rejected. The whole point of the Policy Progression Wizard is to ensure every legitimate sender is consistently aligned before you move past p=none. Get alignment right first, and the move to quarantine and reject becomes safe.
