FAQ

A legitimate sender is failing DMARC - why, and how do I fix it?

A genuine sender can pass raw SPF or DKIM yet still fail DMARC because neither result is aligned with your From: domain. Here's how to spot it and fix alignment.

Last updated 14 June 2026

This is the single most common surprise in DMARC. A message can pass raw SPF and raw DKIM checks and still fail DMARC - because DMARC doesn't care that the checks passed, it cares whether they're aligned with your From: domain.

Pass vs. alignment

  • SPF pass = the sending IP is authorised by some domain's SPF record.
  • SPF alignment = that SPF (envelope/return-path) domain matches your From: domain.
  • DKIM pass = the signature verifies.
  • DKIM alignment = the signing (d=) domain matches your From: domain.

A message passes DMARC if it has at least one of aligned SPF or aligned DKIM. DMARC only ever acts on mail where neither is aligned - so a vendor that sends "on your behalf" can show green SPF/DKIM in raw terms yet fail DMARC because everything is aligned to their domain, not yours.

How to diagnose it in Blankitt DMARC

  1. Open the Offenders page to find the failing sending source. We attribute the source IP / header-from to a known vendor (SendGrid, Mailgun, AWS SES, Microsoft 365, Google, and so on) so you can recognise whether it's legitimate.
  2. Open the relevant Domain detail page and look at the source-IP breakdown with alignment %. A source with high pass rates but low alignment is your culprit.
  3. Check the Compliance Scorecard and the Fix Groups page for the specific remediation grouped by vendor.

How to fix alignment

Option A - fix SPF alignment. Configure the vendor to use a return-path/envelope domain under your own domain (often via a custom MAIL FROM or bounce subdomain), and add their servers to your SPF. The SPF flattening tool on the Domain detail page shows the recursive include tree so you can confirm the vendor is included.

Option B - fix DKIM alignment (usually preferred). Have the vendor sign with a d= value on your domain, and publish their DKIM public key under your domain's selector (selector._domainkey.yourdomain.com). Manage your selectors under DKIM selector management on the Domain detail page. Once the vendor signs as your domain, DKIM aligns.

You only need one of the two to align for the message to pass DMARC - but aligning both is more robust.
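To confirm a fix on a single test message, the pass-versus-alignment logic above can be applied to the Authentication-Results header the receiver adds. The sketch below is an added example, not Blankitt code; the header values and vendor-esp.example are constructed, and the relaxed-mode organizational-domain lookup is a naive stand-in for the Public Suffix List.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real DMARC
    # evaluator uses the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict mode (aspf=s / adkim=s) needs an exact match; relaxed mode
    # (the DMARC default) only needs the same organizational domain.
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_eval(auth_results, from_domain, strict=False):
    """Split raw pass from alignment for one Authentication-Results value."""
    spf = re.search(
        r"\bspf=(\w+)[^;]*?\bsmtp\.mailfrom=(?:[^\s;@]*@)?([\w.-]+)",
        auth_results)
    dkims = re.findall(r"\bdkim=(\w+)[^;]*?\bheader\.d=([\w.-]+)", auth_results)
    spf_pass = bool(spf) and spf.group(1) == "pass"
    spf_aligned = spf_pass and aligned(spf.group(2), from_domain, strict)
    dkim_pass = any(res == "pass" for res, _ in dkims)
    dkim_aligned = any(res == "pass" and aligned(d, from_domain, strict)
                       for res, d in dkims)
    return {"spf_pass": spf_pass, "spf_aligned": spf_aligned,
            "dkim_pass": dkim_pass, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if spf_aligned or dkim_aligned else "fail"}

# Constructed sample headers for mail with From: user@yourdomain.com
VENDOR_DEFAULT = ("mx.receiver.example; "
                  "spf=pass smtp.mailfrom=bounces@mail.vendor-esp.example; "
                  "dkim=pass header.d=vendor-esp.example header.s=s1")
DKIM_FIXED = ("mx.receiver.example; "          # Option B applied
              "spf=pass smtp.mailfrom=bounces@mail.vendor-esp.example; "
              "dkim=pass header.d=yourdomain.com header.s=s1")
SPF_FIXED = ("mx.receiver.example; "           # Option A applied
             "spf=pass smtp.mailfrom=bounce.yourdomain.com; dkim=none")

if __name__ == "__main__":
    for name, hdr in [("vendor default", VENDOR_DEFAULT),
                      ("DKIM fixed", DKIM_FIXED), ("SPF fixed", SPF_FIXED)]:
        print(name, dmarc_eval(hdr, "yourdomain.com"))
```

With strict=True, the bounce subdomain in SPF_FIXED no longer aligns, because strict mode needs an exact match with the From: domain.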

Don't move policy until they're aligned

This is exactly why you start at p=none: identify and align every legitimate sender first. The Policy Progression Wizard tracks readiness and won't recommend moving to quarantine or reject until your legitimate mail is consistently aligned.

Tip: if the "sender" is actually spoofed or unauthorised, that's a good failure - DMARC is doing its job. Vendor attribution on the Offenders page helps you tell the two apart.

Still stuck? Email support or open the support widget in the bottom-right.