How to align a legitimate sender that's failing DMARC using Fix Groups

When a genuine email service is failing DMARC, use the Offenders and Fix Groups pages to identify it and apply the right SPF or DKIM fix so it aligns.

Last updated 14 June 2026

It is normal to discover legitimate services — your CRM, invoicing tool, help desk or marketing platform — failing DMARC when you first start monitoring. They fail because their mail is not aligned with your From: domain, not because they are malicious. This guide shows how to find and fix them.

Why legitimate mail fails DMARC

A message passes DMARC if it has at least one of:

  • Aligned SPF — the sending IP is authorised and the SPF (return-path) domain matches your From: domain, or
  • Aligned DKIM — the DKIM signature verifies and the signing (d=) domain matches your From: domain.

The most common surprise is mail that passes raw SPF or DKIM but is not aligned — for example a vendor that signs with their own domain. DMARC still fails. The fix is to make at least one mechanism align.
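An added example (not Blankitt's code and not part of the original guide): a Python script that reads records from a DMARC aggregate report and separates "authenticated but not aligned" from "failed" and "not present". The report XML is constructed sample data in the RFC 7489 layout, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs/domains).
SAMPLE_REPORT = """<feedback>
<record>
  <row><source_ip>192.0.2.10</source_ip>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>vendor.example.net</domain><result>pass</result></dkim>
    <spf><domain>bounce.vendor.example.net</domain><result>pass</result></spf>
  </auth_results>
</record>
<record>
  <row><source_ip>192.0.2.20</source_ip>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>example.com</domain><result>pass</result></dkim>
    <spf><domain>bounce.vendor.example.net</domain><result>pass</result></spf>
  </auth_results>
</record>
<record>
  <row><source_ip>198.51.100.5</source_ip>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
</record>
</feedback>"""

def diagnose(record):
    # Returns (source_ip, dmarc_pass, reasons) for one <record> element.
    # policy_evaluated holds the receiver's *aligned* verdicts; auth_results the raw ones.
    aligned = {m: record.findtext(f"row/policy_evaluated/{m}") == "pass" for m in ("spf", "dkim")}
    reasons = []
    for mech in ("spf", "dkim"):
        if aligned[mech]:
            continue
        raw = record.findall(f"auth_results/{mech}")
        passing = [r.findtext("domain") for r in raw if r.findtext("result") == "pass"]
        # "passing" non-empty means: authenticated, but for a domain other than From:
        why = (f"passes for {', '.join(passing)} but is not aligned" if passing
               else "check failed" if raw else "not present")
        reasons.append(f"{mech.upper()} {why}")
    return record.findtext("row/source_ip"), any(aligned.values()), reasons

def diagnose_report(xml_text):
    return [diagnose(r) for r in ET.fromstring(xml_text).iter("record")]

if __name__ == "__main__":
    print(*diagnose_report(SAMPLE_REPORT), sep="\n")
```

Aggregate reports arrive from third parties, so outside of a demo like this, parse them with a hardened XML parser such as defusedxml.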

Step 1 — Find the failing sender

Open the Offenders page. It lists every sending source failing DMARC, with vendor attribution so you can recognise known services (SendGrid, Mailgun, AWS SES, Microsoft 365, Google and more). Use search, filter and sort to locate the source. An unrecognised source may be spoofing — leave those failing; that is exactly what DMARC should block.

Step 2 — Open the matching Fix Group

Go to Fix Groups. Blankitt clusters related failures and gives you grouped remediation suggestions, so fixing one entry often resolves many failing messages at once. Each group tells you what is wrong (e.g. SPF not aligned, DKIM not signed) and what to change.

Step 3 — Apply the fix

There are two ways to make a sender align. Most vendors support at least one; DKIM alignment is generally the more robust choice.

Option A — Align via SPF

Add the vendor's sending infrastructure to your domain's SPF record, usually via their published include:

example.com.  IN  TXT  "v=spf1 include:_spf.google.com include:sendgrid.net ~all"

SPF aligns when the return-path domain matches your From: domain — many vendors require you to set a custom return-path (a CNAME they provide) for this.

Option B — Align via DKIM

Enable DKIM signing in the vendor's dashboard and publish the public key they give you under a selector in your DNS:

selector1._domainkey.example.com.  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ..."

DKIM aligns when the signing d= domain matches your From: domain — confirm the vendor signs as your domain, not theirs. The domain detail page's DKIM selector management helps you track selectors.

Step 4 — Verify

After DNS changes propagate, wait for the next aggregate reports (typically daily) and recheck Offenders. The source should now show passing/aligned. The domain detail page's source-IP breakdown with alignment % and the Compliance Scorecard will reflect the improvement.

Step 5 — Repeat before tightening policy

Work through every legitimate sender until they all align. Only then advance your policy from p=none toward quarantine and reject using the Policy Progression Wizard.

Tip

If a sender truly cannot be aligned, the safest position is to stop sending your-domain mail through it, or use a subdomain with its own policy — never weaken your main domain's policy to accommodate one service.