
SPF Passes, DKIM Passes, But DMARC Still Fails - Why Alignment Matters

You run a check on your email authentication. SPF: pass. DKIM: pass. DMARC: fail.

How is that possible? Shouldn't passing SPF and DKIM mean passing DMARC?

No. And this confusion trips up a lot of people setting up email authentication for the first time.

The common misconception

DMARC doesn't just check whether SPF and DKIM pass individually. It checks whether the domains used in SPF and DKIM match the domain in your From header.

This is called alignment. Without alignment, SPF and DKIM can both pass while DMARC still fails.

Here's why: SPF authorizes a sending server for a specific domain (the envelope sender, or MAIL FROM, domain). DKIM validates a signature for a specific signing domain (the d= tag). DMARC requires that at least one of those domains, for a check that actually passed, matches the domain in the From address that recipients see.

What alignment actually means

DMARC has two alignment modes: relaxed and strict.

Relaxed alignment means the organizational domains match. subdomain.yourdomain.com and another.yourdomain.com are considered aligned because the organizational (registrable) domain, yourdomain.com, is the same.

Strict alignment means the domains must be identical. subdomain.yourdomain.com and yourdomain.com would NOT be aligned under strict mode.

Most organizations use relaxed alignment. Strict alignment is hard to maintain because the SPF and DKIM domains have to be exactly the From domain, not a subdomain of it, for every sender.

Why alignment fails in practice

Example 1: Third-party email service
Your CRM sends appointment reminders as noreply@yourdomain.com, but SPF passes for the CRM's own envelope sender domain and IPs, and DKIM is signed with the CRM's own domain. The From header shows yourdomain.com, but neither SPF nor DKIM is aligned to yourdomain.com. DMARC fails.

Example 2: Mailing list forwarding
A message sent from hello@vendor.com to a mailing list is forwarded to you. The mailing list re-injects it from its own infrastructure. SPF passes for the list's domain. DKIM might pass for the list's domain (the original vendor.com signature survives only if the list left the signed headers and body untouched). But the From header still shows vendor.com, so neither passing check is aligned with the From domain and vendor.com's DMARC fails. If the message had been sent from your domain instead, your DMARC would fail the same way.

Example 3: Marketing platform using shared sending
Your marketing platform sends from ip-2387@sendingplatform.com as the envelope sender, but the From header shows you@yourdomain.com. SPF passes for sendingplatform.com. DKIM passes for sendingplatform.com. The From domain is yourdomain.com. Alignment fails.
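To make the alignment rule concrete, here is an added example (not code from the original post) that evaluates identifier alignment the way a receiver does and runs the scenarios above through it. The organizational-domain lookup is a simplified stand-in for the Public Suffix List, and crm.example and sendingplatform.com are placeholder domains.

```python
# Added example (not from the original post): evaluate DMARC identifier
# alignment, then run the post's scenarios through it.
# Organizational-domain lookup is simplified: real receivers consult the
# Public Suffix List; here we hard-code a few multi-label public suffixes.

MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}  # simplified PSL stand-in


def organizational_domain(domain: str) -> str:
    """Return the registrable (organizational) domain, e.g. mail.yourdomain.com -> yourdomain.com."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain, mode: str = "r") -> bool:
    """Identifier alignment: 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if auth_domain is None:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else organizational_domain(a) == organizational_domain(b)


def dmarc_result(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass, aspf="r", adkim="r"):
    """DMARC passes when at least one mechanism both passed AND is aligned with the From domain."""
    spf_aligned = bool(spf_pass and aligned(from_domain, spf_domain, aspf))
    dkim_aligned = bool(dkim_pass and aligned(from_domain, dkim_domain, adkim))
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned, "dmarc": spf_aligned or dkim_aligned}


# Constructed scenarios mirroring the post's examples (placeholder domains).
SCENARIOS = {
    # Example 1: CRM sends as noreply@yourdomain.com, but SPF and DKIM are for the CRM's own domain
    "crm": dmarc_result("yourdomain.com", "crm.example", True, "crm.example", True),
    # Example 3: marketing platform with a shared envelope sender on sendingplatform.com
    "marketing": dmarc_result("yourdomain.com", "sendingplatform.com", True, "sendingplatform.com", True),
    # The "custom DKIM" fix: platform now signs with d=yourdomain.com while SPF stays theirs
    "custom_dkim": dmarc_result("yourdomain.com", "sendingplatform.com", True, "yourdomain.com", True),
    # A subdomain signer (d=mail.yourdomain.com) under relaxed vs strict adkim
    "relaxed_sub": dmarc_result("yourdomain.com", None, False, "mail.yourdomain.com", True, adkim="r"),
    "strict_sub": dmarc_result("yourdomain.com", None, False, "mail.yourdomain.com", True, adkim="s"),
}

if __name__ == "__main__":
    for name, r in SCENARIOS.items():
        print(f"{name:12s} spf_aligned={r['spf_aligned']!s:5} dkim_aligned={r['dkim_aligned']!s:5} DMARC={'pass' if r['dmarc'] else 'fail'}")
```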

How to check if your mail is aligned

Your DMARC aggregate reports show alignment results. Specifically look for records where SPF or DKIM shows "pass" in the raw authentication results but the DMARC-evaluated result for that mechanism is "fail" - this typically means alignment failed even though the check itself passed.

A dkim_align or spf_align field of "pass" (in the raw XML these are the <dkim> and <spf> elements under <policy_evaluated>) means alignment passed. "fail" means the domains didn't match. If you're seeing SPF pass and DKIM pass but both alignment fields show fail, that's your problem.
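The triage described above, as an added example that is not part of the original post: a small parser over a constructed RFC 7489 aggregate report that flags records where a mechanism passed in auth_results but its policy_evaluated (aligned) result is "fail". The IPs, counts and domains in the sample report are placeholders.

```python
# Added example (not from the original post): find "raw pass, aligned fail"
# records in a DMARC aggregate report. SAMPLE_REPORT is constructed.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>sendingplatform.com</domain><result>pass</result></dkim>
      <spf><domain>sendingplatform.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.sendingplatform.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def unaligned_records(report_xml: str) -> list:
    """Return one finding per mechanism that passed in auth_results but whose
    DMARC-evaluated (aligned) result under policy_evaluated is 'fail'."""
    root = ET.fromstring(report_xml)
    findings = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from")
        evaluated = {m: rec.findtext(f"row/policy_evaluated/{m}") for m in ("spf", "dkim")}
        for mech in ("spf", "dkim"):
            for auth in rec.findall(f"auth_results/{mech}"):
                if auth.findtext("result") == "pass" and evaluated[mech] == "fail":
                    findings.append({"source_ip": rec.findtext("row/source_ip"),
                                     "count": int(rec.findtext("row/count")), "mechanism": mech,
                                     "header_from": header_from, "authenticated_domain": auth.findtext("domain")})
    return findings


if __name__ == "__main__":
    for f in unaligned_records(SAMPLE_REPORT):
        print(f"{f['count']:4d} msgs from {f['source_ip']}: {f['mechanism'].upper()} passed for "
              f"{f['authenticated_domain']} but is not aligned with From {f['header_from']}")
```

The second record shows the happy path after a custom DKIM fix: DKIM is aligned, so DMARC passes even though the platform's envelope sender still makes SPF unaligned.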

If you're running multiple domains or sending at any volume, reading raw XML for every report isn't practical. You need a provider like DMARCFlow that processes your aggregate reports and shows alignment pass rates per domain, including cases where DKIM passes but isn't aligned to your From domain, so you can see the problem without parsing individual report files.

What to do when alignment fails

Fix the DKIM signing domain (preferred): Have your third-party sender sign with your domain instead of theirs. Many email providers offer this via custom DKIM: you publish a DNS record they generate, and they sign with d= set to your domain. When DKIM is aligned to your From domain, DMARC passes on the DKIM factor alone.

Fix the SPF sending domain: If possible, have the third party use an envelope sender (Return-Path) on your domain and include their sending servers in your domain's SPF record, so the SPF-authenticated domain aligns with your From domain. This is harder to implement, but possible with some providers.

Use subdomain isolation: Move problematic third-party senders to a subdomain. Set up their authentication for the subdomain, not your main domain. Your main domain stays under its strict enforcement policy; the subdomain gets its own, more lenient DMARC policy.

Keep p=none while troubleshooting: Don't move to p=quarantine or p=reject until alignment is consistently passing. You'll break legitimate mail if you enforce a policy while alignment is still broken.

Common FAQ

Q: Does SPF passing mean my domain is aligned?
A: SPF passing means the sending server is authorized for whatever domain the SPF record covers. It doesn't automatically mean alignment to your From domain.

Q: Can DMARC pass with only SPF or only DKIM aligned?
A: Yes. DMARC requires at least one alignment factor to pass (SPF or DKIM), not both. This is called "one-factor alignment."

Q: Why does relaxed alignment exist?
A: Because strict alignment is impractical for most organizations. Subdomains, marketing platforms, and forwarding services all use different sending domains. Relaxed alignment lets them coexist as long as the organizational domain matches.

Understanding alignment is the step most people skip when learning about DMARC. It explains why you can have perfect SPF and DKIM records and still see DMARC failures - the domains don't match, and that's what DMARC is checking.