DMARC alignment is the mechanism that ties SPF and DKIM results back to the domain visible in the “From” header — the address your recipients actually see. It’s the reason SPF and DKIM can both pass while DMARC still fails, and it’s one of the most commonly misunderstood aspects of email authentication.
SPF and DKIM check authentication independently. DMARC adds the requirement that at least one of them must align with the domain in the From: header. Without alignment, an attacker could set up valid SPF and DKIM for their own domain while spoofing your domain in the From: header.
Understanding the Three Domains
To understand alignment, you need to know about the three domains involved in every email:
- Header From: The “From” address your recipient sees in their email client. This is what DMARC protects.
  From: sales@example.com
- Envelope sender (Return-Path): The “return path” used by SPF. Often different from the Header From, especially with third-party senders.
  Return-Path: bounce@sender.example.com
- DKIM signing domain (d=): The domain in the DKIM signature header. The signing server chooses this value.
  DKIM-Signature: d=example.com; s=selector1
How DMARC Alignment Works
DMARC alignment checks whether the domain in the visible “From” address matches the domains authenticated by SPF and DKIM. Here’s how it works:
The recipient sees the email is from user@example.com. This is the Header From domain — the one DMARC cares about protecting.
SPF validates the envelope sender (Return-Path), e.g. bounce@example.com. DKIM validates the signing domain (d= tag), e.g. d=example.com. These are often different from the visible “From” address.
DMARC asks: does the domain authenticated by SPF or DKIM match the domain in the “From” header? If example.com (From) matches example.com (SPF or DKIM), that’s alignment.
DMARC passes if either SPF or DKIM is both valid and aligned. You don’t need both — just one successful alignment is enough.
Alignment Check — Visual Overview
DMARC passes if either SPF or DKIM is both valid and aligned with the Header From domain.
Relaxed vs. Strict Alignment
DMARC offers two alignment modes, controlled by the aspf (SPF alignment) and adkim (DKIM alignment) tags in your DMARC record:
| Mode | Tag Value | What It Checks | Example |
|---|---|---|---|
| Relaxed (default) | r | Organizational domain (root domain) must match | mail.example.com aligns with example.com ✓ |
| Strict | s | Exact domain must match (including subdomains) | mail.example.com does NOT align with example.com ✗ |
Relaxed alignment is the default and is suitable for most organisations. It allows subdomains to align with the root domain, which is necessary when using third-party email services that send from subdomains.
Strict alignment provides tighter security but requires that every sending service uses the exact same domain in its envelope sender or DKIM signature. This can break email from legitimate services that use subdomains.
Example DMARC Records
↑ Relaxed alignment for both SPF and DKIM (this is also the default if omitted)
↑ Strict alignment — both SPF and DKIM domains must exactly match the Header From
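The two alignment modes, worked through as an added example that is not part of the original page: it reads aspf and adkim from a DMARC record and decides alignment for the third-party and subdomain cases. The records, the function names and the four-entry suffix set (a stand-in for the Public Suffix List) are assumptions made for illustration.

```python
# Added example (not from the original page): evaluate DMARC alignment.
# ASSUMPTION: this tiny suffix set stands in for the Public Suffix List that
# real receivers consult to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed sample records; p=none is only a placeholder policy.
RELAXED = "v=DMARC1; p=none; aspf=r; adkim=r"
STRICT = "v=DMARC1; p=none; aspf=s; adkim=s"

def org_domain(domain):
    """Longest matching public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: keep the last two labels

def alignment_modes(record):
    """Return (aspf, adkim); each defaults to relaxed ('r') when omitted."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("aspf", "r"), tags.get("adkim", "r")

def aligned(header_from, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed compares organizational domains."""
    a, b = header_from.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(record, header_from, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs.
    DMARC passes when at least one mechanism both passes and aligns."""
    aspf, adkim = alignment_modes(record)
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], aspf)
    dkim_ok = dkim[0] == "pass" and aligned(header_from, dkim[1], adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

if __name__ == "__main__":
    # Third-party sender: both checks pass, but for the sender's own domain.
    print(dmarc_result(RELAXED, "yourdomain.com",
                       ("pass", "sendgrid.net"), ("pass", "sendgrid.net")))
    # Subdomain signer: aligned under relaxed mode, not under strict.
    for rec in (RELAXED, STRICT):
        print(dmarc_result(rec, "example.com",
                           ("fail", "sender.example.net"), ("pass", "mail.example.com")))
```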
Common Alignment Failure Scenarios
These are the most frequent reasons organisations see DMARC failures despite having valid SPF and DKIM:
Your marketing platform (Mailchimp, SendGrid, HubSpot) sends emails with From: you@yourdomain.com but the envelope sender is bounce@sendgrid.net and DKIM signs with d=sendgrid.net.
Fix: Configure custom envelope domain and DKIM signing with your own domain in the sender’s settings.
When email is forwarded (e.g., university alias → personal Gmail), the forwarding server’s IP isn’t in your SPF record, breaking SPF alignment. DKIM may also break if the forwarder modifies the message body.
Fix: Ensure DKIM is properly configured (it survives most forwarding). Consider ARC for forwarding scenarios.
You send from From: news@example.com but your email platform signs DKIM with d=mail.example.com. With strict alignment, these don’t match.
Fix: Use relaxed alignment (the default), or configure the signing domain to exactly match.
Mailing lists often rewrite the From: header or modify message content, breaking both SPF and DKIM alignment. This is one of the hardest problems in email authentication.
Fix: Modern mailing list software supports ARC. Some lists rewrite From: to the list’s domain, which preserves DMARC but changes the visible sender.
How to Diagnose Alignment Issues
- Check your DMARC aggregate reports — look for rows where SPF or DKIM pass but the disposition is “quarantine” or “reject”. That’s an alignment failure.
- Examine email headers — look at the Authentication-Results header. It will show dmarc=fail (p=none dis=none) even when spf=pass.
- Compare the domains: Check the From: header domain against the Return-Path domain (SPF) and the DKIM-Signature d= domain.
- Use our Domain Checker to verify your current DMARC, SPF, and DKIM configuration.
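The header check and domain comparison from the steps above, as an added example that is not part of the original page: it parses an Authentication-Results header and lists every mechanism that passed while DMARC failed, paired with the From: domain it should have matched. The sample header, the receiver hostname and the function names are constructed for illustration.

```python
import re

# Constructed sample header, modelled on the values quoted in the steps above.
SAMPLE = ("Authentication-Results: mx.receiver.example; "
          "spf=pass smtp.mailfrom=bounce@sendgrid.net; "
          "dkim=pass header.d=sendgrid.net header.s=selector1; "
          "dmarc=fail (p=none dis=none) header.from=yourdomain.com")

def parse_auth_results(header):
    """Split the header into (method, result, properties) clauses."""
    if header.lower().startswith("authentication-results:"):
        header = header.split(":", 1)[1]
    value = re.sub(r"\([^)]*\)", " ", header)   # drop comments like (p=none dis=none)
    clauses = []
    for part in value.split(";")[1:]:           # first field is the receiver's id
        m = re.match(r"\s*(\w+)=(\w+)", part)
        if m:
            props = {k.lower(): v for k, v in
                     re.findall(r"([a-z]+\.[a-z]+)=(\S+)", part, re.I)}
            clauses.append((m.group(1).lower(), m.group(2).lower(), props))
    return clauses

def domain_of(value):
    """smtp.mailfrom may hold a full address; keep only the domain part."""
    return value.rsplit("@", 1)[-1].strip("<>").lower()

def alignment_suspects(header):
    """Return (mechanism, authenticated_domain, from_domain) for each check
    that passed although DMARC failed; these are the domains to compare."""
    clauses = parse_auth_results(header)
    dmarc = [(r, p) for m, r, p in clauses if m == "dmarc"]
    if not dmarc or dmarc[0][0] != "fail":
        return []
    from_domain = domain_of(dmarc[0][1].get("header.from", ""))
    prop = {"spf": "smtp.mailfrom", "dkim": "header.d"}
    return [(m, domain_of(p.get(prop[m], "")), from_domain)
            for m, r, p in clauses if m in prop and r == "pass"]

if __name__ == "__main__":
    for mech, auth_domain, from_domain in alignment_suspects(SAMPLE):
        print(f"{mech} passed for {auth_domain}, but From: is {from_domain}")
```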
Recommendations
- Start with relaxed alignment (the default) — it’s compatible with most third-party services
- Monitor before enforcing — use p=none to collect reports and identify alignment issues before moving to quarantine or reject
- Configure DKIM signing with your own domain on all third-party senders — this is usually the most reliable path to alignment
- Use custom return-path domains where possible for SPF alignment with third-party senders
- Only move to strict alignment once you’ve confirmed all legitimate senders are properly configured
For a complete walkthrough of the implementation process, see How to Implement DMARC. For details on every DMARC record tag, see DMARC Record Explained.