When an email arrives, DMARC doesn’t just ask “did the security checks pass?” — it also asks “do those checks actually match the sender address the recipient sees?” This matching step, called alignment, is the reason your emails can pass individual security checks but still fail DMARC. It’s one of the most commonly misunderstood parts of email protection, and it’s the piece that actually stops impersonation.

⚠️ Why This Matters
The authorised sender list (SPF) and the digital seal (DKIM) each verify something independently. DMARC adds a crucial extra question: does the verified domain actually match the “From” address that the recipient sees? Without this matching step, a scammer could set up perfectly valid security checks for their own domain while putting your domain in the “From” address.

The Three Email Addresses Involved

To understand matching (alignment), you need to know that every email actually carries three different “from” addresses — and they don’t always agree:

1. The “From” Address (what your recipient sees)
This is the address shown in your recipient’s inbox. It’s what DMARC is designed to protect — it’s the address people trust and make decisions based on.
    From: sales@example.com

2. The Return Address (used by SPF)
A hidden “behind the scenes” address used for bounce messages. SPF checks this address — and it’s often different from the visible “From” address, especially with third-party sending services.
    Return-Path: bounce@sender.example.com

3. The Signing Domain (used by DKIM)
The domain that applied the digital seal (DKIM signature). The server that sends the email chooses this value.
    DKIM-Signature: d=example.com; s=selector1

How Matching (Alignment) Works

DMARC checks whether the domain that was verified by SPF or DKIM actually matches the domain in the visible “From” address. Think of it like checking ID at the door — it’s not enough to have a valid ID; the name on the ID has to match the name on the guest list.

1. An email arrives claiming to be from your domain
The recipient sees the email is from user@example.com. This visible “From” address is what DMARC protects.

2. SPF and DKIM each verify a different address
SPF checks the hidden return address (e.g. bounce@example.com). DKIM checks the signing domain (e.g. d=example.com). These are often different from the visible “From” address.

3. DMARC asks: do those verified domains match the “From” address?
This is the alignment check. If the domain verified by SPF or DKIM matches the domain in the visible “From” address — for example, both are example.com — then they’re aligned (matching).

4. Only one needs to match for DMARC to pass
DMARC passes if either SPF or DKIM is both valid and matches the “From” domain. You don’t need both — just one successful match is enough.

Why is this important? Without alignment, a scammer could set up valid SPF and DKIM for their own server and domain, while putting your company name in the “From” address that recipients see. Alignment closes this loophole by making sure the verified domain actually matches what people see in their inbox.

How Alignment Works — Visual Overview

    Visible “From” address:             user@example.com
    Return address (checked by SPF):    bounce@example.com
    Signing domain (checked by DKIM):   d=example.com

    ✓ SPF matches:   example.com = example.com
    ✓ DKIM matches:  example.com = example.com

    At least one matches? ✓ DMARC PASS

DMARC passes if either SPF or DKIM is both valid and matches the visible “From” domain.

Relaxed vs. Strict Matching

DMARC gives you two levels of strictness for matching, controlled by the aspf (SPF matching) and adkim (DKIM matching) settings in your DMARC record:

Mode              | Setting | What It Checks                                        | Example
Relaxed (default) | r       | The main domain must match (subdomains are OK)        | mail.example.com matches example.com
Strict            | s       | The exact domain must match (subdomains don’t count)  | mail.example.com does NOT match example.com

Relaxed matching is the default and works for most businesses. It allows subdomains (like mail.example.com) to count as a match for the main domain (example.com), which is important when you use third-party services that send from subdomains.

Strict matching provides tighter security but requires every sending service to use the exact same domain in its return address or digital seal. This can break legitimate emails from services that use subdomains — so only use it if you’re sure everything lines up.

Example DMARC Records

v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:reports@example.com

↑ Relaxed matching for both SPF and DKIM (this is also the default if you leave these settings out)

v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:reports@example.com

↑ Strict matching — both SPF and DKIM domains must exactly match the visible “From” address

Why Alignment Fails (and How to Fix It)

These are the most common reasons businesses see DMARC failures even when their SPF and DKIM checks pass individually:

1. Third-Party Services Using Their Own Domain

Your marketing platform (Mailchimp, SendGrid, HubSpot, etc.) sends emails with your domain in the “From” address — but behind the scenes, the return address and digital seal use their domain (e.g. sendgrid.net). SPF and DKIM pass for sendgrid.net, but they don’t match your domain.

Fix: Set up a custom return address and DKIM signing using your own domain in the sending service’s settings. Most major platforms support this.
2. Email Forwarding

When someone forwards your email (e.g. a university alias that redirects to personal Gmail), the forwarding server’s address isn’t in your authorised sender list, so SPF fails. DKIM may also break if the forwarder changes the message content (like adding a footer).

Fix: Make sure DKIM is properly set up — it usually survives forwarding. This is why having DKIM as a backup is so important.
3. Subdomain Mismatch (with Strict Matching)

Your message has From: news@example.com, but your email service signs the digital seal with d=mail.example.com. With strict matching, these don’t count as the same domain.

Fix: Use relaxed matching (the default), or configure the signing domain to exactly match your “From” domain.
4. Mailing Lists

Mailing lists often rewrite the “From” address or change the message content, which can break both SPF and DKIM alignment. This is one of the trickiest problems in email protection.

Fix: Modern mailing list software handles this better. Some lists rewrite the “From” address to the list’s own domain, which preserves DMARC but changes who the email appears to be from.
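The alignment walkthrough above, the relaxed/strict modes, and the failure causes in this section can all be checked with one small evaluator. This is an added example, not code from the original page or from any DMARC implementation. It assumes the receiving server has already computed the raw SPF and DKIM results (they are passed in as inputs), and it uses a simplified organisational-domain rule (keep the last two labels) where real evaluators consult the Public Suffix List. The function names evaluate_dmarc, aligned, parse_dmarc_record and run_scenarios, and the scenario list, are the example’s own.

```python
from email.utils import parseaddr


def org_domain(domain):
    """Simplified organisational domain: the last two labels.

    Assumption for illustration only. Real DMARC evaluators use the Public
    Suffix List so that, for example, sub.example.co.uk maps to example.co.uk.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """True if the SPF/DKIM-verified domain is aligned with the From domain.

    mode "s" (strict): the domains must be identical.
    mode "r" (relaxed): the organisational domains must match, so a
    subdomain such as mail.example.com aligns with example.com.
    """
    a, f = auth_domain.lower().strip("."), from_domain.lower().strip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def parse_dmarc_record(record):
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def domain_of(address):
    """Domain part of 'Name <user@host>' or a bare 'user@host'."""
    return parseaddr(address)[1].rsplit("@", 1)[-1]


def evaluate_dmarc(record, header_from, return_path, dkim_d, spf_result, dkim_result):
    """DMARC passes if SPF or DKIM both passed and is aligned with the From domain."""
    tags = parse_dmarc_record(record)
    aspf = tags.get("aspf", "r")    # relaxed is the default when the tag is absent
    adkim = tags.get("adkim", "r")
    from_domain = domain_of(header_from)
    spf_aligned = spf_result == "pass" and aligned(domain_of(return_path), from_domain, aspf)
    dkim_aligned = dkim_result == "pass" and aligned(dkim_d, from_domain, adkim)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


RELAXED = "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:reports@example.com"
STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:reports@example.com"

# Constructed scenarios mirroring the cases discussed above:
# (name, DMARC record, From, Return-Path, DKIM d=, raw SPF result, raw DKIM result)
SCENARIOS = [
    ("own server, everything aligned", RELAXED,
     "user@example.com", "<bounce@example.com>", "example.com", "pass", "pass"),
    ("third-party service using its own domain", RELAXED,
     "sales@example.com", "<bounce@sendgrid.net>", "sendgrid.net", "pass", "pass"),
    ("subdomain in Return-Path and DKIM, relaxed", RELAXED,
     "news@example.com", "<bounce@mail.example.com>", "mail.example.com", "pass", "pass"),
    ("subdomain in Return-Path and DKIM, strict", STRICT,
     "news@example.com", "<bounce@mail.example.com>", "mail.example.com", "pass", "pass"),
    ("forwarded: SPF fails, DKIM survives", RELAXED,
     "user@example.com", "<bounce@example.com>", "example.com", "fail", "pass"),
]


def run_scenarios():
    """Evaluate every constructed scenario and return the outcomes in order."""
    results = []
    for name, record, *args in SCENARIOS:
        outcome = evaluate_dmarc(record, *args)
        outcome["scenario"] = name
        results.append(outcome)
    return results


if __name__ == "__main__":
    for r in run_scenarios():
        print(f"{r['dmarc'].upper():4} spf_aligned={r['spf_aligned']!s:5} "
              f"dkim_aligned={r['dkim_aligned']!s:5} {r['scenario']}")
```

Running it shows the third-party case failing even though both raw checks passed, the same subdomain setup passing under relaxed and failing under strict, and the forwarded message passing on DKIM alone.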

How to Find Alignment Problems

  1. Check your DMARC reports — look for emails where SPF or DKIM passed individually but the overall result was “fail”. That’s an alignment problem.
  2. Look at the email headers — the Authentication-Results header will show dmarc=fail even though spf=pass or dkim=pass appears alongside it; that combination means alignment failed.
  3. Compare the domains: Look at the visible “From” address and compare it to the return address (for SPF) and the signing domain (for DKIM). Do they match?
  4. Use our Domain Checker to verify your current DMARC, SPF, and DKIM setup.
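Steps 1 and 2 of this list can be automated. The following added example (not the page’s own code, and not from any reporting vendor or mail server) reads a constructed DMARC aggregate report and a constructed Authentication-Results header and flags the alignment-failure signature: SPF or DKIM passed for some domain, yet DMARC counted the message as failed. The element names follow the aggregate report format; the IP addresses, counts and the function names find_alignment_failures, parse_auth_results and diagnose_auth_results are the example’s own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (rua) report, cut down to the elements this check reads.
# policy_evaluated holds the aligned result; auth_results holds the raw result and the
# domain it was computed for. The IPs and counts are made up.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><aspf>r</aspf><adkim>r</adkim><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>40</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>sendgrid.net</domain><result>pass</result></dkim>
      <spf><domain>sendgrid.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def find_alignment_failures(report_xml):
    """Flag records where SPF or DKIM passed for some domain (auth_results) but the
    aligned result (policy_evaluated) is not 'pass': the passing domain is not
    aligned with the visible From domain. A raw fail is not an alignment problem."""
    findings = []
    for rec in ET.fromstring(report_xml).iter("record"):
        header_from = rec.findtext("identifiers/header_from")
        issues = []
        for method in ("spf", "dkim"):
            evaluated = rec.findtext(f"row/policy_evaluated/{method}")
            passed_for = [a.findtext("domain") for a in rec.findall(f"auth_results/{method}")
                          if a.findtext("result") == "pass"]
            if passed_for and evaluated != "pass":
                issues.append(f"{method} passed for {', '.join(passed_for)} "
                              f"but is not aligned with {header_from}")
        if issues:
            findings.append({
                "source_ip": rec.findtext("row/source_ip"),
                "count": int(rec.findtext("row/count")),
                "header_from": header_from,
                "disposition": rec.findtext("row/policy_evaluated/disposition"),
                "issues": issues,
            })
    return findings


# Constructed Authentication-Results header, as a receiving server might add it.
SAMPLE_AUTH_RESULTS = ("mx.example.net; spf=pass smtp.mailfrom=bounce@sendgrid.net; "
                       "dkim=pass header.d=sendgrid.net; "
                       "dmarc=fail (p=reject dis=reject) header.from=example.com")


def parse_auth_results(header):
    """Parse 'authserv-id; method=result prop=value ...; ...' into one dict per method.
    Parenthesised comments are dropped before parsing."""
    results = {}
    for part in header.split(";")[1:]:
        part = re.sub(r"\([^)]*\)", "", part).strip()
        m = re.match(r"(\w+)=(\w+)\s*(.*)", part)
        if not m:
            continue
        method, result, props = m.groups()
        results[method] = {"result": result, **dict(re.findall(r"([\w.]+)=(\S+)", props))}
    return results


def diagnose_auth_results(header):
    """Explain a dmarc=fail that appears alongside spf=pass or dkim=pass."""
    r = parse_auth_results(header)
    if r.get("dmarc", {}).get("result") != "fail":
        return []
    from_domain = r["dmarc"].get("header.from", "?")
    notes = []
    if r.get("spf", {}).get("result") == "pass":
        notes.append(f"spf=pass for {r['spf'].get('smtp.mailfrom')} is not aligned with {from_domain}")
    if r.get("dkim", {}).get("result") == "pass":
        notes.append(f"dkim=pass for d={r['dkim'].get('header.d')} is not aligned with {from_domain}")
    return notes


if __name__ == "__main__":
    for f in find_alignment_failures(SAMPLE_REPORT):
        print(f"{f['source_ip']} ({f['count']} messages, disposition={f['disposition']}):")
        for issue in f["issues"]:
            print("  -", issue)
    for note in diagnose_auth_results(SAMPLE_AUTH_RESULTS):
        print("header:", note)
```

In the sample report only the second record is flagged: both raw checks passed for sendgrid.net, so the third-party service is the culprit. The third record (SPF fail, DKIM aligned) is a forwarding pattern that DMARC still passes, and the evaluator correctly stays quiet about it.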

Recommendations

  • Start with relaxed matching (the default) — it works with most third-party services out of the box
  • Monitor before enforcing — use monitoring mode (p=none) to find alignment problems before turning on blocking
  • Set up DKIM signing with your own domain on all third-party senders — this is usually the most reliable way to get alignment right
  • Use custom return addresses where possible for SPF alignment with third-party senders
  • Only switch to strict matching once you’ve confirmed all your legitimate email services are properly configured

For a complete setup walkthrough, see How to Implement DMARC. For details on every DMARC record setting, see DMARC Record Explained.