Understanding DMARC Alignment
Learn what DMARC alignment means, how SPF and DKIM alignment work, and why SPF or DKIM can pass while DMARC still fails.
Introduction
DMARC alignment is one of the most important parts of email authentication. A message does not pass DMARC only because SPF or DKIM passes. At least one of them must also align with the visible From domain.
This matters because many email services use different technical domains for Return-Path, bounce handling or DKIM signing. If those domains do not align with the domain users see in the From address, DMARC can fail even when SPF or DKIM shows a pass result.
Quick answer
DMARC alignment means that the domain authenticated by SPF or DKIM must match, or be related to, the visible From domain. A message can pass DMARC if SPF passes and aligns, or if DKIM passes and aligns. SPF or DKIM passing alone is not always enough.
DMARC alignment
DMARC alignment checks whether the authenticated domain matches the domain shown in the visible From address.
billing@example.com
For DMARC to pass, either SPF must pass using an aligned Return-Path domain, or DKIM must pass using an aligned signing domain.
This is why DMARC can fail even when SPF or DKIM technically passes.
Visible From domain
The visible From domain is the domain users see in their email client.
From: Billing Team <billing@example.com>
Visible From domain: example.com. DMARC uses this visible From domain as the reference point for alignment. SPF and DKIM must authenticate a domain that aligns with it.
The visible From domain is not always the same as the technical Return-Path or DKIM signing domain.
SPF alignment
SPF alignment compares the domain used for SPF authentication with the visible From domain. SPF usually authenticates the Return-Path, also called the envelope sender or bounce domain.
Visible From: billing@example.com
Return-Path: bounce@example.com
SPF result: pass
DMARC SPF alignment: aligned
Visible From: billing@example.com
Return-Path: bounce@mailservice.com
SPF result: pass
DMARC SPF alignment: not aligned
This is a common reason DMARC fails even when SPF passes.
DKIM alignment
DKIM alignment compares the DKIM signing domain with the visible From domain.
Visible From: billing@example.com
DKIM signing domain: example.com
DKIM result: pass
DMARC DKIM alignment: aligned
Visible From: billing@example.com
DKIM signing domain: emailprovider.com
DKIM result: pass
DMARC DKIM alignment: not aligned
Many providers allow custom DKIM signing domains. Enabling custom DKIM is often the best way to fix DMARC alignment.
Relaxed vs strict alignment
DMARC supports relaxed and strict alignment modes.
Relaxed alignment
- Subdomains can align with the parent domain.
- Example: mail.example.com aligns with example.com.
- adkim controls DKIM alignment mode.
- aspf controls SPF alignment mode.
adkim=r; aspf=r
Strict alignment
- The domains must match exactly.
- Example: example.com aligns with example.com.
- mail.example.com does not align with example.com.
- Use only when exact matching is required.
adkim=s; aspf=s
Most beginner setups use relaxed alignment unless there is a specific security reason to use strict alignment.
Why this matters
DMARC alignment matters because it connects authentication results to the domain users actually see. Without alignment, a third-party domain could pass SPF or DKIM, but that does not prove it was authorized to send as your visible From domain.
Alignment is what makes DMARC stronger than simply checking whether SPF or DKIM passed.
How to check alignment
Use DMARC Checker to inspect the domain’s DMARC policy, alignment tags and related SPF/DKIM setup.
When checking alignment, review
These seven checks help identify SPF and DKIM alignment problems.
Visible From domain
The domain shown in the email From address.
SPF domain
The Return-Path or envelope sender domain used for SPF.
SPF result
Whether SPF passes.
SPF alignment
Whether the SPF-authenticated domain aligns with the visible From domain.
DKIM signing domain
The domain shown in the DKIM d= value.
DKIM result
Whether DKIM passes.
DKIM alignment
Whether the DKIM signing domain aligns with the visible From domain.
Check DMARC alignment
Use DMARC Checker to review policy, alignment settings and authentication records.
Common problems
SPF passes but does not align
MediumThe sending provider’s Return-Path domain passes SPF, but it does not match the visible From domain.
Next step: Configure a custom bounce/Return-Path domain or rely on aligned DKIM.
DKIM passes but does not align
MediumThe provider signs mail with its own domain instead of your domain.
Next step: Enable custom DKIM signing for your domain.
Neither SPF nor DKIM aligns
HighThe message cannot pass DMARC because no aligned authentication method passes.
Next step: Configure SPF or DKIM alignment for the sending provider.
Third-party sender not configured
HighA CRM, marketing tool or transactional provider sends mail as your domain without aligned authentication.
Next step: Set up custom DKIM and provider-recommended SPF/Return-Path settings.
Strict alignment enabled too early
MediumStrict alignment can fail mail that would pass under relaxed alignment.
Next step: Use relaxed alignment unless strict alignment is intentionally required.
Subdomain policy misunderstood
LowSubdomains may have separate From domains and alignment behavior.
Next step: Review subdomain DMARC policy and provider configuration.
DMARC reports show unknown aligned failures
MediumLegitimate senders may not be configured correctly or unauthorized senders may be spoofing the domain.
Next step: Review aggregate reports and identify each sending source.
How to fix alignment
-
Step 1: Identify the sending provider
Find which provider sent the message: mailbox provider, CRM, marketing platform, website form or transactional service.
-
Step 2: Check SPF alignment
Review the Return-Path domain and compare it with the visible From domain.
-
Step 3: Check DKIM alignment
Review the DKIM d= signing domain and compare it with the visible From domain.
-
Step 4: Enable custom DKIM
For third-party providers, custom DKIM is often the most reliable alignment fix.
-
Step 5: Configure custom Return-Path if needed
Some providers support a custom bounce or Return-Path domain that can align SPF.
-
Step 6: Keep DMARC at p=none while testing
Do not move to quarantine or reject until legitimate senders align.
-
Step 7: Review DMARC reports
Use aggregate reports to confirm which sources pass or fail alignment.
Alignment examples
From: billing@example.com
DKIM d=example.com
DKIM result: pass
DMARC result: pass
From: billing@example.com
Return-Path: bounce@mailservice.com
SPF result: pass
DMARC SPF alignment: fail
From: billing@example.com
DKIM d=emailprovider.com
DKIM result: pass
DMARC DKIM alignment: fail
From: billing@example.com
DKIM d=mail.example.com
DKIM result: pass
DMARC result: pass under relaxed alignment
These examples are simplified. Real message headers may include multiple DKIM signatures and provider-specific Return-Path domains.
Third-party senders
Third-party senders are the most common source of alignment problems. These include CRMs, newsletter platforms, billing tools, support desks and transactional email services.
- Does it support custom DKIM?
- Does it support a custom Return-Path or bounce domain?
- Does it send using your visible From domain?
- Does it pass DKIM alignment?
- Does it appear in DMARC reports?
If a provider cannot align SPF, DKIM alignment may still allow DMARC to pass.
Frequently asked questions
Can SPF pass but DMARC fail?
Yes. SPF can pass but fail DMARC if the SPF-authenticated domain does not align with the visible From domain.
Can DKIM pass but DMARC fail?
Yes. DKIM can pass but fail DMARC if the DKIM signing domain does not align with the visible From domain.
Does DMARC require both SPF and DKIM to pass?
No. DMARC can pass if either SPF or DKIM passes and aligns.
What is the visible From domain?
It is the domain users see in the From address, such as example.com in billing@example.com.
What is relaxed alignment?
Relaxed alignment allows subdomains to align with the parent domain, such as mail.example.com aligning with example.com.
How do I fix third-party sender alignment?
Enable custom DKIM and, if supported, configure a custom Return-Path or bounce domain.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Email Authentication guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!