Understanding DMARC Alignment

Learn what DMARC alignment means, how SPF and DKIM alignment work, and why SPF or DKIM can pass while DMARC still fails.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 8 min read | Beginner

Introduction

DMARC alignment is one of the most important parts of email authentication. A message does not pass DMARC only because SPF or DKIM passes. At least one of them must also align with the visible From domain.

This matters because many email services use different technical domains for Return-Path, bounce handling or DKIM signing. If those domains do not align with the domain users see in the From address, DMARC can fail even when SPF or DKIM shows a pass result.

Quick answer

DMARC alignment means that the domain authenticated by SPF or DKIM must match the visible From domain exactly or, under relaxed alignment, share the same organizational (parent) domain. A message can pass DMARC if SPF passes and aligns, or if DKIM passes and aligns. SPF or DKIM passing alone is not always enough.

DMARC alignment

DMARC alignment checks whether the authenticated domain matches the domain shown in the visible From address.

Example visible From address
billing@example.com

For DMARC to pass, either SPF must pass using an aligned Return-Path domain, or DKIM must pass using an aligned signing domain.

This is why DMARC can fail even when SPF or DKIM technically passes.

Visible From domain

The visible From domain is the domain users see in their email client.

Example
From: Billing Team <billing@example.com>

Visible From domain: example.com. DMARC uses this visible From domain as the reference point for alignment. SPF and DKIM must authenticate a domain that aligns with it.

The visible From domain is not always the same as the technical Return-Path or DKIM signing domain.

SPF alignment

SPF alignment compares the domain used for SPF authentication with the visible From domain. SPF usually authenticates the Return-Path, also called the envelope sender or bounce domain.

Aligned SPF example
Visible From: billing@example.com
Return-Path: bounce@example.com
SPF result: pass
DMARC SPF alignment: aligned

SPF pass but not aligned
Visible From: billing@example.com
Return-Path: bounce@mailservice.com
SPF result: pass
DMARC SPF alignment: not aligned

This is a common reason DMARC fails even when SPF passes.

DKIM alignment

DKIM alignment compares the DKIM signing domain with the visible From domain.

Aligned DKIM example
Visible From: billing@example.com
DKIM signing domain: example.com
DKIM result: pass
DMARC DKIM alignment: aligned

DKIM pass but not aligned
Visible From: billing@example.com
DKIM signing domain: emailprovider.com
DKIM result: pass
DMARC DKIM alignment: not aligned

Many providers allow custom DKIM signing domains. Enabling custom DKIM is often the best way to fix DMARC alignment.

Relaxed vs strict alignment

DMARC supports relaxed and strict alignment modes.

Relaxed alignment

  • Subdomains can align with the parent domain.
  • Example: mail.example.com aligns with example.com.
  • adkim controls DKIM alignment mode.
  • aspf controls SPF alignment mode.

adkim=r; aspf=r

Strict alignment

  • The domains must match exactly.
  • Example: example.com aligns with example.com.
  • mail.example.com does not align with example.com.
  • Use only when exact matching is required.

adkim=s; aspf=s

Most beginner setups use relaxed alignment unless there is a specific security reason to use strict alignment.

Why this matters

DMARC alignment matters because it connects authentication results to the domain users actually see. Without alignment, a third-party domain could pass SPF or DKIM, but that does not prove it was authorized to send as your visible From domain.

Alignment is what makes DMARC stronger than simply checking whether SPF or DKIM passed.

How to check alignment

Use DMARC Checker to inspect the domain’s DMARC policy, alignment tags and related SPF/DKIM setup.

When checking alignment, review

These seven checks help identify SPF and DKIM alignment problems.

Visible From domain

The domain shown in the email From address.

SPF domain

The Return-Path or envelope sender domain used for SPF.

SPF result

Whether SPF passes.

SPF alignment

Whether the SPF-authenticated domain aligns with the visible From domain.

DKIM signing domain

The domain shown in the DKIM d= value.

DKIM result

Whether DKIM passes.

DKIM alignment

Whether the DKIM signing domain aligns with the visible From domain.

Common problems

SPF passes but does not align

Medium

The sending provider’s Return-Path domain passes SPF, but it does not match the visible From domain.

Next step: Configure a custom bounce/Return-Path domain or rely on aligned DKIM.

DKIM passes but does not align

Medium

The provider signs mail with its own domain instead of your domain.

Next step: Enable custom DKIM signing for your domain.

Neither SPF nor DKIM aligns

High

The message cannot pass DMARC because no aligned authentication method passes.

Next step: Configure SPF or DKIM alignment for the sending provider.

Third-party sender not configured

High

A CRM, marketing tool or transactional provider sends mail as your domain without aligned authentication.

Next step: Set up custom DKIM and provider-recommended SPF/Return-Path settings.

Strict alignment enabled too early

Medium

Strict alignment can fail mail that would pass under relaxed alignment.

Next step: Use relaxed alignment unless strict alignment is intentionally required.

Subdomain policy misunderstood

Low

Subdomains may have separate From domains and alignment behavior.

Next step: Review subdomain DMARC policy and provider configuration.

DMARC reports show alignment failures from unknown sources

Medium

Legitimate senders may not be configured correctly or unauthorized senders may be spoofing the domain.

Next step: Review aggregate reports and identify each sending source.

How to fix alignment

  1. Identify the sending provider

    Find which provider sent the message: mailbox provider, CRM, marketing platform, website form or transactional service.

  2. Check SPF alignment

    Review the Return-Path domain and compare it with the visible From domain.

  3. Check DKIM alignment

    Review the DKIM d= signing domain and compare it with the visible From domain.

  4. Enable custom DKIM

    For third-party providers, custom DKIM is often the most reliable alignment fix.

  5. Configure custom Return-Path if needed

    Some providers support a custom bounce or Return-Path domain that can align SPF.

  6. Keep DMARC at p=none while testing

    Do not move to quarantine or reject until legitimate senders align.

  7. Review DMARC reports

    Use aggregate reports to confirm which sources pass or fail alignment.
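
For step 7, an added Python example (not part of the original guide) that reads an aggregate report and lists sources where SPF or DKIM passed on a domain that did not align. SAMPLE_REPORT is constructed, triage is a hypothetical helper, and the report is assumed to use the RFC 7489 element names without an XML namespace.

```python
# Added example: find sources in a DMARC aggregate report whose SPF/DKIM pass
# but are not aligned. SAMPLE_REPORT is constructed; IPs are documentation ranges.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>mailservice.com</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>12</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>emailprovider.com</domain><result>pass</result></dkim>
   <spf><domain>mailservice.com</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>"""


def triage(report_xml):
    """Return one dict per record, flagging raw passes that did not align."""
    findings = []
    for rec in ET.fromstring(report_xml).iter("record"):
        # policy_evaluated holds the DMARC (aligned) result for each mechanism
        evaluated = rec.find("row/policy_evaluated")
        item = {"source_ip": rec.findtext("row/source_ip"),
                "count": int(rec.findtext("row/count")),
                "header_from": rec.findtext("identifiers/header_from"),
                "dmarc_pass": "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")),
                "unaligned_passes": []}
        for mech in ("dkim", "spf"):
            if evaluated.findtext(mech) == "pass":
                continue  # this mechanism passed and aligned
            # auth_results holds the raw SPF/DKIM result and the domain it covered
            for auth in rec.findall(f"auth_results/{mech}"):
                if auth.findtext("result") == "pass":
                    item["unaligned_passes"].append((mech, auth.findtext("domain")))
        findings.append(item)
    return findings
```

Aggregate reports arrive from external receivers, so treat the XML as untrusted input when parsing real ones.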

Alignment examples

Example 1: DKIM aligned
From: billing@example.com
DKIM d=example.com
DKIM result: pass
DMARC result: pass

Example 2: SPF passes but not aligned
From: billing@example.com
Return-Path: bounce@mailservice.com
SPF result: pass
DMARC SPF alignment: fail

Example 3: DKIM passes but not aligned
From: billing@example.com
DKIM d=emailprovider.com
DKIM result: pass
DMARC DKIM alignment: fail

Example 4: relaxed subdomain alignment
From: billing@example.com
DKIM d=mail.example.com
DKIM result: pass
DMARC result: pass under relaxed alignment

These examples are simplified. Real message headers may include multiple DKIM signatures and provider-specific Return-Path domains.
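
The alignment rules from this guide as an added Python example (not CheckDomainHealth's code). It goes beyond the four cases above by accepting several DKIM signatures per message; the function names are hypothetical, and PUBLIC_SUFFIXES is a small constructed stand-in for the real Public Suffix List, which a production check needs to find the organizational domain compared in relaxed mode.

```python
# Added example: DMARC identifier alignment (relaxed vs strict).
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
from email.utils import parseaddr

PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}  # constructed subset, not the real PSL


def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no suffix is known


def domain_of(address):
    """Domain part of an address such as 'Billing Team <billing@example.com>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def aligned(auth_domain, from_domain, mode):
    """mode 's' = exact match; mode 'r' = same organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(header_from, return_path, spf_result, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs is a list of (d= domain, result) pairs, one per signature."""
    from_domain = domain_of(header_from)
    # SPF counts only if it passed AND the Return-Path domain aligns
    spf_ok = spf_result == "pass" and aligned(domain_of(return_path), from_domain, aspf)
    # DKIM counts if any single signature both passed and aligns
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim) for d, res in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}
```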

Third-party senders

Third-party senders are the most common source of alignment problems. These include CRMs, newsletter platforms, billing tools, support desks and transactional email services.

  • Does it support custom DKIM?
  • Does it support a custom Return-Path or bounce domain?
  • Does it send using your visible From domain?
  • Does it pass DKIM alignment?
  • Does it appear in DMARC reports?

If a provider cannot align SPF, DKIM alignment may still allow DMARC to pass.

Frequently asked questions

Can SPF pass but DMARC fail?

Yes. SPF can pass while DMARC fails if the SPF-authenticated domain does not align with the visible From domain and DKIM does not pass with alignment either.

Can DKIM pass but DMARC fail?

Yes. DKIM can pass while DMARC fails if the DKIM signing domain does not align with the visible From domain and SPF does not pass with alignment either.

Does DMARC require both SPF and DKIM to pass?

No. DMARC can pass if either SPF or DKIM passes and aligns.

What is the visible From domain?

It is the domain users see in the From address, such as example.com in billing@example.com.

What is relaxed alignment?

Relaxed alignment allows subdomains to align with the parent domain, such as mail.example.com aligning with example.com.

How do I fix third-party sender alignment?

Enable custom DKIM and, if supported, configure a custom Return-Path or bounce domain.
