DMARC alignment: why SPF and DKIM pass but DMARC still fails
The most confusing line in any DMARC report: spf=pass dkim=pass dmarc=fail. It looks contradictory — both authentication methods passed! — but DMARC doesn't just ask "did something authenticate?" It asks "did the thing that authenticated match the domain in the From header the human sees?" That match is called alignment, and it's where most DMARC failures actually live.
Updated July 13, 2026
The three domains in every email
- The From header domain — what the recipient sees in their mail client. This is what DMARC protects.
- The envelope sender (Return-Path) — a hidden address used for bounces. SPF authenticates this one.
- The DKIM signing domain (the d= tag) — whoever cryptographically signed the message.
Spammers exploit the gap: send from their own envelope domain (their SPF passes), sign with their own DKIM key (their signature passes), but put your domain in the From header. Without alignment, that message "passes" everything while impersonating you. DMARC closes the gap by requiring the SPF domain or the DKIM d= domain to match the From domain.
Why your own ESP fails alignment
Most email services send with their own envelope domain by default — bounces go to something like bounce.esp-mail.com, so SPF authenticates the ESP's domain, not yours. SPF passes; SPF alignment fails. The fix is almost never SPF: it's turning on the ESP's custom DKIM (they sign with d=yourdomain.com) and/or a custom return-path/bounce domain. Every major ESP supports this — it's the "authenticate your domain" step in their settings. See our per-provider setup guides for the exact records.
Strict vs relaxed alignment
By default, alignment is relaxed: a subdomain match counts, so mail.yourdomain.com aligns with yourdomain.com. Strict mode (adkim=s / aspf=s) requires an exact match. Stay relaxed unless you have a specific threat model that demands strict — strict mode breaks legitimate subdomain senders for little practical gain.
How to find your alignment failures
They're all in your DMARC aggregate reports — every source IP, its SPF/DKIM results, and whether each aligned. Reading raw XML is miserable; this is exactly what HealthCheck Email automates: every sender labeled by name, with pass/fail and alignment split out, so "Klaviyo isn't DKIM-aligned" is a dashboard row instead of an archaeology project.