DMARC alignment: why SPF and DKIM pass but DMARC still fails

The most confusing line in any DMARC report: spf=pass dkim=pass dmarc=fail. It looks contradictory — both authentication methods passed! — but DMARC doesn't just ask "did something authenticate?" It asks "did the thing that authenticated match the domain in the From header the human sees?" That match is called alignment, and it's where most DMARC failures actually live.

Updated July 13, 2026

The three domains in every email

  • The From header domain — what the recipient sees in their mail client. This is what DMARC protects.
  • The envelope sender (Return-Path) — a hidden address used for bounces. SPF authenticates this one.
  • The DKIM signing domain (the d= tag) — whoever cryptographically signed the message.

Spammers exploit the gap: send from their own envelope domain (their SPF passes), sign with their own DKIM key (their signature passes), but put your domain in the From header. Without alignment, that message "passes" everything while impersonating you. DMARC closes the gap by requiring the SPF domain or the DKIM d= domain to match the From domain.

Why your own ESP fails alignment

Most email services send with their own envelope domain by default — bounces go to something like bounce.esp-mail.com, so SPF authenticates the ESP's domain, not yours. SPF passes; SPF alignment fails. The fix is almost never SPF: it's turning on the ESP's custom DKIM (they sign with d=yourdomain.com) and/or a custom return-path/bounce domain. Every major ESP supports this — it's the "authenticate your domain" step in their settings. See our per-provider setup guides for the exact records.

Strict vs relaxed alignment

By default, alignment is relaxed: a subdomain match counts, so mail.yourdomain.com aligns with yourdomain.com. Strict mode (adkim=s / aspf=s) requires an exact match. Stay relaxed unless you have a specific threat model that demands strict — strict mode breaks legitimate subdomain senders for little practical gain.

How to find your alignment failures

They're all in your DMARC aggregate reports — every source IP, its SPF/DKIM results, and whether each aligned. Reading raw XML is miserable; this is exactly what HealthCheck Email automates: every sender labeled by name, with pass/fail and alignment split out, so "Klaviyo isn't DKIM-aligned" is a dashboard row instead of an archaeology project.

Common questions

Does DMARC need both SPF and DKIM aligned?+

No — one is enough. A message passes DMARC if either SPF or DKIM passes with alignment. That's also why DKIM matters more in practice: DKIM signatures survive forwarding while SPF breaks, so an aligned DKIM signature keeps forwarded mail passing.

What does 'auth=pass, dmarc=fail' in Gmail's headers mean?+

Authentication succeeded for some domain — just not yours. Check which domain SPF and DKIM actually evaluated (the Return-Path and the d= tag). If they're your ESP's domains, you need to enable custom domain authentication in that ESP.

Can I fix alignment by adding the ESP's include to my SPF?+

Adding the include authorizes their servers, but it doesn't change which domain their bounces use — envelope alignment is set by the ESP's return-path, not by your SPF record. The reliable fix is custom DKIM (d=yourdomain), with a custom bounce domain as a bonus.