DMARC Alignment Explained: SPF and DKIM Alignment Requirements
Understand how DMARC alignment works, the difference between strict and relaxed alignment for SPF and DKIM, and how to fix alignment failures.
DMARC alignment is one of the most misunderstood aspects of email authentication. You can have valid SPF and DKIM, yet still fail DMARC because of alignment issues. This guide explains what alignment means and how to get it right.
What Is DMARC Alignment?
DMARC alignment requires that the domain used in authentication (SPF or DKIM) matches the domain in the "From" header that users see, either exactly or, in relaxed mode, at the organizational-domain level.
The key question: Does the authenticated domain relate to the domain claiming to send the email?
DMARC passes when at least one of SPF or DKIM passes AND aligns with the From domain.
The Three Domains in Email
Understanding alignment requires knowing these three domains:
1. From Header Domain (RFC5322.From)
The domain in the "From:" header that recipients see:
From: sender@example.com
Domain: example.com
2. Return-Path Domain (RFC5321.MailFrom)
The envelope sender, used for bounces (checked by SPF):
Return-Path: bounces@mail.example.com
Domain: mail.example.com
3. DKIM Signing Domain (d= tag)
The domain in the DKIM signature:
DKIM-Signature: ... d=example.com; s=selector1; ...
Domain: example.com
How Alignment Works
SPF Alignment
SPF alignment compares:
- From header domain (what users see)
- Return-Path domain (envelope sender)
| From Domain | Return-Path Domain | Relaxed | Strict |
|---|---|---|---|
| example.com | example.com | ✅ Pass | ✅ Pass |
| example.com | mail.example.com | ✅ Pass | ❌ Fail |
| example.com | other.com | ❌ Fail | ❌ Fail |
DKIM Alignment
DKIM alignment compares:
- From header domain (what users see)
- DKIM d= domain (signing domain)
| From Domain | DKIM d= Domain | Relaxed | Strict |
|---|---|---|---|
| example.com | example.com | ✅ Pass | ✅ Pass |
| example.com | mail.example.com | ✅ Pass | ❌ Fail |
| example.com | other.com | ❌ Fail | ❌ Fail |
Relaxed vs Strict Alignment
DMARC records can specify alignment mode:
- aspf=r (relaxed SPF alignment) — Default
- aspf=s (strict SPF alignment)
- adkim=r (relaxed DKIM alignment) — Default
- adkim=s (strict DKIM alignment)
Relaxed Alignment (Default)
Domains must share the same organizational domain, so subdomains are allowed. The organizational domain is the registrable domain determined using the public suffix list (for example, mail.example.com and example.com both have the organizational domain example.com).
From: user@example.com
Return-Path: bounces@mail.example.com
Relaxed result: ✅ Aligned (both share example.com)
Strict Alignment
Domains must match exactly. No subdomains allowed.
From: user@example.com
Return-Path: bounces@mail.example.com
Strict result: ❌ Not aligned (example.com ≠ mail.example.com)
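The two alignment modes and the DMARC pass rule above, as an added example that is not code from the original article. It evaluates a message from the three domains described earlier (From, Return-Path, DKIM d=) and reads the aspf/adkim tags from a DMARC record, defaulting to relaxed when they are omitted. One assumption to note: the organizational domain is approximated as the last two DNS labels, whereas a real implementation must use the Public Suffix List so that names like example.co.uk are handled correctly.

```python
# Added example (not from the original article): evaluate DMARC alignment.
# Assumption: organizational domain is approximated as the last two labels;
# a production implementation uses the Public Suffix List instead.
from dataclasses import dataclass
from typing import Optional


def organizational_domain(domain: str) -> str:
    """Return the registrable domain, approximated as the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    if mode == "r":
        return organizational_domain(f) == organizational_domain(a)
    raise ValueError(f"unknown alignment mode {mode!r}")


def parse_dmarc_record(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class AuthResult:
    from_domain: str            # RFC5322.From domain (what users see)
    spf_domain: Optional[str]   # RFC5321.MailFrom / Return-Path domain
    spf_pass: bool              # raw SPF result
    dkim_domain: Optional[str]  # DKIM d= tag of the signature that verified
    dkim_pass: bool             # raw DKIM result


def evaluate_dmarc(r: AuthResult, record: str) -> dict:
    """DMARC passes if at least one of SPF or DKIM both passes and aligns."""
    tags = parse_dmarc_record(record)
    aspf = tags.get("aspf", "r")    # omitted tags default to relaxed
    adkim = tags.get("adkim", "r")
    spf_aligned = bool(
        r.spf_domain and r.spf_pass and is_aligned(r.from_domain, r.spf_domain, aspf)
    )
    dkim_aligned = bool(
        r.dkim_domain and r.dkim_pass and is_aligned(r.from_domain, r.dkim_domain, adkim)
    )
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    # Third-party ESP: SPF domain is the provider's, DKIM signed with the From domain.
    esp = AuthResult("yourapp.com", "us-west-2.amazonses.com", True, "yourapp.com", True)
    print(evaluate_dmarc(esp, record))                # DKIM aligned -> pass
    # Subdomain Return-Path: passes under relaxed SPF alignment, fails under strict.
    sub = AuthResult("example.com", "mail.example.com", True, None, False)
    print(evaluate_dmarc(sub, record))                # pass
    print(evaluate_dmarc(sub, record + "; aspf=s"))   # fail
```

The same function reproduces every row of the two alignment tables: change the mode argument of is_aligned from "r" to "s" and the subdomain case flips from pass to fail, while the unrelated-domain case fails in both modes.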
Common Alignment Failures
Third-Party Sending Services
When using services like Mailchimp or SendGrid, they often use their own domain for Return-Path:
From: newsletter@yourcompany.com
Return-Path: bounce-mc.us5.12345@mail234.suw41.mcdlv.net
SPF alignment: ❌ Fails (yourcompany.com vs mcdlv.net)
Solution: These services should provide DKIM signing with your domain, which can align instead.
Transactional Email Services
From: noreply@yourapp.com
Return-Path: 0101abc@us-west-2.amazonses.com
DKIM d=yourapp.com
SPF alignment: ❌ Fails (yourapp.com vs amazonses.com)
DKIM alignment: ✅ Passes (yourapp.com = yourapp.com)
DMARC result: ✅ Passes (DKIM aligned)
Forwarded Email
When email is forwarded, SPF typically breaks because the forwarder's IP is not listed in the original domain's SPF record. DKIM usually survives if the message body and signed headers are not modified in transit.
Original From: sender@example.com
After forwarding:
- SPF: ❌ Fails (checked against forwarder's IP)
- DKIM: ✅ Passes (if signature intact)
Checking Your Alignment
In Email Headers
Look for the Authentication-Results header:
Authentication-Results: mx.google.com;
dkim=pass header.i=@example.com header.s=selector1;
spf=pass (domain of bounces@example.com designates IP as permitted);
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
Key fields:
- header.i=@example.com: DKIM signing domain
- domain of bounces@example.com: SPF domain (Return-Path)
- header.from=example.com: From domain
In DMARC Reports
DMARC aggregate reports show alignment results:
<row>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<auth_results>
<dkim>
<domain>example.com</domain>
<result>pass</result>
</dkim>
<spf>
<domain>sendgrid.net</domain>
<result>pass</result>
</spf>
</auth_results>
In this example:
- DKIM passed and aligned (example.com)
- SPF passed but didn't align (sendgrid.net ≠ example.com)
- DMARC passed via DKIM alignment
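Reading alignment out of an aggregate report by hand does not scale once several sending services are in play. The following is an added example, not code from the original article: it parses a small constructed rua report (the same <feedback>/<record>/<row>/<auth_results> layout as real reports), applies the relaxed or strict mode from <policy_published>, and explains per source IP why DMARC passed or failed. As above, the organizational domain is approximated by the last two labels; a real tool should use the Public Suffix List.

```python
# Added example (not from the original article): explain DMARC aggregate report rows.
# SAMPLE_REPORT is constructed for this example; real reports arrive as
# gzip/zip attachments containing the same XML structure.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver</org_name>
    <report_id>constructed-report-1</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>sendgrid.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>other.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _org(domain: str) -> str:
    # Assumption: last two labels approximate the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def _aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return _org(from_domain) == _org(auth_domain)


def analyze_report(xml_text: str) -> list:
    """Return one dict per <record> with alignment verdicts and reasons."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    aspf = published.findtext("aspf", "r")
    adkim = published.findtext("adkim", "r")
    out = []
    for rec in root.iter("record"):
        header_from = rec.findtext("identifiers/header_from")
        row = rec.find("row")
        auth = rec.find("auth_results")
        spf_aligned = dkim_aligned = False
        reasons = []
        for spf in auth.findall("spf"):
            d, res = spf.findtext("domain"), spf.findtext("result")
            if res == "pass" and _aligned(header_from, d, aspf):
                spf_aligned = True
            elif res == "pass":
                reasons.append(f"SPF passed for {d} but does not align with {header_from}")
            else:
                reasons.append(f"SPF {res} for {d}")
        for dkim in auth.findall("dkim"):
            d, res = dkim.findtext("domain"), dkim.findtext("result")
            if res == "pass" and _aligned(header_from, d, adkim):
                dkim_aligned = True
            elif res == "pass":
                reasons.append(f"DKIM passed for d={d} but does not align with {header_from}")
            else:
                reasons.append(f"DKIM {res} for d={d}")
        if auth.find("dkim") is None:
            reasons.append("no DKIM signature")
        out.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": header_from,
            "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
            "disposition": row.findtext("policy_evaluated/disposition"),
            "reasons": reasons,
        })
    return out


if __name__ == "__main__":
    for r in analyze_report(SAMPLE_REPORT):
        print(r["source_ip"], r["count"], r["dmarc"], "; ".join(r["reasons"]))
```

The first record is the SendGrid case from the article: SPF passed for sendgrid.net but is not aligned, DKIM aligned, DMARC passed. The second record is an unrelated source with no DKIM signature and an SPF domain that does not align, so it fails and is rejected under p=reject; that is the kind of row to investigate before tightening alignment settings.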
Fixing Alignment Issues
1. Identify which authentication is misaligned
Check DMARC reports or email headers to see which mechanism fails alignment.
2. Configure custom domains with your ESP
Most email services let you set custom Return-Path and DKIM signing domains.
3. Use subdomains for different mail types
marketing.example.com for marketing, app.example.com for transactional, etc.
4. Consider relaxed alignment if strict isn't necessary
Most domains work fine with the default relaxed alignment.
Setting Up Custom Domains
For SPF Alignment
Configure a custom Return-Path domain with your email service:
- SendGrid: Set up domain authentication
- Mailchimp: Set up custom email domain
- Amazon SES: Configure custom MAIL FROM domain
For DKIM Alignment
Most services allow DKIM signing with your domain:
- SendGrid: Add CNAME records for DKIM
- Mailchimp: Add CNAME records for DKIM
- Amazon SES: Add TXT record for DKIM key
After setup:
From: user@example.com
Return-Path: bounces@bounce.example.com
DKIM d=example.com
Both SPF and DKIM align with example.com.
When to Use Strict Alignment
Strict alignment (aspf=s or adkim=s) is rarely necessary:
Consider strict alignment if:
- You have strict security requirements
- You need to prevent subdomain spoofing
- Regulatory compliance requires it
Avoid strict alignment if:
- You use many subdomains
- You haven't audited all sending sources
- You use third-party services extensively
Switching to strict alignment without preparation will likely break legitimate email. Test thoroughly first.
DMARC Record Alignment Settings
A typical DMARC record with explicit alignment settings:
v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@example.com
| Tag | Setting | Meaning |
|---|---|---|
| aspf=r | Relaxed SPF | Subdomain SPF alignment allowed |
| aspf=s | Strict SPF | Exact domain match required |
| adkim=r | Relaxed DKIM | Subdomain DKIM alignment allowed |
| adkim=s | Strict DKIM | Exact domain match required |
If omitted, both default to relaxed (r).
Alignment Troubleshooting Checklist
| Symptom | Likely Cause | Solution |
|---|---|---|
| SPF passes but DMARC fails | SPF domain doesn't match From | Configure custom Return-Path or rely on DKIM |
| DKIM passes but DMARC fails | DKIM d= domain doesn't match From | Configure DKIM signing with your domain |
| Both pass but DMARC fails | Neither aligns with From domain | Configure custom domains for both |
| Works for some emails, not others | Different services with different configs | Audit all sending sources |
DMARC alignment ensures that authenticated email actually comes from who it claims to be from. Understanding and properly configuring alignment is essential for passing DMARC and maintaining good email deliverability.