DMARC passes when at least one mechanism, SPF or DKIM, both passes authentication AND aligns with the From domain. There are multiple combinations: both pass and align (ideal), only DKIM aligns (common with ESPs), only SPF aligns (fragile), or neither aligns (DMARC fails). Understanding each combination helps you diagnose failures and prioritize fixes.
The DMARC Authentication Matrix: All SPF/DKIM/DMARC Result Combinations
The Complete Matrix
Here's every meaningful combination of SPF and DKIM results and how DMARC evaluates them:
| SPF | SPF Aligned? | DKIM | DKIM Aligned? | DMARC Result |
|---|---|---|---|---|
| Pass | Yes | Pass | Yes | Pass (ideal) |
| Pass | Yes | Pass | No | Pass (via SPF) |
| Pass | Yes | Fail | - | Pass (via SPF) |
| Pass | Yes | None | - | Pass (via SPF) |
| Pass | No | Pass | Yes | Pass (via DKIM) |
| Fail | - | Pass | Yes | Pass (via DKIM) |
| None | - | Pass | Yes | Pass (via DKIM) |
| Pass | No | Pass | No | Fail |
| Pass | No | Fail | - | Fail |
| Fail | - | Fail | - | Fail |
| Fail | - | Pass | No | Fail |
| None | - | None | - | Fail |
The key insight: authentication alone isn't enough — alignment is required.
The Ideal State
SPF: pass (aligned)
DKIM: pass (aligned)
DMARC: pass
Both SPF and DKIM pass and align. If SPF breaks during forwarding, DKIM still provides alignment. If DKIM breaks due to body modification, SPF can still cover you (for non-forwarded messages).
This is what you're aiming for with every sending service.
Practitioner note: I won't sign off on a client's authentication setup until every sender hits this ideal state. Having both SPF and DKIM aligned means you're resilient to the two most common failure scenarios — forwarding and body modification.
Common Real-World Scenarios
ESP with Custom DKIM, Default Return-Path
SPF: pass (NOT aligned — Return-Path is esp-domain.com)
DKIM: pass (aligned — d=yourdomain.com)
DMARC: pass (via DKIM)
This is the most common setup. Your ESP signs with your domain's DKIM key but uses their own Return-Path. DMARC passes via DKIM alignment.
ESP with No Custom Authentication
SPF: pass (NOT aligned — Return-Path is esp-domain.com)
DKIM: pass (NOT aligned — d=esp-domain.com)
DMARC: fail
Neither SPF nor DKIM aligns with your From domain. This is what happens when you skip domain authentication in your ESP.
Forwarded Email with DKIM
SPF: fail (forwarding server IP not in your SPF)
DKIM: pass (aligned — body wasn't modified)
DMARC: pass (via DKIM)
DKIM saves the day. This is exactly why you need DKIM configured — it survives forwarding.
Forwarded Email Without DKIM
SPF: fail (forwarding server IP not in your SPF)
DKIM: none (never signed)
DMARC: fail
Nothing to fall back on. The message fails DMARC.
Practitioner note: When I audit a domain and see DMARC passing only via SPF alignment with no DKIM, I flag it as urgent. That setup is one forwarding hop away from total failure. Get DKIM configured before it becomes a problem.
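To check the matrix and the scenarios above mechanically, the following added example (not code from the original article) reads a receiver's Authentication-Results header value and returns the matching matrix result. It goes slightly beyond the page by supporting strict as well as relaxed alignment. Assumptions: the two-label organizational-domain shortcut, the receiver name mx.receiver.example, and all function names are illustrative.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators use
    # the Public Suffix List, so this is wrong for names such as example.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment needs an exact match; relaxed compares organizational domains.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_auth_results(header):
    """Return ((spf_result, domain), [(dkim_result, domain), ...]) from one
    Authentication-Results value. Simplified: splits on ';' only."""
    spf, dkim = ("none", None), []
    for clause in header.split(";")[1:]:  # first element is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1), m.group(2).lower()
        prop = "smtp.mailfrom" if method == "spf" else "header.d"
        d = re.search(re.escape(prop) + r"=(\S+)", clause)
        domain = d.group(1).split("@")[-1] if d else None
        if method == "spf":
            spf = (result, domain)
        else:
            dkim.append((result, domain))
    return spf, dkim

def dmarc_verdict(from_domain, header, strict=False):
    """Map one message onto the matrix: a mechanism counts only if it passes AND aligns."""
    (spf_res, spf_dom), dkim = parse_auth_results(header)
    spf_ok = spf_res == "pass" and bool(spf_dom) and aligned(spf_dom, from_domain, strict)
    dkim_ok = any(r == "pass" and d and aligned(d, from_domain, strict) for r, d in dkim)
    if spf_ok and dkim_ok:
        return "Pass (ideal)"
    if dkim_ok:
        return "Pass (via DKIM)"
    return "Pass (via SPF)" if spf_ok else "Fail"

# Constructed header values modelled on the scenarios above (receiver name is made up).
SAMPLES = {
    "custom DKIM": "mx.receiver.example; spf=pass smtp.mailfrom=bounce.esp-domain.com; dkim=pass header.d=yourdomain.com",
    "no custom auth": "mx.receiver.example; spf=pass smtp.mailfrom=bounce.esp-domain.com; dkim=pass header.d=esp-domain.com",
    "forwarded, no DKIM": "mx.receiver.example; spf=fail smtp.mailfrom=yourdomain.com",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name}: {dmarc_verdict('yourdomain.com', header)}")
```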
What to Prioritize
- Set up DKIM alignment for every sender — this is the most resilient authentication method
- Set up SPF alignment where possible — provides redundancy
- Don't rely on SPF alone — it breaks during forwarding
- Monitor with DMARC reports — catch alignment failures early
If you need help mapping every sender to the right authentication configuration, I can audit your entire sending infrastructure.
v1.0 · April 2026
Frequently Asked Questions
Does DMARC need both SPF and DKIM to pass?
No. DMARC passes if either SPF or DKIM passes and aligns. You don't need both, though having both provides redundancy.
What if SPF passes but doesn't align?
DMARC ignores it. SPF authentication without alignment doesn't count toward DMARC. This happens when a third-party sender uses their own Return-Path domain.
What's the ideal authentication result?
SPF pass + aligned, DKIM pass + aligned, DMARC pass. This gives you full redundancy — if one fails (e.g., during forwarding), the other still passes DMARC.
What does SPF pass, DKIM fail, DMARC pass mean?
SPF passed and aligned with the From domain, so DMARC passes via SPF even though DKIM failed. This works but is fragile — forwarding will break it.
What does SPF fail, DKIM pass, DMARC pass mean?
DKIM passed and aligned with the From domain, so DMARC passes via DKIM. This is common and perfectly fine — DKIM is actually more reliable than SPF for alignment.