DMARC alignment fails when your authenticated domain doesn't match your From: header domain. SPF alignment requires the envelope From (Return-Path) domain to match the header From domain. DKIM alignment requires the d= domain in the DKIM signature to match. With relaxed alignment, subdomains count as matching. Fix by configuring custom envelope domains for SPF and ensuring [DKIM](/email-authentication/dkim-setup-guide) signs with your domain (not the ESP's domain).
DMARC Alignment Failure: SPF vs DKIM Alignment Fixes
Understanding DMARC Alignment
DMARC checks two things for each authentication method:
- Did authentication pass? (SPF pass, DKIM pass)
- Does the authenticated domain match the From: header domain? (alignment)
Both conditions must be met for a method to count. DMARC passes if at least one of SPF or DKIM both passes and aligns; it fails only when neither does.
SPF Alignment Explained
SPF authenticates: the domain of the envelope sender (RFC5321.MailFrom), which receivers record as the Return-Path. If the envelope sender is empty, as it is for bounce messages, the HELO/EHLO hostname is checked instead.
SPF aligns when: that Return-Path domain matches the From: header domain
Example - Aligned:
Return-Path: <bounces@yourdomain.com>
From: user@yourdomain.com
SPF is evaluated against the SPF record of yourdomain.com. If it passes, the authenticated domain is the From: domain, so SPF both passes and aligns.
Example - Not Aligned:
Return-Path: <bounces@sendgrid.net>
From: user@yourdomain.com
SPF is evaluated against sendgrid.net (the ESP's domain). Even if it passes, the authenticated domain is sendgrid.net, which does not align with yourdomain.com, so the pass counts for nothing in DMARC.
DKIM Alignment Explained
DKIM authenticates: The domain in the d= tag of the DKIM signature
DKIM aligns when: d= domain matches From: header domain
Example - Aligned:
DKIM-Signature: ... d=yourdomain.com; s=selector; ...
From: user@yourdomain.com
DKIM d= matches From: domain. Aligned.
Example - Not Aligned:
DKIM-Signature: ... d=sendgrid.net; s=smtpapi; ...
From: user@yourdomain.com
DKIM is for sendgrid.net, not yourdomain.com. Not aligned.
Relaxed vs Strict Alignment
Relaxed Alignment (Default)
With aspf=r (SPF) and adkim=r (DKIM):
- Subdomains align with parent domain
- Parent domain aligns with subdomains
| From Domain | Authenticated Domain | Aligned? |
|---|---|---|
| example.com | example.com | Yes |
| example.com | mail.example.com | Yes |
| mail.example.com | example.com | Yes |
| example.com | mail.other.com | No |
Strict Alignment
With aspf=s (SPF) and adkim=s (DKIM):
- Domains must match exactly
- Subdomains don't count
| From Domain | Authenticated Domain | Aligned? |
|---|---|---|
| example.com | example.com | Yes |
| example.com | mail.example.com | No |
| mail.example.com | mail.example.com | Yes |
Practitioner note: I've never seen a legitimate reason to use strict alignment. It breaks things without adding meaningful security. Use relaxed unless you have a very specific compliance requirement.
Fixing SPF Alignment
Option 1: Custom Return-Path Domain
Most ESPs allow you to configure a custom envelope/Return-Path domain:
- In ESP settings: Find "Bounce Domain," "Return-Path," "Envelope Domain," or "Mail-From Domain"
- Add DNS record: Usually a CNAME on a subdomain of yours (bounces.yourdomain.com, say) pointing at a hostname the ESP gives you. Because a CNAME redirects every record type, that subdomain inherits the ESP's SPF and MX records, so SPF still passes and bounces still route to the ESP.
- Verify in ESP: They'll confirm the record is correct
Example for SendGrid:
DNS: em1234.yourdomain.com CNAME (the sendgrid.net hostname SendGrid shows you in the dashboard)
Now the Return-Path domain becomes em1234.yourdomain.com (SendGrid generates the local part).
Under relaxed alignment that aligns with a From: address at yourdomain.com, because both share the organizational domain yourdomain.com. Under strict alignment it would not: a bounce subdomain like this is the usual reason strict alignment breaks ESP mail.
Option 2: Don't Rely on SPF Alignment
If a custom Return-Path isn't available, focus on DKIM alignment instead. DMARC needs only one method to both pass and align.
For many third-party senders, DKIM is the only realistic path to alignment anyway.
Fixing DKIM Alignment
Step 1: Configure Custom DKIM
In your ESP dashboard:
- Navigate to sending domains or authentication settings
- Add your domain for DKIM signing
- Get the DKIM key (usually a long TXT record value)
Step 2: Publish DNS Record
Add the record they provide:
TXT Record (direct key):
selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjAN..."
A 2048-bit key makes the TXT value longer than the 255-byte limit of a single DNS character string, so it has to be entered as two or more quoted strings. Most DNS providers split it for you, some silently truncate; query the published record (dig TXT selector._domainkey.yourdomain.com) before you test.
CNAME Record (points to ESP's key):
selector._domainkey.yourdomain.com CNAME selector._domainkey.esp.com
With the CNAME, the ESP hosts and rotates the key, but the signature still carries d=yourdomain.com because the ESP signs on behalf of your domain; the CNAME only tells verifiers where to fetch the public key. What you give up is control: whoever controls the target name decides which keys verify for that selector.
Step 3: Verify
- ESP dashboard shows domain as "verified" or "authenticated"
- Send a test email
- Check the Authentication-Results header for dkim=pass header.d=yourdomain.com
Common Alignment Mistakes
Mistake 1: Only Adding SPF Include
Adding include:sendgrid.net to your SPF record doesn't create alignment. SPF evaluates the Return-Path domain, which is still sendgrid.net unless you configure a custom Return-Path, so your record is never even consulted for that mail.
Wrong assumption: "I added their SPF include, so I'm good." Reality: SPF passes for their domain, which doesn't align with yours.
Mistake 2: Using ESP's Default DKIM
If you don't configure custom DKIM, many ESPs sign with their domain by default. That signature passes but doesn't align.
Wrong assumption: "DKIM shows as pass, so I'm good" Reality: Check what domain passed — it's probably theirs
Mistake 3: Subdomain Confusion with Strict Alignment
If your policy has aspf=s and adkim=s and you send from marketing.example.com:
- DKIM d=example.com → Not aligned
- Return-Path at bounces.example.com → Not aligned
Strict alignment wants the authenticated domain to be exactly marketing.example.com, so the ESP would have to sign with d=marketing.example.com and use a Return-Path on marketing.example.com itself.
Fix: use relaxed alignment unless you have a concrete reason to stay strict. The one common reason is isolation: if third parties send from delegated subdomains, strict alignment stops a compromised vendor (or a leaked subdomain DKIM key) from producing DMARC-passing mail with a From: address at the apex domain. If that matters to you, give each subdomain its own DKIM selector and Return-Path instead of relaxing.
ESP-Specific Fixes
SendGrid
- Domain Authentication adds DKIM with your domain and sets up the custom Return-Path (em####.yourdomain.com) in the same step
- Link Branding only rebrands click- and open-tracking links; it has no effect on alignment
- Both are done with CNAME records
Mailgun
- Add sending domain in dashboard
- Add DKIM records (TXT or CNAME)
- The Return-Path uses the sending domain itself, so SPF aligns once the domain is verified and its SPF include is published; the tracking CNAME is for click/open tracking, not bounces
Mailchimp
- Domain authentication under Settings > Verified domains
- Add DKIM CNAME record
- Custom Return-Path available on some plans
Postmark
- DKIM configured per sending domain
- Custom Return-Path via CNAME
- One of the easiest setups
Klaviyo
- Dedicated sending domain (paid plans)
- DKIM via DNS records
- Custom bounce domain available
Practitioner note: Every ESP does this differently. Some call it "domain authentication," others "verified domains," others "sending domains." The documentation quality varies wildly. If you can't find it, contact their support.
Checking Your Alignment
Method 1: DMARC Reports
In DMARC aggregate reports, look at the two result blocks in each record:
<policy_evaluated>
  <disposition>none</disposition>
  <dkim>pass</dkim>
  <spf>fail</spf>
</policy_evaluated>
<auth_results>
  <dkim>
    <domain>yourdomain.com</domain>
    <result>pass</result>
  </dkim>
  <spf>
    <domain>esp.com</domain>
    <result>pass</result>
  </spf>
</auth_results>
The two blocks tell different stories on purpose. auth_results holds the raw results: DKIM passed for yourdomain.com and SPF passed for esp.com. policy_evaluated holds the DMARC view, which is alignment-aware: DKIM passed and aligned, while SPF passed only for esp.com, which doesn't align with yourdomain.com, so DMARC records it as fail. A method that is pass in auth_results but fail in policy_evaluated is the signature of an alignment problem.
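To run that comparison over a whole report instead of reading one record by eye, here is an added example (written for this page, not code from the original article or from any report-processing tool). It parses a constructed, deliberately minimal aggregate report with Python's standard-library XML parser and flags every method that is pass in auth_results but not pass in policy_evaluated. The report, its IPs and its domains are all made up.

```python
"""Flag "passed but not aligned" sources in a DMARC aggregate report.

Added example, not code from the original page.  SAMPLE_REPORT is a
constructed minimal report in the RFC 7489 Appendix C layout; real reports
arrive as gzip/zip attachments with many <record> elements.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-receiver.net</org_name>
    <report_id>12345</report_id>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>120</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>esp.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>15</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.com</domain><result>pass</result></dkim>
      <spf><domain>esp.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def analyze_report(xml_text: str) -> list:
    """One finding per <record>: the DMARC verdict plus every method that
    passed for some domain (auth_results) yet failed DMARC (policy_evaluated).
    That combination can only mean the passing domain did not align."""
    root = ET.fromstring(xml_text)
    findings = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        verdicts = (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        finding = {
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # DMARC passes if either aligned identifier passed.
            "dmarc": "pass" if "pass" in verdicts else "fail",
            "unaligned": [],
        }
        for method in ("dkim", "spf"):
            for auth in rec.findall(f"auth_results/{method}"):
                raw_pass = auth.findtext("result") == "pass"
                if raw_pass and evaluated.findtext(method) != "pass":
                    finding["unaligned"].append((method, auth.findtext("domain")))
        findings.append(finding)
    return findings


def describe(findings: list) -> list:
    """Human-readable one-liners, one per source IP."""
    lines = []
    for f in findings:
        why = "; ".join(
            f"{method} passed for {domain} but did not align with {f['header_from']}"
            for method, domain in f["unaligned"]
        )
        line = f"{f['source_ip']}: {f['count']} msgs, DMARC {f['dmarc']}"
        lines.append(line + (f" ({why})" if why else ""))
    return lines


if __name__ == "__main__":
    for line in describe(analyze_report(SAMPLE_REPORT)):
        print(line)
```

The second record is the one to act on: it passes nothing, and both raw results name esp.com, which is the "ESP default DKIM plus ESP Return-Path" pattern this page is about. Sort real findings by count descending and the misconfigured senders float to the top.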
Method 2: Email Headers
Check Authentication-Results header:
Authentication-Results: mx.google.com;
dkim=pass header.d=yourdomain.com;
spf=pass smtp.mailfrom=bounces.esp.com;
dmarc=pass header.from=yourdomain.com
header.d= (DKIM) and smtp.mailfrom= (SPF) show which domains were authenticated; compare each against header.from=. Gmail reports smtp.mailfrom as a bare domain, but some receivers report the full envelope address, so take the part after the @. header.i= (the DKIM i= tag) is informational only; alignment is decided on d=.
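The relaxed and strict rules from the alignment tables above and this header check fit in one script. What follows is an added example written for this page, not code from the original article or from Google: it parses an Authentication-Results header, pulls header.d= and smtp.mailfrom= out of it, and decides alignment in both modes. The tiny PUBLIC_SUFFIXES set is a stand-in for the real Public Suffix List, and both sample headers are constructed, with placeholder domains, selectors and signature values.

```python
"""Parse an Authentication-Results header and evaluate DMARC identifier alignment.

Added example, not code from the original page or from any ESP.  Assumptions:
  - PUBLIC_SUFFIXES is a five-entry stand-in for the Public Suffix List that
    real receivers use to find the organizational domain.
  - The two sample headers are constructed, modelled on the Gmail header
    shown above; domains, selectors and header.b values are placeholders.
"""
import re

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}


def organizational_domain(domain: str) -> str:
    """mail.example.com -> example.com, mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def is_aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """RFC 7489 section 3.1: strict ('s') is an exact match; relaxed ('r')
    compares organizational domains, so parent and subdomain align both ways."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


METHOD = re.compile(r"(?P<method>[a-z0-9-]+)=(?P<result>[a-z]+)(?P<props>[^;]*)")
PROP = re.compile(r"\b([a-z]+\.[a-z]+)=(\S+)")


def parse_authentication_results(header: str) -> dict:
    """{"dkim": [{"result": "pass", "header.d": ...}, ...], "spf": [...], ...}.
    Copes with folded lines, several DKIM signatures, and (...) comments."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header.strip())
    if unfolded.lower().startswith("authentication-results:"):
        unfolded = unfolded.split(":", 1)[1]
    results = {}
    # The first ';'-separated field is the authserv-id (mx.google.com); skip it.
    for chunk in unfolded.split(";")[1:]:
        m = METHOD.match(chunk.strip())
        if not m:
            continue
        entry = {"result": m.group("result")}
        for key, value in PROP.findall(m.group("props")):
            entry[key] = value.strip('"<>)')
        results.setdefault(m.group("method"), []).append(entry)
    return results


def evaluate_dmarc(header: str, from_domain: str, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes when at least one identifier both passes and aligns."""
    ar = parse_authentication_results(header)
    # smtp.mailfrom may be a bare domain (Gmail) or a full address: keep the domain.
    spf = any(
        e["result"] == "pass" and is_aligned(from_domain, e["smtp.mailfrom"].split("@")[-1], aspf)
        for e in ar.get("spf", []) if "smtp.mailfrom" in e
    )
    dkim = any(
        e["result"] == "pass" and is_aligned(from_domain, e["header.d"], adkim)
        for e in ar.get("dkim", []) if "header.d" in e
    )
    return {"spf_aligned": spf, "dkim_aligned": dkim, "dmarc": "pass" if spf or dkim else "fail"}


# Constructed sample 1: DKIM signed with your domain, SPF only for the ESP's bounce domain.
SAMPLE_DKIM_ALIGNED = """Authentication-Results: mx.google.com;
       dkim=pass header.d=yourdomain.com header.s=s1 header.b=abc123;
       spf=pass (google.com: domain of bounces@bounces.esp.com designates 203.0.113.5 as permitted sender) smtp.mailfrom=bounces@bounces.esp.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com"""

# Constructed sample 2: the ESP's default DKIM, but a custom Return-Path on your subdomain.
SAMPLE_SPF_ALIGNED = """Authentication-Results: mx.google.com;
       dkim=pass header.d=esp.com header.s=smtpapi header.b=def456;
       spf=pass smtp.mailfrom=bounces.yourdomain.com;
       dmarc=pass header.from=yourdomain.com"""

if __name__ == "__main__":
    for name, hdr in (("sample 1", SAMPLE_DKIM_ALIGNED), ("sample 2", SAMPLE_SPF_ALIGNED)):
        print(name, "relaxed:", evaluate_dmarc(hdr, "yourdomain.com"))
        print(name, "strict: ", evaluate_dmarc(hdr, "yourdomain.com", aspf="s", adkim="s"))
```

Run as-is, sample 1 passes only through DKIM and sample 2 only through SPF; switch sample 2 to strict and it fails, which is the Mistake 3 scenario in one line of output. For anything beyond a quick check, replace the five-entry set with a library that ships the full Public Suffix List (tldextract, for instance); the stand-in will misjudge domains under suffixes it doesn't know.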
Testing Alignment
- Send an email to a Gmail address
- Open the email and click "Show original" (three dots menu)
- Look for the Authentication-Results header
- Verify:
  - DKIM shows header.d=yourdomain.com
  - SPF shows smtp.mailfrom=yourdomain.com (or a subdomain of it)
  - DMARC shows dmarc=pass
If you're still seeing alignment failures after configuring custom DKIM and Return-Path, schedule a consultation — I'll audit your setup and fix the configuration.
Sources
- RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC), Section 3.1, Identifier Alignment
- dmarcian: Understanding Alignment
- Google: DMARC alignment
- SendGrid: Domain Authentication
v1.0 · March 2026
Frequently Asked Questions
What is DMARC alignment?
Alignment means the domain used in authentication matches the domain in your From: header. For SPF, it's Return-Path domain matching From: domain. For DKIM, it's the d= domain matching From: domain.
What's the difference between relaxed and strict alignment?
Relaxed alignment (default) allows subdomains to match — mail.example.com aligns with example.com. Strict alignment requires exact domain matches. Most domains should use relaxed.
Why does SPF pass but DMARC fail?
SPF authenticates the envelope (Return-Path) domain, which is often your ESP's domain, not yours. Even though SPF passes for that domain, it doesn't align with your From: domain, so DMARC fails.
How do I fix SPF alignment?
Configure a custom Return-Path domain (also called envelope domain, bounce domain, or mail-from) in your ESP that uses your domain or subdomain, like bounces.yourdomain.com.
How do I fix DKIM alignment?
Configure DKIM in your ESP to sign with your domain. Add the public key they provide to your DNS. The DKIM d= value must be your domain or, with relaxed alignment, a subdomain of it; strict alignment requires an exact match with the From: domain.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.