You check your email headers. SPF shows pass. DKIM shows pass. But DMARC shows fail. How is that possible?
The answer is alignment. DMARC does not just check whether SPF or DKIM passed. It checks whether they passed for the right domain, specifically the domain in your From header.
What alignment means
When you send email, multiple domain identifiers are in play:
- The visible From address (what your recipient sees)
- The Return-Path or envelope sender (used by SPF)
- The d= domain in the DKIM-Signature header (used by DKIM)
DMARC requires the Return-Path domain or the DKIM d= domain to match your From domain. If SPF passes for mail.sendingservice.com but your From is you@yourdomain.com, that is a misalignment and DMARC fails even though SPF technically passed.
Why this happens most often
When you send through an ESP (Mailchimp, SendGrid, HubSpot) without setting up custom domain authentication, the ESP sends with its own domain in the Return-Path and signs DKIM with its own domain and selector. Authentication passes for the ESP's domain, not yours.
The fix
Enable custom domain authentication in your ESP. Every major ESP supports this.
Mailchimp:
Account > Domains > verify your sending domain > add the CNAME records they provide.
SendGrid:
Settings > Sender Authentication > Authenticate Your Domain > add the CNAME records.
Google Workspace:
Admin console > Apps > Google Workspace > Gmail > Authenticate email > enable DKIM. Google signs with your domain automatically once active.
Once complete, the ESP signs outgoing email with your domain in the d= tag. DKIM alignment passes. DMARC passes.
Verify it worked
Send a test from your ESP to a Gmail address. Open Show original and look for:
dkim=pass header.d=yourdomain.com
dmarc=pass
If header.d= still shows the ESP's domain, either the DNS records have not propagated yet or custom authentication was not fully enabled.
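The same check can be scripted against a saved copy of the message. The following is an added example, not part of the original article or any ESP's tooling: it reads the From header and the Authentication-Results header and reports whether SPF or DKIM passed for a domain that aligns with From. It goes slightly beyond the text by supporting both relaxed alignment (same organizational domain) and strict alignment (exact match); the two-label organizational-domain rule and the sample headers are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators consult the Public Suffix List (needed for e.g. .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment: exact match. Relaxed: same organizational domain.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def check_alignment(raw_message, strict=False):
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Only the topmost Authentication-Results header is read: it is the one
    # stamped by the receiving server; lower ones may be sender-supplied.
    header = re.sub(r"\([^)]*\)", " ", msg.get("Authentication-Results", ""))
    report = {"from": from_domain, "spf_aligned": False, "dkim_aligned": False}
    for clause in header.split(";"):
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m or m.group(2) != "pass":
            continue  # a failed mechanism can never satisfy DMARC
        prop = "smtp.mailfrom" if m.group(1) == "spf" else "header.d"
        p = re.search(re.escape(prop) + r"=(\S+)", clause)
        if p and aligned(p.group(1).rpartition("@")[2], from_domain, strict):
            report[m.group(1) + "_aligned"] = True
    report["dmarc_pass"] = report["spf_aligned"] or report["dkim_aligned"]
    return report

# Constructed sample headers (not captured from real mail).
MISALIGNED = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.d=sendingservice.com header.s=s1;\n"
    " spf=pass (sender permitted) smtp.mailfrom=bounce@mail.sendingservice.com;\n"
    " dmarc=fail header.from=yourdomain.com\n"
    "From: You <you@yourdomain.com>\n"
    "Subject: test\n\nbody\n"
)
# Same message after custom domain authentication: DKIM d= is now yours.
ALIGNED = (MISALIGNED.replace("d=sendingservice.com", "d=mail.yourdomain.com")
           .replace("dmarc=fail", "dmarc=pass"))

if __name__ == "__main__":
    for name, raw in (("before", MISALIGNED), ("after", ALIGNED)):
        print(name, check_alignment(raw))
```

In the "after" sample SPF is still unaligned because the Return-Path remains the ESP's; DMARC passes on DKIM alignment alone, and would fail under strict alignment because mail.yourdomain.com is not an exact match for yourdomain.com.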
You can also run a full check at InboxGreen.
For the full guide with per-ESP steps and common mistakes: DMARC alignment failure: fix guide