Teaser only. This is not the full article. Complete guide with alignment modes and envelope-from fixes: DMARC Alignment Failed, SPF Passed
DMARC Failed, SPF Passed: Why?
Your aggregate report shows spf=pass and dmarc=fail on the same row. That confuses teams who treat SPF as the whole job.
SPF authorizes a sending IP for the envelope-from domain (Return-Path). DMARC then asks whether that domain aligns with the domain in the visible From: header. Mailchimp can pass SPF on sendgrid.net while your customer sees @yourcompany.com. SPF passes, but the two domains do not align, so unless an aligned DKIM signature passes, DMARC fails.
Check alignment in headers:
Authentication-Results: ... spf=pass ... dmarc=fail
Fix the envelope-from, enable DKIM on your domain, or move marketing to a subdomain with its own policy.
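The same mismatch can be pulled out of the aggregate report itself. This Python example is added here and is not from the original post: it lists rows where the raw SPF check passed but the DMARC-aligned SPF result failed, and notes whether aligned DKIM still carried DMARC. The sample report, its domains and IPs, and the function name are constructed for illustration; element names follow the RFC 7489 aggregate-report layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>42</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>bounce.esp.example.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.20</source_ip><count>7</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>bounce.esp.example.net</domain><result>pass</result></spf><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>192.0.2.30</source_ip><count>3</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>mail.example.com</domain><result>pass</result></spf></auth_results></record>
</feedback>"""


def find_spf_alignment_gaps(xml_text):
    """Return rows where raw SPF passed but the DMARC-aligned SPF result failed."""
    gaps = []
    # Reports come from third parties; use a hardened parser (e.g. defusedxml) in production.
    for rec in ET.fromstring(xml_text).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        if evaluated is None:
            continue
        # auth_results/spf is the raw check on the envelope-from domain.
        spf_pass = [s.findtext("domain", "").strip().lower()
                    for s in rec.findall("auth_results/spf")
                    if s.findtext("result", "").strip().lower() == "pass"]
        # policy_evaluated/spf is the SPF result after alignment with header_from.
        if spf_pass and evaluated.findtext("spf", "").strip().lower() == "fail":
            dkim_ok = evaluated.findtext("dkim", "").strip().lower() == "pass"
            gaps.append({
                "source_ip": rec.findtext("row/source_ip", "").strip(),
                "count": int(rec.findtext("row/count", "0")),
                "header_from": rec.findtext("identifiers/header_from", "").strip().lower(),
                "envelope_from": spf_pass[0],
                "dmarc": "pass" if dkim_ok else "fail",  # aligned DKIM alone satisfies DMARC
            })
    return gaps


if __name__ == "__main__":
    for gap in find_spf_alignment_gaps(SAMPLE_REPORT):
        print(gap)
```

Rows reported with dmarc set to fail are the ones that need an envelope-from or DKIM fix; rows with pass are already covered by aligned DKIM.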
In the full post on zerohook.org:
- Strict vs. relaxed alignment (aspf= / adkim=)
- HubSpot, SendGrid, and M365 alignment patterns
- When to fix Return-Path vs. DKIM d=
- Reading DMARC XML for alignment failures
Read the full guide: DMARC Alignment Failed, SPF Passed