DMARC fails but SPF and DKIM pass: it is almost always alignment
· dmarc · alignment · spf · dkim · deliverability
If SPF passes and DKIM passes but DMARC still fails, the cause is almost never authentication — it is alignment. DMARC does not just ask "did SPF or DKIM pass?" It asks "did the mechanism that passed authenticate the same domain that appears in the From: header?" SPF commonly passes on your ESP's bounce domain and DKIM passes with the ESP's d= domain, so both checks are green while neither one points at your brand. DMARC sees a mismatch and fails.
Authentication is not alignment
SPF and DKIM each authenticate a domain. The catch is which domain.
- SPF validates the envelope sender — the MAIL FROM / return-path, frequently your ESP's bounce domain like bounces.sendgrid.net. SPF passes for that domain, not yours.
- DKIM validates whatever is in the signature's d= tag. If your ESP signs with d=sendgrid.net, DKIM passes for SendGrid, not for you.
Neither touches the From: header your recipient actually sees. DMARC's whole job is to bind authentication back to that visible From: domain.
What DMARC checks for alignment
DMARC passes only if at least one of these holds:
- SPF passed and the return-path domain aligns with the From: domain, or
- DKIM passed and the d= domain aligns with the From: domain.
"Aligns" depends on the mode. Relaxed alignment (adkim=r / aspf=r, the default) lets the organizational domains match — mail.example.com aligns with example.com. Strict alignment (adkim=s / aspf=s) requires an exact match. If your From: is example.com but SPF authenticated bounces.esp.net and DKIM signed d=esp.net, both fail alignment under either mode, and so does DMARC.
You can confirm this directly. In a received message's headers, read Authentication-Results:
spf=pass smtp.mailfrom=bounces.esp.net
dkim=pass header.d=esp.net
dmarc=fail (p=none) header.from=example.com
Two passes, one mismatch each, DMARC fail. The header.from is your domain; nothing else is.
How to fix it
You need at least one mechanism to authenticate your domain.
- Align SPF by setting a custom return-path (bounce) domain on a subdomain of yours, e.g. bounce.example.com, usually a CNAME your ESP gives you. Now MAIL FROM is under example.com and SPF aligns in relaxed mode.
- Align DKIM by configuring branded DKIM so the signature uses d=example.com. ESPs publish this as a CNAME (e.g. s1._domainkey.example.com pointing into the provider) so they can rotate keys while the signing domain stays yours.
Aligned DKIM is the more durable fix because it survives forwarding better. You generally want both.
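To make the alignment rule from the previous two sections concrete, here is an added example (not code from this post or any ESP) that parses an Authentication-Results header value and applies the DMARC decision: pass only if SPF passed and its domain aligns, or a DKIM signature passed and its d= aligns, under relaxed or strict mode. The headers it runs on are constructed, the receiver name mx.example.net is made up, and the organizational-domain logic is a deliberately small stand-in for the Public Suffix List a real evaluator would use.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: a few two-label public suffixes so org_domain() behaves sanely
# for them. Assumption: a real DMARC evaluator uses the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def org_domain(domain: str) -> str:
    """Organizational domain: the registrable part (example.com for mail.example.com)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment. mode 'r' (relaxed) compares organizational
    domains; 's' (strict) requires an exact match, as adkim=/aspf= specify."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    spf_result: Optional[str]          # "pass", "fail", ... or None if no spf= clause
    spf_domain: Optional[str]          # domain part of smtp.mailfrom=
    dkim: List[Tuple[str, str]]        # (result, header.d) for every dkim= clause
    from_domain: Optional[str]         # header.from= if the receiver recorded it


def parse_authentication_results(header: str) -> AuthResults:
    """Extract the identifiers DMARC cares about from an Authentication-Results value."""
    spf = re.search(r"\bspf=(\w+)[^;]*?\bsmtp\.mailfrom=([^\s;]+)", header)
    spf_result = spf.group(1).lower() if spf else None
    # smtp.mailfrom may be a full address or a bare domain; keep only the domain
    spf_domain = spf.group(2).rsplit("@", 1)[-1] if spf else None
    dkim = [(r.lower(), d) for r, d in
            re.findall(r"\bdkim=(\w+)[^;]*?\bheader\.d=([^\s;]+)", header)]
    frm = re.search(r"\bheader\.from=([^\s;]+)", header)
    return AuthResults(spf_result, spf_domain, dkim, frm.group(1) if frm else None)


def evaluate_dmarc(header: str, from_domain: Optional[str] = None,
                   aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC rule: pass iff (SPF passed AND its domain aligns) OR
    (some DKIM signature passed AND its d= aligns) with the From: domain."""
    ar = parse_authentication_results(header)
    frm = from_domain or ar.from_domain
    if frm is None:
        raise ValueError("From: domain unknown; pass from_domain explicitly")
    spf_ok = ar.spf_result == "pass" and aligned(ar.spf_domain, frm, aspf)
    dkim_ok = any(r == "pass" and aligned(d, frm, adkim) for r, d in ar.dkim)
    return {
        "from": frm,
        "spf": ar.spf_result, "spf_domain": ar.spf_domain, "spf_aligned": spf_ok,
        "dkim": ar.dkim, "dkim_aligned": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


# Constructed header values; not captured from any real receiver.
BEFORE_FIX = ("mx.example.net; spf=pass smtp.mailfrom=bounces@bounces.esp.net; "
              "dkim=pass header.d=esp.net header.s=s1; "
              "dmarc=fail (p=none) header.from=example.com")
# Same sender after a branded bounce domain and branded DKIM are in place.
AFTER_FIX = ("mx.example.net; spf=pass smtp.mailfrom=bounces@bounce.example.com; "
             "dkim=pass header.d=example.com header.s=s1; header.from=example.com")
# Aligned mail after a forwarder rewrote the return-path and altered the body.
FORWARDED = ("mx.example.net; spf=fail smtp.mailfrom=owner@lists.forwarder.net; "
             "dkim=fail header.d=example.com header.s=s1; header.from=example.com")

if __name__ == "__main__":
    for name, hdr in [("before", BEFORE_FIX), ("after", AFTER_FIX), ("forwarded", FORWARDED)]:
        v = evaluate_dmarc(hdr)
        print(f"{name}: spf={v['spf']} ({v['spf_domain']}, aligned={v['spf_aligned']}) "
              f"dkim_aligned={v['dkim_aligned']} -> dmarc={v['dmarc']}")
```

Running it shows the three situations the post describes: two green checks that fail DMARC before the fix, a pass once either identifier is brought under example.com, and a fail again after a forwarder breaks both mechanisms. Passing aspf="s" or adkim="s" reproduces strict mode, where mail.example.com no longer aligns with example.com.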
Forwarding, and why ARC exists
Even a perfectly aligned setup can fail after a hop. A mailing list or forwarding rule rewrites the return-path, so SPF alignment breaks at the forwarder. If the forwarder also mutates the body — appends a footer, rewrites links — the DKIM body hash no longer verifies and DKIM breaks too. Both green checks go red through no fault of yours.
That gap is what ARC (Authenticated Received Chain, RFC 8617) addresses: each intermediary signs the authentication results it saw, so a downstream receiver can trust the original pass even after the message was modified in transit.
Further reading
- What is DMARC? (and how to check if yours is configured correctly)
- Email deliverability checklist: SPF, DKIM, and DMARC in order
- RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance
- RFC 8617 — The Authenticated Received Chain (ARC) Protocol