
Free DMARC Alignment Checker - Fix "SPF Pass, DMARC Fail"

Check your SPF and DKIM alignment with DMARC. Understand why authentication passes but DMARC fails. See current alignment modes and get step-by-step fixes.


What This Tool Checks

  • SPF Alignment Mode - Shows aspf setting (relaxed/strict)
  • DKIM Alignment Mode - Shows adkim setting (relaxed/strict)
  • DMARC Policy - Current enforcement level
  • Authentication Status - SPF and DKIM record presence

How to Fix Common Issues

SPF Passes but DMARC Fails

Configure a custom return-path domain with your email provider to align SPF:

Return-Path: bounce@mail.yourdomain.com

DKIM Passes but DMARC Fails

Configure a custom DKIM signing domain with your email provider:

DKIM-Signature: d=yourdomain.com; s=selector; ...

Using Strict Alignment

For tighter security, require exact domain matches:

v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@yourdomain.com

How It Works

  1. Enter Your Domain - Type your domain name without http:// or www
  2. We Check All Records - We fetch DMARC, SPF, and probe DKIM selectors
  3. Get Alignment Report - See alignment modes and fix recommendations

Frequently Asked Questions

What is DMARC alignment?

DMARC alignment means the domain in the email's From header must match the domain used in SPF or DKIM authentication. Without alignment, even if SPF/DKIM pass, DMARC will fail.

Why does SPF pass but DMARC fail?

This happens when SPF authenticates a different domain than the From header. For example, if you send via a third-party service that uses their own domain for SPF, the domains don't align and DMARC fails.

What is relaxed vs strict alignment?

Relaxed alignment (default) allows subdomains to match the parent domain. Strict alignment requires exact domain matches. Use aspf=s for strict SPF and adkim=s for strict DKIM alignment.

How do I fix DMARC alignment issues?

Configure your email services to use your domain for SPF (custom return-path) or DKIM (custom signing domain). Most ESPs support custom domain configuration for alignment.

Do I need both SPF and DKIM alignment?

No, DMARC passes if EITHER SPF or DKIM passes with alignment. However, having both provides redundancy - if one fails (e.g., forwarding breaks SPF), the other can still pass.

Understanding DMARC Alignment: The Complete Guide

DMARC alignment is one of the most misunderstood aspects of email authentication. It's the reason why your SPF and DKIM can both pass, yet DMARC still fails. Understanding alignment is crucial for achieving full email authentication and protecting your domain from spoofing.

What is DMARC Alignment?

DMARC alignment requires that the domain authenticated by SPF or DKIM matches the domain in the email's visible "From" header. This prevents attackers from using a legitimate SPF/DKIM setup on one domain to send spoofed emails appearing to come from another domain.

Think of it this way: SPF and DKIM verify that an email is authentic, but alignment verifies that it's authentic for the domain it claims to be from.

SPF Alignment Explained

SPF alignment compares two domains:

  • RFC5321.MailFrom (Return-Path/Envelope From) - The domain used for SPF authentication
  • RFC5322.From (Header From) - The visible "From" address the recipient sees

For SPF alignment to pass, these domains must match. The problem? Many email services use their own domain for the Return-Path (e.g., bounce.mailservice.com), which doesn't align with your domain in the From header.

DKIM Alignment Explained

DKIM alignment compares:

  • DKIM d= domain - The domain in the DKIM signature
  • RFC5322.From (Header From) - The visible "From" address

For DKIM alignment to pass, the DKIM signing domain must match the From header domain. Many services sign with their own domain by default, causing alignment failures.

Relaxed vs Strict Alignment

DMARC offers two alignment modes, controlled by the aspf (SPF) and adkim (DKIM) tags:

  • Relaxed (r) - Default. Allows subdomains to align with the parent domain. Example: mail.example.com aligns with example.com.
  • Strict (s) - Requires exact domain match. mail.example.com does NOT align with example.com.

Most organizations use relaxed alignment because it's more forgiving with subdomains while still providing protection.

Why "SPF Pass, DMARC Fail" Happens

This is the most common alignment issue. Here's a typical scenario:

  1. You send email through a marketing platform like Mailchimp
  2. Mailchimp uses their servers, which are in your SPF record via include:servers.mcsv.net
  3. SPF passes because Mailchimp's server is authorized
  4. But the Return-Path is bounce.mcsv.net, not your domain
  5. The From header shows you@yourdomain.com
  6. These domains don't match, so SPF alignment fails
  7. If DKIM also fails alignment, DMARC fails
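The relaxed/strict rules and the scenario above, worked through as an added example (not code from this page or its tool). The small suffix set stands in for the Public Suffix List, and the DKIM d= value in the first call is an assumption.

```python
# Assumption: a tiny stand-in for the Public Suffix List so this runs offline;
# a real evaluator derives the organizational domain from the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

RELAXED = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"  # aspf/adkim default to r
STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@yourdomain.com"

def organizational_domain(domain):
    """Public suffix plus one label, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; aspf=s' into a tag dictionary."""
    pairs = (t.split("=", 1) for t in record.split(";") if "=" in t)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def aligned(auth_domain, from_domain, mode):
    """Mode 's' needs an exact match; 'r' needs the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)

def dmarc_result(record, from_domain, spf, dkim):
    """spf and dkim are (passed, authenticated_domain) tuples."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

if __name__ == "__main__":
    sender = "yourdomain.com"
    # SPF passes for the service's bounce domain; the DKIM d= value is assumed.
    print(dmarc_result(RELAXED, sender, (True, "bounce.mcsv.net"), (True, "mcsv.net")))
    # Custom return-path on a subdomain: aligned when relaxed, not when strict.
    print(dmarc_result(RELAXED, sender, (True, "mail.yourdomain.com"), (False, "")))
    print(dmarc_result(STRICT, sender, (True, "mail.yourdomain.com"), (False, "")))
```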

How to Fix Alignment Issues

The solution is to configure your email services to use your domain for authentication:

  • For SPF alignment - Set up a custom Return-Path/bounce domain. Most ESPs call this "custom envelope domain" or "branded return path." You'll add a CNAME like bounce.yourdomain.com pointing to the service.
  • For DKIM alignment - Configure custom DKIM signing. The service will give you CNAME records to add, allowing them to sign emails with your domain (e.g., d=yourdomain.com).

DKIM alignment is usually easier to configure and survives email forwarding, so prioritize it if you can only fix one.

Common Services and Alignment

Here's how popular services handle alignment:

  • Google Workspace - Automatically aligns both SPF and DKIM when sending from your domain
  • Microsoft 365 - Automatic alignment for your domain
  • Mailchimp - Requires custom domain setup for alignment
  • SendGrid - Supports custom Return-Path and DKIM domains
  • Amazon SES - Supports custom MAIL FROM domain and DKIM
  • HubSpot - Requires domain authentication setup

Testing Your Alignment

To verify alignment is working:

  1. Send a test email to a Gmail account
  2. Open the email and click "Show original" (three dots menu)
  3. Look for the authentication results header
  4. Check that SPF, DKIM, and DMARC all show "PASS"
  5. Verify the domains match your sending domain
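Steps 3 to 5 can be scripted: this added example (not part of the original page) parses an Authentication-Results header and returns each verdict with the domain it was issued for. The sample header is constructed, and its domains, selectors and IP address are placeholders.

```python
import re

# Constructed sample in the layout shown under "Show original".
SAMPLE = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=selector header.b=AbCdEfGh;
       dkim=pass header.i=@mailservice.com header.s=k1 header.b=IjKlMnOp;
       spf=pass (google.com: domain of bounce@bounce.mailservice.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@bounce.mailservice.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=yourdomain.com"""

def parse_authentication_results(header):
    """Return [(method, result, {property: value})] from one header."""
    value = header.split(":", 1)[1]
    value = re.sub(r"\([^()]*\)", " ", value)   # drop (comments)
    value = " ".join(value.split())             # unfold continuation lines
    entries = []
    for part in value.split(";")[1:]:           # part 0 is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((method.lower(), result.lower(), props))
    return entries

def domain_of(value):
    """Domain part of an address, or the value itself if it is a bare domain."""
    return value.rsplit("@", 1)[-1].lower()

def report(header):
    """Collect the verdicts and domains that steps 4 and 5 ask you to compare."""
    out = {"from": None, "spf": [], "dkim": [], "dmarc": None}
    for method, result, props in parse_authentication_results(header):
        if method == "spf":
            out["spf"].append((result, domain_of(props.get("smtp.mailfrom", ""))))
        elif method == "dkim":
            # header.i is the signing identity: the d= domain or a subdomain of it.
            ident = props.get("header.d") or props.get("header.i", "")
            out["dkim"].append((result, domain_of(ident)))
        elif method == "dmarc":
            out["dmarc"] = result
            out["from"] = domain_of(props.get("header.from", ""))
    return out

if __name__ == "__main__":
    print(report(SAMPLE))
```

In the sample, SPF passes only for the service's bounce domain, so the DMARC pass rests on the DKIM signature whose domain matches the From header.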
