High Severity | DMARC

Fix: DMARC Alignment Failure

Emails from your domain are failing DMARC because neither SPF nor DKIM is aligned with the From header domain. DMARC requires at least one of SPF or DKIM to both pass and be aligned.

Quick Fix

Ensure the From header domain matches the SPF and/or DKIM domain (alignment).

What This Error Means

DMARC alignment means the domain in the email's visible From header must match the domain authenticated by SPF (the envelope sender / Return-Path) or DKIM (the d= domain in the signature). If neither matches, DMARC fails even if SPF and DKIM individually pass.

Why It Matters

Without alignment, an attacker could pass SPF using their own domain in the Return-Path while spoofing your domain in the visible From header. Alignment prevents this by ensuring the authenticated domain matches what the recipient sees.

Step-by-Step Fix

1. Check SPF alignment

The Return-Path domain (envelope sender) must match the From header domain.

Example
# In email headers, look for:
# Return-Path: [email protected]  <-- must match From domain
# From: [email protected]

2. Check DKIM alignment

The d= domain in the DKIM signature must match the From header domain.

Example
# In email headers, look for:
# DKIM-Signature: ... d=yourdomain.com; ...  <-- must match From domain
# From: [email protected]

3. Configure your email provider for alignment

Set up custom Return-Path and DKIM domains in your email service provider so they match your From domain.

Example
# For SendGrid, add DNS records:
# CNAME: em1234.yourdomain.com -> sendgrid.net (Return-Path alignment)
# CNAME: s1._domainkey.yourdomain.com -> s1.domainkey.sendgrid.net (DKIM alignment)

4. Verify alignment is working

Send a test email and check the Authentication-Results header.

Example
# In email headers, look for:
# Authentication-Results: ... dmarc=pass (p=reject dis=none) header.from=yourdomain.com

Common Gotchas

  • By default, many third-party email services sign with their own domain (e.g., d=sendgrid.net), not yours. You need to configure custom DKIM signing.
  • Relaxed alignment (the default) allows subdomain matching — mail.example.com aligns with example.com. Strict alignment requires exact domain match.
  • Mailing lists and forwarding services almost always break SPF alignment. DKIM alignment is your safety net in these cases.
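The header checks in steps 1, 2 and 4 and the relaxed/strict distinction above can be run together over a raw message. The script below is an added example, not part of the original guide. It assumes the receiver records verified DKIM domains as header.d= in Authentication-Results, approximates the organizational domain as the last two labels, and uses constructed sample messages and addresses:

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers use
    # the Public Suffix List; this shortcut is wrong for suffixes like co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    if not auth_domain or not from_domain:
        return False
    if strict:  # strict: exact match of the full domain
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def check_dmarc(raw, strict_spf=False, strict_dkim=False):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"] or "")[1].rpartition("@")[2]
    spf_dom = parseaddr(msg["Return-Path"] or "")[1].rpartition("@")[2]
    results = msg["Authentication-Results"] or ""
    spf_pass = re.search(r"\bspf=pass\b", results) is not None
    # Only signatures the receiver verified count; collect their d= domains.
    dkim_doms = re.findall(r"\bdkim=pass\b[^;]*?header\.d=([\w.-]+)", results)
    spf_ok = spf_pass and aligned(spf_dom, from_dom, strict_spf)
    dkim_ok = any(aligned(d, from_dom, strict_dkim) for d in dkim_doms)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": spf_ok or dkim_ok}

# Constructed sample: provider defaults, SPF and DKIM pass for sendgrid.net only.
THIRD_PARTY = (
    "Return-Path: <bounce@em.sendgrid.net>\n"
    "Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=em.sendgrid.net;\n"
    " dkim=pass header.d=sendgrid.net; dmarc=fail header.from=yourdomain.com\n"
    "From: Billing <billing@yourdomain.com>\n\nbody\n")

# Constructed sample: relayed by a mailing list, custom DKIM signature survives.
FORWARDED = (
    "Return-Path: <list-bounce@lists.example.org>\n"
    "Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=lists.example.org;\n"
    " dkim=pass header.d=mail.yourdomain.com; dmarc=pass header.from=yourdomain.com\n"
    "From: Billing <billing@yourdomain.com>\n\nbody\n")

if __name__ == "__main__":
    print(check_dmarc(THIRD_PARTY))
    print(check_dmarc(FORWARDED))
    print(check_dmarc(FORWARDED, strict_dkim=True))
```

When running this against real mail, trust only the Authentication-Results header added by your own receiving server, since earlier hops can insert their own.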

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

What is the difference between relaxed and strict DMARC alignment?

Relaxed alignment (the default) requires the organizational domain to match — so mail.example.com aligns with example.com. Strict alignment requires an exact match of the full domain.

Can DMARC pass if only one of SPF or DKIM is aligned?

Yes. DMARC requires at least one of SPF or DKIM to both pass and be aligned. If DKIM passes with alignment but SPF fails, DMARC still passes.

How do I fix alignment for third-party email services?

Configure the service to use your domain for both the Return-Path (SPF alignment) and DKIM signing domain (d= alignment). This usually involves adding CNAME or TXT records to your DNS.
