DKIM Alignment Failed
DKIM alignment failed means the domain used in the DKIM signature does not align with the visible From domain required by DMARC. A message can still have a technically valid DKIM signature, but if the signing domain after d= does not match the visible From domain closely enough, DMARC may still fail.
One-Minute Fix
Make sure at least one valid DKIM signature uses a d= domain that aligns with the visible From domain.
From: billing@example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
If the visible From address uses example.com, a DKIM signature with d=example.com is aligned.
Wrong vs correct setup
Wrong setup
From: billing@example.com
DKIM-Signature: v=1; a=rsa-sha256; d=vendor-mail.com; s=selector1;
This can fail DMARC because the message's visible From domain is example.com, but the DKIM signing domain is vendor-mail.com. DKIM may pass technically, yet DKIM alignment still fails.
Correct setup
From: billing@example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
This is the correct pattern. The DKIM signing domain aligns with the visible From domain, so DKIM can contribute to a DMARC pass.
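The comparison behind the wrong and correct setups above, as an added example (not code from this page or its checker): it reads the From header and every DKIM-Signature d= tag from a raw message and reports which signing domains align. The function names, the small PUBLIC_SUFFIXES set and the sample messages are assumptions constructed for illustration, and the signature itself is not verified.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List, enough for the
# constructed samples below. A real evaluator uses the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def dkim_d_tags(msg):
    """Collect the d= value of every DKIM-Signature header."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        pairs = (tag.partition("=") for tag in value.split(";"))
        tags = {k.strip(): v.strip() for k, _, v in pairs if k.strip()}
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains

def dkim_alignment(raw_message, mode="relaxed"):
    """Map each signing domain to True/False for alignment with From.

    mode mirrors DMARC's adkim tag: "relaxed" compares organizational
    domains, "strict" needs an exact match. The signature is NOT
    verified here; DMARC also requires the aligned signature to pass.
    """
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    result = {}
    for d in dkim_d_tags(msg):
        if not from_domain:
            result[d] = False
        elif mode == "strict":
            result[d] = d == from_domain
        else:
            result[d] = org_domain(d) == org_domain(from_domain)
    return result

# Constructed sample messages (headers abbreviated as on this page).
SIG = "DKIM-Signature: v=1; a=rsa-sha256; d={}; s=selector1;\n"
HEAD = "From: billing@example.com\n"
WRONG = HEAD + SIG.format("vendor-mail.com") + "\nbody\n"
SUBDOMAIN = HEAD + SIG.format("mail.example.com") + "\nbody\n"
BOTH = HEAD + SIG.format("vendor-mail.com") + SIG.format("example.com") + "\nbody\n"
```

For a message with several signatures, `any(dkim_alignment(raw).values())` tells you whether at least one signing domain aligns.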
Why this happens
This problem usually appears when a third-party sender signs with its own domain by default, a white-label domain was never configured properly, or different sending systems use different DKIM identities for the same brand.
Why this is a problem
- DMARC may fail even when DKIM passes technically.
- Mailbox providers see a mismatch between visible identity and signing identity.
- Legitimate mail can land in spam or be quarantined under stricter policies.
- Authentication troubleshooting becomes more confusing.
How this affects deliverability
Mailbox providers increasingly evaluate the full identity story, not just whether a signature cryptographically verifies. If the message claims to be from one domain but is signed by another, trust can drop even when the underlying DKIM signature is valid.
Common causes
- A third-party ESP signs with its own domain by default.
- A custom DKIM signing domain was never configured.
- Several sending platforms use different identities for the same brand.
- DMARC was tightened before all senders were aligned.
What we checked
We reviewed whether the d= domain in the DKIM signature aligns with the visible From domain strongly enough for DMARC to treat the signature as aligned.
FAQ
Can DKIM pass and still fail alignment?
Yes. DKIM pass only means the signature verified. Alignment is a separate DMARC requirement about whether the signing domain matches the From domain.
Does every DKIM signature need to align?
Not necessarily. At least one valid aligned authentication path is enough for DMARC, but relying on misaligned signatures weakens the setup.
How do I fix this safely?
Configure your sending provider to sign with your own domain or an aligned subdomain rather than a provider-owned identity.
Next steps
- Inspect the visible From domain in a real message.
- Check the d= domain used in the DKIM-Signature header.
- Configure the sender to use an aligned DKIM signing domain.
- Send a fresh test message after the change.
- Re-run the check to confirm DKIM alignment now passes.
- Review the full troubleshooting guidance in the DKIM Hub.
- Explore sender authorization issues in the SPF Hub.
- Review alignment and policy issues in the DMARC Hub.