DMARC Alignment Failed
DMARC requires alignment between the domain used in SPF or DKIM authentication and the domain visible in the From header. If those domains do not match closely enough, DMARC alignment fails even when SPF or DKIM may have passed technically.
One-Minute Fix
Ensure that either SPF or DKIM authenticates using the same domain, or an aligned organizational domain, as the visible From address.
From: billing@example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
If the visible From address uses example.com, a DKIM signature with d=example.com is aligned for DMARC.
Wrong vs correct setup
Wrong setup
From: billing@example.com
DKIM-Signature: v=1; a=rsa-sha256; d=vendor-mail.com; s=selector1;
This is broken for DMARC alignment because the visible From domain is example.com, but the DKIM signing domain is vendor-mail.com. DKIM may pass, but DMARC alignment still fails.
Correct setup
From: billing@example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
This is the correct pattern. The DKIM signing domain aligns with the visible From domain, so DKIM can count toward a DMARC pass.
Why this happens
Third-party services often sign emails using their own domains instead of the sender's domain. SPF can also fail alignment when the authenticated return-path domain does not match the visible From domain.
Why this is a problem
- DMARC authentication fails even when SPF or DKIM may pass technically.
- Receivers may quarantine or reject messages under stricter policies.
- Inbox placement becomes less reliable.
- Troubleshooting gets harder because the raw authentication result can look healthy while DMARC still fails.
How this affects deliverability
Mailbox providers evaluate whether authenticated identities align with the visible sender identity. If alignment fails, the message can lose trust even when a technical SPF or DKIM pass exists.
Common causes
- Third-party platforms sign with their own domains by default.
- Custom DKIM or SPF identities were never configured.
- Several sending systems use different identities for the same brand.
- DMARC enforcement was increased before alignment problems were fixed.
What we checked
We reviewed whether the SPF-authenticated domain or the DKIM d= domain aligns with the visible From domain strongly enough for DMARC to treat the message as aligned.
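The same comparison can be run locally against a saved message. The script below is an added example, not this site's own checker: it reads the From, DKIM-Signature and Return-Path headers and reports which identities align under relaxed ("r") or strict ("s") mode. It assumes the Return-Path header reflects the SPF-authenticated domain, approximates the organizational domain as the last two labels instead of consulting the Public Suffix List, and checks alignment only; it does not verify that SPF or DKIM actually passed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. A real evaluator
    # uses the Public Suffix List (example.co.uk would be wrong here).
    return ".".join(domain.split(".")[-2:])

def is_aligned(auth_domain, from_domain, mode="r"):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if not a or not f:
        return False
    # "s" = strict: exact match; "r" = relaxed: same organizational domain.
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def check_alignment(raw_message, adkim="r", aspf="r"):
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Collect d= from every DKIM-Signature; a message may carry several.
    dkim_domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", sig)
        if m:
            dkim_domains.append(m.group(1))
    # ASSUMPTION: Return-Path stands in for the SPF-authenticated domain.
    spf_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    dkim_ok = any(is_aligned(d, from_domain, adkim) for d in dkim_domains)
    spf_ok = is_aligned(spf_domain, from_domain, aspf)
    return {"from": from_domain, "dkim_d": dkim_domains, "spf_domain": spf_domain,
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "any_aligned": dkim_ok or spf_ok}

# Constructed sample messages using the page's example domains.
WRONG = ("Return-Path: <bounce@vendor-mail.com>\n"
         "DKIM-Signature: v=1; a=rsa-sha256; d=vendor-mail.com; s=selector1;\n"
         "From: billing@example.com\n\nbody\n")
CORRECT = WRONG.replace("d=vendor-mail.com", "d=example.com")
SUBDOMAIN = WRONG.replace("d=vendor-mail.com", "d=mail.example.com")

if __name__ == "__main__":
    for name, raw in (("wrong", WRONG), ("correct", CORRECT), ("subdomain", SUBDOMAIN)):
        print(name, check_alignment(raw))
    print("subdomain, adkim=s", check_alignment(SUBDOMAIN, adkim="s"))
```

The subdomain case shows why a move to strict DKIM alignment can turn a previously aligned sender into a failing one.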
FAQ
Can DKIM pass and DMARC still fail?
Yes. A DKIM pass only means the signature verified. DMARC also requires alignment between the signing domain and the visible From domain.
Is aligned SPF enough if DKIM is not aligned?
Yes. DMARC only needs one aligned authentication path, either SPF or DKIM. But many domains prefer to align both for resilience.
How do I fix this safely?
Configure your sender to authenticate with your own domain, or an aligned domain, rather than a provider-owned domain.
Next steps
- Inspect the visible From domain in a real message.
- Check the DKIM d= domain and the SPF-authenticated domain.
- Align at least one of them with the visible From domain.
- Send a fresh test message after the change.
- Re-run the check to confirm DMARC alignment now passes.
- Review the full troubleshooting guidance in the DMARC Hub.
- Explore sender authorization issues in the SPF Hub.
- Check signing and selector issues in the DKIM Hub.