DMARC fails even when SPF and DKIM individually pass — this is the classic alignment problem. This tutorial explains how to diagnose alignment failures from DMARC aggregate reports, fix third-party senders, resolve subdomain mismatches, and use relaxed vs strict mode appropriately.
DMARC passes if at least one of the following holds:
- SPF passes and the envelope sender (MAIL FROM / Return-Path) domain aligns with the From: domain.
- DKIM passes and the signature's d= domain aligns with the From: domain.

Common failure: SPF and DKIM individually pass but alignment fails. This is typical for third-party senders using their own infrastructure without a custom domain setup.
DMARC aggregate report per-source rows show:

```xml
<record>
  <row>
    <source_ip>203.0.113.99</source_ip>
    <count>47</count>
    <policy_evaluated>
      <disposition>quarantine</disposition>
      <dkim>fail</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>firm.co.uk</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>mcsv.net</domain>
      <result>pass</result>
    </dkim>
    <spf>
      <domain>mcsv.net</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>
```

Read the key signal: auth_results shows SPF and DKIM passing on mcsv.net, but policy_evaluated shows both as fail after the alignment check, because mcsv.net does not align with firm.co.uk (the header_from). This is the alignment failure pattern.
SPF alignment fails when the envelope sender's domain differs from the From: domain:
- Envelope sender on a subdomain (e.g. bounces.firm.co.uk) with strict alignment enforced (aspf=s).
- The same subdomain envelope is accepted under relaxed alignment (aspf=r, the default).

DKIM alignment fails when the DKIM d= domain differs from the From: domain.
Third-party signing with their own domain. Mailchimp signs with d=mcsv.net; SendGrid signs with d=sendgrid.net. Without custom domain configuration, DKIM aligns with provider domain, not yours.
Fix: configure custom domain authentication with the provider. The provider supplies CNAME records (e.g. selector._domainkey.firm.co.uk) pointing at the provider's DKIM infrastructure; once published, the provider signs as your domain and reports show dkim=pass with d=firm.co.uk. This is the most common alignment issue for UK businesses. Provider-specific workflow:

| Provider | Alignment method |
|---|---|
| Mailchimp | Domain authentication via 2 CNAMEs |
| SendGrid | Domain authentication via 3 CNAMEs |
| HubSpot | Email sending domain + CNAMEs |
| Salesforce | Sender Authentication Package (SAP) |
| Amazon SES | Easy DKIM via CNAMEs |
| Postmark | Sender signature verification + TXT records |
| Mailgun | Domain verification CNAMEs |
Mail with From: at a subdomain (e.g. an address at marketing.firm.co.uk) raises alignment questions:
- Relaxed alignment: marketing.firm.co.uk aligns with firm.co.uk via the organisational domain.
- Strict alignment: marketing.firm.co.uk only aligns with marketing.firm.co.uk, not the parent.

Fix for strict-mode failures:
- Switch to relaxed alignment (adkim=r; aspf=r), or
- Authenticate at the subdomain itself: DKIM d=marketing.firm.co.uk, SPF envelope on marketing.firm.co.uk.

Decision tree for a failing source:

```text
dmarc=fail, auth_results shows individual SPF/DKIM passing?
├── Yes — alignment issue
│   ├── Check dkim domain vs header_from
│   │   └── Different → third-party signing issue → configure custom domain
│   ├── Check spf domain vs header_from
│   │   └── Different → envelope sender issue → custom return-path
│   └── Both different → choose one pathway to fix first (usually DKIM)
└── No — authentication failure, see relevant Fix Failures guide
```

Mailchimp signing with d=mcsv.net (as in the report above): classic. Fix: Mailchimp Admin → Audience → Settings → Authenticate Domain → follow CNAME instructions.
Customer routes transactional mail through SendGrid but configures envelope on email.firm.co.uk subdomain. Relaxed alignment accepts; strict alignment fails. Decide: relaxed mode or subdomain-specific DMARC.
DocuSign signs with its own DKIM. Without custom domain, alignment fails. Fix: enable DocuSign's custom branding + domain authentication.
HubSpot requires both email-sending domain + CNAME publication. Common oversight: admin configures one but not both. Check HubSpot admin for complete setup.
Xero by default sends with @xero.com envelope. Custom branding allows your domain. Without custom branding, alignment fails. Decision: accept (fails), enable custom branding, or use your own invoicing integration.
Shopify sends customer notifications from various infrastructures. Alignment varies per notification type. Shopify offers custom domain for some notifications; not all. Complex; may need case-by-case accept-or-route.
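To make the alignment rules and the decision tree above concrete, here is an added example (not code from the original article) that re-runs the alignment check over a constructed aggregate-report fragment and classifies each source the way the tree does. The public-suffix set is a hypothetical stand-in for the real Public Suffix List, and the second record (a subdomain-authenticated source) is constructed to show the relaxed-versus-strict difference.

```python
import xml.etree.ElementTree as ET
# Constructed aggregate-report fragment (record 1: Mailchimp as mcsv.net; record 2: a subdomain).
REPORT = """<feedback>
<record><row><source_ip>203.0.113.99</source_ip><count>47</count></row>
<identifiers><header_from>firm.co.uk</header_from></identifiers><auth_results>
<dkim><domain>mcsv.net</domain><result>pass</result></dkim>
<spf><domain>mcsv.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>12</count></row>
<identifiers><header_from>firm.co.uk</header_from></identifiers><auth_results>
<dkim><domain>email.firm.co.uk</domain><result>pass</result></dkim>
<spf><domain>email.firm.co.uk</domain><result>pass</result></spf></auth_results></record>
</feedback>"""
# Stand-in for the Public Suffix List; a production checker must use the full PSL.
PUBLIC_SUFFIXES = {"uk", "co.uk", "org.uk", "com", "net"}
def org_domain(domain):
    """Organisational domain: one label to the left of the public suffix."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()

def aligned(auth_domain, header_from, mode):
    """Strict (s): exact match. Relaxed (r): organisational domains match."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def diagnose(record, adkim="r", aspf="r"):
    """Re-run the alignment check on one <record>, then walk the decision tree."""
    hf = record.findtext("identifiers/header_from")
    passing = {}  # mechanism -> authenticated domain, for results that passed
    for kind, mode in (("dkim", adkim), ("spf", aspf)):
        el = record.find(f"auth_results/{kind}")
        if el is not None and el.findtext("result") == "pass":
            if aligned(el.findtext("domain"), hf, mode):
                return "pass"
            passing[kind] = el.findtext("domain")
    if not passing:
        return "authentication failure"
    if all(org_domain(d) == org_domain(hf) for d in passing.values()):
        return "alignment: strict-mode subdomain mismatch, relax or sign at the subdomain"
    if len(passing) == 2:
        return "alignment: both domains differ, fix DKIM first (custom domain)"
    if "dkim" in passing:
        return "alignment: third-party DKIM signing, configure custom domain"
    return "alignment: envelope sender domain, configure custom return-path"

def diagnose_report(xml_text, adkim="r", aspf="r"):
    return [(r.findtext("row/source_ip"), int(r.findtext("row/count")),
             diagnose(r, adkim, aspf)) for r in ET.fromstring(xml_text).findall("record")]
```

Running `diagnose_report(REPORT)` flags the Mailchimp source for a custom-domain fix under either mode, while the subdomain source passes under relaxed alignment and is reported as a strict-mode subdomain mismatch under `adkim="s", aspf="s"`.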
Mail that is signed with d=firm.co.uk (the customer's domain) and sent with an envelope on the customer's domain aligns automatically. Alignment issues arise for third-party senders using the customer's domain; the fixes are customer-side, via provider configuration.

Q: Is relaxed alignment less secure than strict?
A: Marginally. Relaxed allows organisational-domain matching, which still protects against exact-domain spoofing; strict additionally prevents subdomain-level attacks. For most UK SMEs, relaxed is adequate.
Q: If I tighten to strict alignment, how many senders typically break?
A: 10-30% in first audit. Each sender needs case-by-case review. After remediation, strict alignment works cleanly.
Q: Can I use different alignment modes for SPF and DKIM?
A: Yes. adkim=s; aspf=r is valid. Unusual but permitted. Typically both match for consistency.
Q: Do alignment issues affect mail that ARC saved?
A: ARC operates when SPF/DKIM fail; alignment is secondary. If ARC chain validates, receiver may override DMARC regardless of alignment.
Q: What is the single highest-impact alignment fix for a UK business?
A: Configuring Mailchimp (or equivalent marketing platform) with custom domain authentication. Usually fixes 30-60% of alignment failures in one step.
Q: Does BIMI display depend on alignment specifically?
A: No — BIMI depends on DMARC pass (which depends on alignment). Indirectly yes: alignment failure → DMARC fail → no BIMI display.