DMARC Alignment Failure: What It Means and How to Fix It

Last updated 2026-05-29 — By The InboxGreen Team

A DMARC alignment failure means your email passed SPF or DKIM authentication, but the domain that passed does not match the domain in the visible From header. DMARC requires not just that authentication passes, but that it passes for the right domain, specifically the one your recipient sees as the sender. This is one of the most misunderstood deliverability problems because authentication passes but DMARC still fails.

What it means

DMARC checks two things: did SPF or DKIM pass, and does the authenticated domain align with the From header domain? "Alignment" means the domains must match, either exactly (strict) or as parent/subdomain (relaxed). If you send from [email protected] but your SPF is passing for sendingservice.com, that is a misalignment.

Why it matters

Many email sending platforms send on behalf of your domain but authenticate using their own infrastructure. This creates alignment failures even though authentication technically passes. Without alignment, DMARC cannot pass, and a failing DMARC result weakens inbox placement, especially at Gmail and Yahoo.

DMARC alignment modes

v=DMARC1; p=none; aspf=r; adkim=r; rua=mailto:[email protected]

aspf=r is relaxed SPF alignment (the default), which allows subdomain matches. aspf=s is strict and requires an exact domain match. adkim=r is relaxed DKIM alignment (the default). Use relaxed mode unless you have a specific reason for strict. Most alignment problems are fixed by enabling custom domain authentication in your sending platform.

How to fix it

Google Workspace / Gmail

  1. Enable DKIM in Google Admin (Apps > Google Workspace > Gmail > Authenticate email).
  2. Verify the DKIM selector is published in DNS and Gmail shows it as active.
  3. DKIM alignment will pass automatically once DKIM is enabled, since Google signs with your domain.

Mailchimp

  1. Go to Mailchimp Account > Domains > verify your sending domain.
  2. Mailchimp will ask you to add CNAME records for DKIM.
  3. Add the CNAME records to your DNS provider.
  4. Once verified, Mailchimp signs outgoing email with your domain, fixing DKIM alignment.

SendGrid / other ESPs

  1. In your ESP, go to Sender Authentication or Domain Authentication.
  2. Follow the setup to add the CNAME or TXT records for your domain.
  3. Once complete, the ESP will sign emails with your domain, fixing alignment.

How to verify the fix

  1. Run your domain through the InboxGreen free checker.
  2. Send a test email from your sending platform to a Gmail address.
  3. In Gmail, open the email > three dots > Show original.
  4. Look for DKIM=PASS and confirm the domain after "d=" matches your From domain.
  5. Check DMARC result. It should now show PASS.
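
The header check in steps 3 to 5 can be scripted. The following Python is an added example, not InboxGreen's code or tool: it reads the Authentication-Results header from a message's raw source and reports whether the passing SPF and DKIM domains align with the From domain. The sample message and its .example domains are constructed, and the organizational domain is approximated as the last two labels instead of being looked up in the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF and DKIM both pass, but only for the ESP's domain.
SAMPLE = """\
Return-Path: <bounce@sendingservice.example>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce@sendingservice.example;
 dkim=pass header.d=sendingservice.example header.s=s1
From: Billing <billing@yourdomain.example>
Subject: test

body
"""

def org_domain(domain):
    # Assumption: last two labels. Receivers use the Public Suffix List,
    # so this is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_alignment(raw, aspf="r", adkim="r"):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Topmost header only: it is the one added last, normally by your own receiver.
    results = re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))
    report = {"from": from_domain, "spf": False, "dkim": False}
    spf = re.search(r"\bspf=pass\b[^;]*?smtp\.mailfrom=([^\s;]+)", results)
    if spf:
        report["spf"] = aligned(spf.group(1).rpartition("@")[2], from_domain, aspf)
    # header.i (signing identity) is accepted too; its domain is d= or a subdomain.
    for ident in re.findall(r"\bdkim=pass\b[^;]*?header\.[di]=([^\s;]+)", results):
        if aligned(ident.rpartition("@")[2], from_domain, adkim):
            report["dkim"] = True
    report["dmarc"] = report["spf"] or report["dkim"]  # either aligned pass suffices
    return report

if __name__ == "__main__":
    print(dmarc_alignment(SAMPLE))
```

Paste the text from Gmail's "Show original" in place of SAMPLE. Lower Authentication-Results headers are ignored because they may have been supplied by the sender.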

Common mistakes

  • Enabling DKIM in the provider but not adding the DNS record. Both steps are required.
  • Using strict alignment (aspf=s or adkim=s) when your subdomains send email. Strict requires exact match.
  • Assuming SPF alignment alone is enough. SPF alignment requires that your email is sent directly from your own mail server, not via an ESP.
  • Not checking the DKIM d= domain in the email headers. This tells you exactly which domain is being used for alignment.

Frequently asked questions

What is the difference between DMARC strict and relaxed alignment?

Relaxed alignment (the default) allows the authenticated domain to be a subdomain of the From domain. For example, mail.yourdomain.com aligns with yourdomain.com in relaxed mode. Strict alignment requires an exact match, so mail.yourdomain.com would not align with yourdomain.com.

Can DMARC pass if SPF fails but DKIM passes?

Yes. DMARC passes if either SPF alignment or DKIM alignment passes; both are not required. This is why enabling DKIM custom domain authentication in your ESP is often enough to fix DMARC failures.

Why does DMARC fail when SPF passes?

SPF can pass for the Return-Path domain (the bounce address), not the From domain. If you send via an ESP, the Return-Path is often set to the ESP's own domain. SPF passes for that domain but it does not align with your From address. DKIM alignment is more reliable when sending through third-party platforms.

