Why does my email fail DMARC even though SPF passes?

SPF can pass but still fail DMARC alignment if the envelope-from domain (Return-Path) does not match the From domain. Many ESPs use their own domain as the Return-Path, which means SPF passes for the ESP's domain but is not aligned with your From domain. In this case DKIM alignment must pass instead.

What is the difference between DMARC p=none and p=reject?

p=none is monitoring mode — messages are delivered regardless of DMARC result and you receive reports. p=reject means failing messages are outright rejected and never delivered. Start with p=none to collect reports, then move to p=quarantine and finally p=reject once you are confident all legitimate senders are passing.

Does DMARC require both SPF and DKIM to pass?

No. DMARC only requires one of SPF or DKIM to both pass AND be aligned with the From domain. If DKIM is aligned and passing, DMARC passes even if SPF fails, and vice versa.

DMARC Policy Tester

Q: What is DMARC alignment?

DMARC alignment means the domain that authenticated via SPF or DKIM must match the visible From domain. SPF passing on its own is not enough — the envelope-from domain must also match the From domain. Similarly DKIM passing alone is not enough — the d= domain must match the From domain.

Built for operators & agencies

Live DNS - no cached APIs

No login required

No data retention

Privacy first diagnostics

Prevents blacklisting - not causes it

Enter the From domain, SPF result, and DKIM result to see whether a message would pass or fail DMARC — and what policy action would apply.

From domain (visible sender)

The domain in the From: header — what the recipient sees as the sender.

SPF result

SPF / envelope from domain

The Return-Path / envelope from domain.

DKIM result

DKIM d= domain

The d= value from the DKIM-Signature header.

What is DMARC alignment?

DMARC passes only if at least one of the following is true:

SPF aligned: SPF passes AND the envelope-from domain matches the From domain (relaxed: same organizational domain).
DKIM aligned: DKIM passes AND the d= domain matches the From domain (relaxed: same organizational domain).

Both SPF and DKIM results are checked for alignment. Only one needs to pass.

Relaxed vs strict alignment

Relaxed (default, aspf=r or adkim=r): Subdomains match. mail.example.com aligns with example.com.
Strict (aspf=s or adkim=s): Exact domain match required. mail.example.com does NOT align with example.com.

How DMARC works

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties together SPF and DKIM. It requires that at least one of SPF or DKIM both passes and aligns with the visible From domain. Passing SPF or DKIM alone is not enough — the domain that authenticated must match the domain the recipient sees.

DMARC policy ladder

p=none — Monitor mode. Messages are delivered regardless of DMARC result. Reports are still sent to the rua address.
p=quarantine — Failed messages are moved to the spam/junk folder. Used during rollout when you are gaining confidence.
p=reject — Failed messages are rejected outright. Full protection against spoofing and phishing on your domain.

Common DMARC failures

SPF passes but the envelope from domain is a subdomain or different domain than the From header.
DKIM passes but the d= domain is the ESP's domain (like amazonses.com) rather than your own domain.
Email forwarded through a mailing list that breaks SPF alignment and strips DKIM signatures.
Marketing tools sending from your domain without DKIM configured for that domain.

Free Deliverability Scan

Check SPF, DKIM, DMARC and List-Unsubscribe for your domain in seconds.