DMARC alignment: why your perfectly-configured domain still fails

By Jon Morby · 20 Apr 2026 · 5 min read

The domain owner is baffled. Everything is "correct." Nothing is working. Legitimate transactional mail is being rejected by receiving servers and landing in nobody's inbox.

Here's a configuration I see at least once a month:

  • SPF record present, correctly includes all sending services, well under the 10-lookup limit.
  • DKIM signing active on all sending infrastructure, 2048-bit keys, properly published.
  • DMARC record published at p=reject.
  • DMARC aggregate reports coming in showing 95%+ failure rates.

The problem is alignment. It's the single most under-explained concept in DMARC, and it's the reason most "properly configured" domains still fail.

What alignment means

DMARC doesn't just ask "did SPF pass?" or "did DKIM pass?" It asks "did SPF or DKIM pass and was the passing domain aligned with the From: header?"

Two domains are in play for every email: the From: header domain that the recipient sees, and the authenticated domain that SPF or DKIM verified. For DMARC to pass, those two have to match — that's alignment.

SPF is authenticated against the envelope sender, also called the Return-Path or MAIL FROM. This is different from the From: header. It's set by the sending infrastructure, often to a bounce-handling address at the ESP rather than at your own domain.

DKIM is authenticated against the d= tag in the DKIM signature, which is set by whichever system signed the message. If your ESP signs on your behalf with their own domain, the d= tag will be their domain, not yours.

Either of these can pass "successfully" — SPF says yes, DKIM says yes — and DMARC still fails, because the domain that passed isn't the domain in the From: header.

A concrete example

You send a marketing email through a third-party ESP. The relevant headers look like this:

From: marketing@yourdomain.com
Return-Path: bounces+12345@esp-infrastructure.com
DKIM-Signature: v=1; a=rsa-sha256; d=esp-infrastructure.com; s=default; ...

SPF is checked against esp-infrastructure.com. The ESP has published an SPF record for that domain listing their sending IPs. SPF passes.

DKIM verifies the signature using esp-infrastructure.com's public key. It's valid. DKIM passes.

Now DMARC runs. The From domain is yourdomain.com. The SPF-authenticated domain is esp-infrastructure.com. The DKIM-authenticated domain is also esp-infrastructure.com. Neither authenticated domain matches the From domain.

DMARC fails.

Both SPF and DKIM "passed" in their own technical sense. DMARC sees nothing aligned and rejects the message (if you're at p=reject) or quarantines it.

The two alignment modes

DMARC has two alignment settings, one for SPF (aspf=) and one for DKIM (adkim=). Each can be set to strict (s) or relaxed (r).

Strict alignment means the authenticated domain must exactly match the From domain. yourdomain.com in the From, yourdomain.com in the DKIM d= tag. That's it.

Relaxed alignment means the authenticated domain must match the organisational domain of the From address. If the From is marketing@mail.yourdomain.com and the DKIM d= tag is yourdomain.com, that's a relaxed match — they share the same base domain. This is the default.

Most people never need strict mode. Relaxed is fine and handles subdomain-based sending elegantly. But the important thing is that either way, the authenticated domain must share the base domain with the From — and in our example above, esp-infrastructure.com and yourdomain.com don't share anything.
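To make the concrete example and the two alignment modes tangible, here is a small evaluator written for this post (it is an added illustration, not code from the article or from any ESP or DMARC product). It pulls the From:, Return-Path and DKIM d= domains out of a raw message and applies the strict/relaxed rules. The raw SPF and DKIM verdicts are passed in by the caller, because verifying them for real needs DNS lookups and the signature; the organisational-domain helper assumes "last two labels", whereas a real evaluator consults the Public Suffix List. The messages are constructed to mirror the headers quoted above.

```python
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain):
    """Organisational domain used by relaxed alignment.

    Assumption: the last two labels form the organisational domain. A real
    DMARC evaluator uses the Public Suffix List, so that mail.example.co.uk
    resolves to example.co.uk rather than co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organisational domain)."""
    auth, hdr = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == hdr
    return org_domain(auth) == org_domain(hdr)


def header_domains(raw_message):
    """Extract the From: domain, the Return-Path (MAIL FROM) domain and the DKIM d= tag."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    spf_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    dkim_domain = ""
    for tag in msg.get("DKIM-Signature", "").split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "d":
            dkim_domain = value.strip()
    return from_domain, spf_domain, dkim_domain


def dmarc_evaluate(raw_message, spf_passed, dkim_passed, aspf="r", adkim="r"):
    """spf_passed / dkim_passed are the raw verdicts; DMARC passes only if at
    least one of them passed AND that identifier aligns with the From: domain."""
    from_domain, spf_domain, dkim_domain = header_domains(raw_message)
    spf_aligned = spf_passed and bool(spf_domain) and is_aligned(spf_domain, from_domain, aspf)
    dkim_aligned = dkim_passed and bool(dkim_domain) and is_aligned(dkim_domain, from_domain, adkim)
    return {
        "from_domain": from_domain,
        "spf_domain": spf_domain, "spf_aligned": spf_aligned,
        "dkim_domain": dkim_domain, "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


# Constructed headers mirroring the article's example: ESP signs with its own domain.
ESP_SIGNED = """From: marketing@yourdomain.com
Return-Path: <bounces+12345@esp-infrastructure.com>
DKIM-Signature: v=1; a=rsa-sha256; d=esp-infrastructure.com; s=default; bh=constructed; b=constructed

body
"""

# The same message once the ESP has been configured to sign as the customer's domain.
DOMAIN_SIGNED = ESP_SIGNED.replace("d=esp-infrastructure.com", "d=yourdomain.com")

# Sent from a subdomain: passes relaxed DKIM alignment, fails strict.
SUBDOMAIN_FROM = DOMAIN_SIGNED.replace("marketing@yourdomain.com", "marketing@mail.yourdomain.com")

if __name__ == "__main__":
    for label, raw in [("ESP-signed", ESP_SIGNED), ("domain-signed", DOMAIN_SIGNED),
                       ("subdomain From", SUBDOMAIN_FROM)]:
        print(label, dmarc_evaluate(raw, spf_passed=True, dkim_passed=True))
    print("subdomain From, adkim=s", dmarc_evaluate(SUBDOMAIN_FROM, True, True, adkim="s"))
```

Running it shows the ESP-signed message failing DMARC even though both raw checks are "pass", the domain-signed message passing on DKIM alone (SPF still points at the ESP), and the subdomain sender passing under relaxed mode but not under adkim=s. Passing spf_passed=False for the domain-signed message reproduces the forwarding case from later in the post: DKIM alignment carries it.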

How to actually fix it

You have three options, in order of preference.

Option 1: Configure your ESP to sign with your domain

Every reputable ESP — SendGrid, Mailchimp, Mailgun, Postmark, AWS SES, you name it — supports configuring DKIM signing with your own domain as the d= tag. They give you one or two DNS records to publish, usually CNAMEs pointing to their infrastructure. Once those are live, the ESP starts signing outbound mail with d=yourdomain.com instead of d=theirdomain.com.

This is the correct fix. Do this. It's free, it takes 10 minutes, and it's explicitly supported by every ESP that doesn't actively hate you.

Option 2: Use a subdomain dedicated to the ESP

Send transactional mail from notify.yourdomain.com, marketing from email.yourdomain.com, and so on. Each subdomain gets its own SPF and DKIM configuration tailored to the specific ESP. The From header uses the subdomain. The organisational domain still matches for DMARC relaxed alignment.

This is also correct, and has the bonus of isolating deliverability reputation between different types of mail — if your marketing ESP gets into reputation trouble, it doesn't drag down your transactional mail.

Option 3: Align SPF via custom Return-Path

Most ESPs also support configuring a custom Return-Path at your own domain (usually via a CNAME like bounces.yourdomain.com pointing at the ESP's bounce handling). This aligns SPF with your domain.

SPF alignment alone is usually enough for DMARC to pass — you only need one of SPF or DKIM to be aligned, not both. But DKIM alignment is more robust because SPF is frequently broken by forwarding (anyone who forwards your email to another address breaks SPF for the forwarded message). Rely on DKIM alignment as your primary; SPF alignment is belt-and-braces.

The subtlety nobody tells you about

Google Groups and mailing lists. Discussion forums that resend posts. Any system that modifies an email and forwards it.

These systems often re-sign the forwarded message with their own DKIM key, which means the original DKIM signature is still intact but the forwarded copy also has a new signature from d=mailinglistprovider.com. For DMARC purposes only the original From domain matters, and that original domain's DKIM usually still validates if the message body wasn't modified.

But if the mailing list adds a [LISTNAME] tag to the subject, or appends an unsubscribe footer, it has modified the message — and the original DKIM signature no longer validates. SPF is already broken by the forwarding. You have no aligned authentication. DMARC fails.

There's a whole separate spec for this, called ARC (Authenticated Received Chain), which chains signatures across forwarders so the final receiver can tell the message was legitimately forwarded. Google, Microsoft, and most major providers implement ARC. Most mailing list software does not. If your DMARC reports show failures on messages that look like they went through a list, this is why.

The practical answer is: don't worry about it unless it's a meaningful percentage of your mail flow. Your own sending infrastructure is what matters for DMARC enforcement. Mailing lists and forwarders are an acceptable minority failure case.

How to diagnose your own alignment

Look at your DMARC aggregate reports. Every report entry shows:

  • The source IP that sent the message
  • SPF result and the domain it was checked against
  • DKIM result and the d= domain from the signature
  • DMARC alignment status for both

The d= domain in the DKIM result and the envelope sender domain in the SPF result are the two things to check. If either matches your From domain (exactly for strict, organisationally for relaxed), you're aligned.

If your reports show a mess of ESP-domain DKIM signatures and ESP-domain envelope senders, you have an alignment problem that no amount of tuning your DMARC record will fix. You need to go back to each ESP and configure domain-aligned DKIM signing.
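The diagnosis above can be scripted. The following parser is an added example for this post, not code from the article or from DMARC Sentinel: it reads an aggregate (RUA) report in the RFC 7489 Appendix C layout, lists the SPF-checked domain and DKIM d= domain per source, takes the aligned verdicts from the receiver's policy_evaluated block, and labels each record as aligned, unaligned (raw SPF/DKIM passed for some other domain, so that ESP needs reconfiguring) or unauthenticated (nothing passed: forwarding, list traffic, or not your mail). The report below is constructed, with documentation-range IPs and the same ESP before and after domain-aligned signing was set up.

```python
import xml.etree.ElementTree as ET

# Constructed RUA report (RFC 7489 Appendix C shape); not a real receiver's output.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp-infrastructure.com</domain><selector>default</selector><result>pass</result></dkim>
      <spf><domain>esp-infrastructure.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.11</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>esp1</selector><result>pass</result></dkim>
      <spf><domain>esp-infrastructure.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def parse_records(report_xml):
    """One dict per <record>: raw auth results, the receiver's aligned verdicts, a diagnosis."""
    records = []
    for rec in ET.fromstring(report_xml).findall("record"):
        dkim_raw = [(_text(d, "domain"), _text(d, "result")) for d in rec.findall("auth_results/dkim")]
        spf_raw = [(_text(s, "domain"), _text(s, "result")) for s in rec.findall("auth_results/spf")]
        dkim_aligned = _text(rec, "row/policy_evaluated/dkim") == "pass"
        spf_aligned = _text(rec, "row/policy_evaluated/spf") == "pass"
        any_raw_pass = any(result == "pass" for _, result in dkim_raw + spf_raw)
        if dkim_aligned or spf_aligned:
            diagnosis = "aligned"
        elif any_raw_pass:
            diagnosis = "unaligned"        # passed for a foreign domain: reconfigure that sender
        else:
            diagnosis = "unauthenticated"  # nothing passed: forwarding, list traffic, or not yours
        records.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "header_from": _text(rec, "identifiers/header_from"),
            "dkim": dkim_raw, "spf": spf_raw,
            "dkim_aligned": dkim_aligned, "spf_aligned": spf_aligned,
            "diagnosis": diagnosis,
        })
    return records


def summarise(report_xml):
    """Message totals plus the foreign domains that passed raw auth without aligning."""
    summary = {"total": 0, "passed": 0, "unaligned_domains": set()}
    for r in parse_records(report_xml):
        summary["total"] += r["count"]
        if r["diagnosis"] == "aligned":
            summary["passed"] += r["count"]
        elif r["diagnosis"] == "unaligned":
            summary["unaligned_domains"].update(d for d, result in r["dkim"] + r["spf"] if result == "pass")
    return summary


if __name__ == "__main__":
    for r in parse_records(SAMPLE_REPORT):
        print(r["source_ip"], r["count"], r["diagnosis"], "dkim:", r["dkim"], "spf:", r["spf"])
    print(summarise(SAMPLE_REPORT))
```

The unaligned_domains set is the to-do list: each entry is an ESP still authenticating as itself rather than as your domain. Note that the script trusts the receiver's aligned verdicts rather than recomputing them, which sidesteps the Public Suffix List problem and matches what the report actually tells you.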

The free audit at dmarcsentinel.com doesn't parse live reports (that's the paid monitoring product) but it does identify several common alignment misconfigurations at the configuration level — multiple SPF records, DKIM selectors that exist but don't match the likely sending domain, and the general shape of your authentication setup. It's a good first-pass sanity check before you go deep on report analysis.

The one-paragraph summary

DMARC doesn't care if SPF and DKIM "passed." It cares if the domain that authenticated matches the domain in the From header. If you use third-party ESPs and haven't configured them to sign with your domain, your DMARC is failing no matter how perfectly your records are written. Fix it by configuring domain-aligned DKIM at every ESP, which is a supported feature on every ESP worth using and takes about 10 minutes each.


Jon Morby has run email and DNS infrastructure since the early 1990s. He built DMARC Sentinel after watching too many agencies discover their clients' email was going to spam the hard way.
