
DMARC Fails Even Though SPF/DKIM Pass (Alignment Failure)

SPF and DKIM pass on the ESP's own domain but neither aligns with your visible From:, so DMARC fails.

What you see

Authentication-Results: mx.google.com;
 dkim=pass header.d=esp-mail.com;
 spf=pass smtp.mailfrom=bounces.esp-mail.com;
 dmarc=fail (p=NONE) header.from=example.com

What’s actually happening

This one confuses everyone the first time. Both SPF and DKIM show pass, yet dmarc=fail sits right under them. The reason is alignment: DMARC doesn't care that SPF/DKIM passed in the abstract — it checks whether the domain they passed for matches the From: domain the recipient sees. Mail blasted through an ESP often authenticates on the ESP's domain (header.d=esp-mail.com, smtp.mailfrom=bounces.esp-mail.com) while your From: is example.com. No match, no alignment, DMARC fails — and if your policy is p=quarantine or p=reject, the mail gets junked or bounced.

Common causes

  • The Return-Path / envelope sender is the ESP's bounce domain (bounces.esp-mail.com), so SPF passes for the ESP, not for you — that's SPF misalignment.
  • DKIM is signed with d=esp-mail.com instead of d=example.com, so DKIM passes but doesn't align with your From:.
  • You set up an ESP and never configured the custom/authenticated domain that aligns sending to your own domain.
  • DMARC requires only one of SPF or DKIM to align, and in this setup neither does.
  • Strict alignment mode (aspf=s / adkim=s) where a subdomain mismatch (mail.example.com vs example.com) breaks an otherwise-close match.
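To make the alignment rule concrete, here is an added example (not code from the original page) that pulls the three identifiers out of an Authentication-Results header and recomputes the DMARC verdict under relaxed or strict mode. It assumes Gmail's header layout for the regexes and uses a tiny hand-written stand-in for the Public Suffix List when finding the organizational domain; the sample headers are constructed, the first one mirroring the failing case above.

```python
import re

# Minimal stand-in for the Public Suffix List that real DMARC evaluators use
# to find the organizational domain (assumption: replace with a PSL library
# such as publicsuffix2 in anything beyond a demonstration).
_TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def org_domain(domain: str) -> str:
    """Organizational domain used by relaxed alignment (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """True if the authenticated domain aligns with the From: domain.
    's' (strict) demands an exact match; 'r' (relaxed, the default) accepts
    any domain sharing the organizational domain, e.g. bounce.example.com."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def parse_auth_results(header: str) -> dict:
    """Extract header.from, smtp.mailfrom and header.d (with their results)
    from an Authentication-Results header in Gmail's layout."""
    found = {}
    m = re.search(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", header)
    if m:
        found["dkim"] = (m.group(1), m.group(2))
    m = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=([\w.@-]+)", header)
    if m:
        # Some receivers report the full envelope address; keep only its domain.
        found["spf"] = (m.group(1), m.group(2).rsplit("@", 1)[-1])
    m = re.search(r"\bheader\.from=([\w.-]+)", header)
    if m:
        found["from"] = m.group(1)
    return found


def evaluate_dmarc(header: str, aspf: str = "r", adkim: str = "r") -> dict:
    """Re-derive the DMARC verdict: pass only if SPF or DKIM passed AND aligned."""
    r = parse_auth_results(header)
    from_domain = r["from"]
    dkim_result, dkim_domain = r.get("dkim", ("none", ""))
    spf_result, spf_domain = r.get("spf", ("none", ""))
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    return {
        "from": from_domain,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "dmarc": "pass" if (dkim_aligned or spf_aligned) else "fail",
    }


# Constructed headers. ESP_ONLY is the failing case described on this page.
ESP_ONLY = """Authentication-Results: mx.google.com;
 dkim=pass header.d=esp-mail.com;
 spf=pass smtp.mailfrom=bounces.esp-mail.com;
 dmarc=fail (p=NONE) header.from=example.com"""

# The ESP now signs as your domain; SPF is still on its own bounce domain.
DKIM_ALIGNED = """Authentication-Results: mx.google.com;
 dkim=pass header.d=example.com;
 spf=pass smtp.mailfrom=bounces.esp-mail.com;
 dmarc=pass (p=NONE) header.from=example.com"""

# Custom Return-Path on a subdomain, with the DKIM signature broken in transit.
SPF_SUBDOMAIN = """Authentication-Results: mx.google.com;
 dkim=fail header.d=example.com;
 spf=pass smtp.mailfrom=bounce.example.com;
 dmarc=pass (p=NONE) header.from=example.com"""

if __name__ == "__main__":
    for name, hdr in (("esp-only", ESP_ONLY), ("dkim-aligned", DKIM_ALIGNED),
                      ("spf-subdomain", SPF_SUBDOMAIN)):
        print(name, evaluate_dmarc(hdr))
    # Same message, but with aspf=s published: the subdomain no longer counts.
    print("spf-subdomain, aspf=s", evaluate_dmarc(SPF_SUBDOMAIN, aspf="s"))
```

Running it shows the ESP-only header failing even though both mechanisms passed, the DKIM-aligned header passing on DKIM alone, and the subdomain Return-Path passing under relaxed SPF alignment but failing the moment aspf=s is in the policy.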

How to fix it

  1. Read the alignment, not just the pass/fail.
     In the failing message compare three things: header.from (your From: domain), smtp.mailfrom (SPF domain), and header.d (DKIM domain). DMARC passes only if smtp.mailfrom OR header.d matches header.from. If both show the ESP's domain, that's your root cause.
  2. Align DKIM by signing with your domain.
     In the ESP, enable domain authentication / DKIM for example.com; they'll give you CNAME or TXT records to publish. Once outgoing mail is signed d=example.com, DKIM aligns with your From: and DMARC passes on the DKIM side. This is the most reliable fix because DKIM survives forwarding.
  3. Align SPF via a custom Return-Path.
     Set the ESP's bounce/Return-Path to a subdomain of yours (e.g. bounce.example.com) and publish the SPF record they require there. Now smtp.mailfrom is under example.com and SPF aligns. Relaxed alignment (the default) accepts the subdomain matching the org domain.
  4. Verify with a real send before touching policy.
     Send through the ESP to a Gmail inbox, open 'Show original', and confirm dmarc=pass. Do this while your policy is still p=none so you're not bouncing live mail during the fix.
  5. Use DMARC aggregate reports to catch other sources.
     Point rua= at a mailbox or a DMARC report parser. The XML reports list every sending source and whether it aligned, so you find the other tools failing DMARC that you forgot about before you raise the policy to quarantine or reject.
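For step 5, this added example (not the page's or any vendor's code) parses an aggregate report and separates sources whose passes were aligned from sources that authenticated only for someone else's domain, which is exactly the ESP situation described above. The report is a constructed sample in the RFC 7489 Appendix C layout, trimmed to the fields the check needs; the IPs and report id are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (rua) report. Record 1 is the ESP from this page:
# raw SPF and DKIM pass, but both for esp-mail.com, so neither is aligned.
# Record 2 is a source that already signs and bounces as example.com.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <report_id>constructed-report-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp-mail.com</domain><result>pass</result></dkim>
      <spf><domain>bounces.esp-mail.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.5</source_ip>
      <count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> list:
    """One dict per <record>: the source, its volume, whether its SPF/DKIM
    passes were aligned (policy_evaluated) and the raw results (auth_results)."""
    # Reports arrive from third parties; for real input use
    # defusedxml.ElementTree, a drop-in that refuses entity-expansion tricks.
    root = ET.fromstring(xml_text)
    summary = []
    for rec in root.iter("record"):
        # policy_evaluated already applies the published adkim/aspf mode.
        dkim_aligned = rec.findtext("row/policy_evaluated/dkim", default="fail") == "pass"
        spf_aligned = rec.findtext("row/policy_evaluated/spf", default="fail") == "pass"
        # auth_results holds the raw passes and the domain each one was for.
        raw = [(el.tag, el.findtext("domain", default=""), el.findtext("result", default=""))
               for el in rec.findall("auth_results/dkim") + rec.findall("auth_results/spf")]
        raw_pass = any(res == "pass" for _, _, res in raw)
        if dkim_aligned or spf_aligned:
            status = "aligned"
        elif raw_pass:
            status = "misaligned"      # authenticated, but for the wrong domain
        else:
            status = "unauthenticated"
        summary.append({
            "source_ip": rec.findtext("row/source_ip", default=""),
            "count": int(rec.findtext("row/count", default="0")),
            "disposition": rec.findtext("row/policy_evaluated/disposition", default=""),
            "header_from": rec.findtext("identifiers/header_from", default=""),
            "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned,
            "raw_results": raw,
            "status": status,
        })
    return summary


def misaligned_sources(xml_text: str) -> list:
    """(source_ip, count) for sources that passed SPF/DKIM without aligning,
    largest sender first: the list to work through before raising p=."""
    rows = [r for r in summarize_report(xml_text) if r["status"] == "misaligned"]
    rows.sort(key=lambda r: r["count"], reverse=True)
    return [(r["source_ip"], r["count"]) for r in rows]


if __name__ == "__main__":
    for row in summarize_report(SAMPLE_REPORT):
        print(row["source_ip"], row["count"], row["status"], row["raw_results"])
    print("fix these before enforcing:", misaligned_sources(SAMPLE_REPORT))
```

The "misaligned" bucket is the one to act on: each entry is a sender that is already authenticating correctly for some domain, so it needs domain authentication (step 2) or a custom Return-Path (step 3) rather than a new SPF include.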

Stop it recurring

For every ESP, configure domain authentication so DKIM signs as your domain and the Return-Path is a subdomain of yours, then confirm alignment before enforcing a p=quarantine/reject policy.
