Domain alignment — the invisible check
SPF and DKIM can both pass while DMARC fails. Welcome to the alignment trap, where the From: header and the auth domains have to match.
Email has multiple "from" fields. The SMTP envelope sender (Mail-From / Return-Path), the DKIM d= tag, and the From: header that the user actually sees. DMARC requires the visible From: header to align with one of the auth domains. If they disagree, both SPF and DKIM can pass and DMARC still fails.
The three "from" fields
- Envelope-From (Return-Path) — used by SPF. Receivers bounce to this address. Often a vendor-rotated address.
- DKIM d= — the domain whose key signed the message. Set by the sending platform.
- From: header — the visible sender. The only address users see.
Strict vs relaxed alignment
- Strict (s) — domain must match exactly. acme.dev vs send.acme.dev fails.
- Relaxed (r, default) — same organisational domain matches. acme.dev vs send.acme.dev passes.
Use relaxed unless you have a specific reason to enforce strict — almost no one does.
How alignment fails
The most common failure: a third-party sender (CRM, support tool, transactional vendor) signs with their own DKIM domain (d=mailgun.org) and bounces to their own envelope (postmaster@mailgun.org). The From: header still says you@acme.dev. Both SPF and DKIM pass — but neither aligns with acme.dev. DMARC fails.
How to fix it
- Configure the vendor to bounce to a custom Return-Path on your domain (most vendors call this "custom envelope" or "branded sending").
- Configure the vendor to sign DKIM with your domain, not theirs (custom DKIM selector pointing to a CNAME on your DNS).
- Either of those alone produces alignment on at least one auth method; as long as that method also passes (e.g. the vendor's sending hosts are actually authorised in your SPF record), that is enough for DMARC to pass.
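As an added example (not from the original article), the following Python reproduces the alignment decision on two constructed messages: the vendor-default case described under "How alignment fails" and the branded case after the fixes above. It assumes the SPF and DKIM pass/fail outcomes are already known from the receiver's own checks, and it approximates the organisational domain with the last two labels rather than the Public Suffix List.

```python
import email
import email.utils
import re

# Constructed sample: vendor defaults. From: is acme.dev, but both the
# Return-Path and the DKIM d= belong to the vendor (mailgun.org).
VENDOR_DEFAULT = """Return-Path: <bounce-123@mailgun.org>
From: Alice <you@acme.dev>
To: bob@example.net
Subject: Your invoice
DKIM-Signature: v=1; a=rsa-sha256; d=mailgun.org; s=k1; bh=CONSTRUCTED; b=CONSTRUCTED

Invoice attached.
"""

# Constructed sample: same vendor after a custom Return-Path (mg.acme.dev)
# and a custom DKIM domain (send.acme.dev) have been configured.
VENDOR_BRANDED = """Return-Path: <bounce-123@mg.acme.dev>
From: Alice <you@acme.dev>
To: bob@example.net
Subject: Your invoice
DKIM-Signature: v=1; a=rsa-sha256; d=send.acme.dev; s=k1; bh=CONSTRUCTED; b=CONSTRUCTED

Invoice attached.
"""

def org_domain(domain):
    """Organisational domain. Real DMARC evaluators consult the Public Suffix
    List; this simplification keeps the last two labels, which is right for
    acme.dev / send.acme.dev and wrong for suffixes like co.uk."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def is_aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(raw_message, spf_result, dkim_result, aspf="r", adkim="r"):
    """Return (dmarc_pass, spf_aligned, dkim_aligned) for one message.
    DMARC passes only if some identifier BOTH passes its check AND aligns."""
    msg = email.message_from_string(raw_message)
    from_domain = email.utils.parseaddr(msg["From"])[1].rpartition("@")[2]
    envelope_domain = email.utils.parseaddr(msg["Return-Path"])[1].rpartition("@")[2]
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = m.group(1) if m else ""
    spf_aligned = is_aligned(envelope_domain, from_domain, aspf)
    dkim_aligned = bool(dkim_domain) and is_aligned(dkim_domain, from_domain, adkim)
    dmarc_pass = (spf_result == "pass" and spf_aligned) or \
                 (dkim_result == "pass" and dkim_aligned)
    return dmarc_pass, spf_aligned, dkim_aligned
```

Run `dmarc_evaluate(VENDOR_DEFAULT, "pass", "pass")` to see both methods pass yet DMARC fail, and the same call on `VENDOR_BRANDED` to see it pass under relaxed alignment; switching to `aspf="s", adkim="s"` makes the branded subdomains fail again.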