DMARC Alignment Issues: How To Diagnose and Fix Them

DMARC alignment issues overview:

  • A message can pass SPF and DKIM and still fail DMARC.
  • Most DMARC alignment issues are misconfigured legitimate senders, not attackers.
  • Always confirm alignment is passing before moving to p=quarantine or p=reject.
  • Alignment gaps reappear as your sending environment changes – monitoring is essential.

A DMARC alignment failure means the domains authenticated by SPF and DKIM don’t match the visible “From” domain. This page explains how to identify DMARC alignment issues and fix them.

Sendmarc shows you exactly which senders are failing alignment and why – so you can fix issues before moving to enforcement.

What a DMARC Alignment Failure Means

DMARC doesn’t just check whether SPF or DKIM passes. It also checks whether the authenticated domain aligns with the visible “From” domain – the address the recipient sees in their email client. This is called identifier alignment.

For a message to pass DMARC, at least one of the following must be true:

  1. The domain in the SPF-authenticated envelope sender matches the “From” domain.
  2. The domain in the DKIM signature’s d= tag matches the “From” domain.

A message can pass SPF and DKIM and still fail DMARC if neither ties back to the “From” domain in the header.

How To Identify DMARC Alignment Issues in Reports

DMARC aggregate reports (RUA) provide authentication results for all emails processed by receiving servers. They are delivered as XML files to the address specified in the rua= tag of your DMARC record.

Each report includes a breakdown for every sending source, showing the SPF result, DKIM result, and the policy applied. The fields to focus on are:

  • <spf> – Whether SPF passed or failed
  • <dkim> – Whether DKIM passed or failed
  • <disposition> – What action the receiver took on the message: none, quarantine, or reject (the same values used in the p= tag)
  • <source_ip> – The sending IP address – use this to identify which source generated the traffic

Look for sending sources with consistent alignment failures across multiple messages. Isolated failures may be transient. Recurring failures from the same source IP indicate a misconfigured sender that needs to be fixed before you move to enforcement.
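The triage described above can be scripted. The following is an added example, not code from this article or from Sendmarc: it reads an aggregate report in the RFC 7489 layout and lists source IPs with recurring alignment failures, together with the domains that did authenticate. The function name, the `min_messages` threshold, the sample report, and the assumption that the report carries no XML namespace are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (RFC 7489 aggregate layout); IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>mailer.example.org</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>25</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>esp.example.net</domain><result>pass</result></dkim>
   <spf><domain>bounce.esp.example.net</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.5</source_ip><count>1</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>temperror</result></spf></auth_results>
 </record>
</feedback>"""

def failing_sources(xml_text, min_messages=10):
    """Map source_ip -> failed message count and the domains that did authenticate."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("reports arrive from outside; refuse DTD/entity declarations")
    totals = defaultdict(lambda: {"failed": 0, "authenticated_as": set()})
    for rec in ET.fromstring(xml_text).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        # policy_evaluated holds the *aligned* results; one pass is enough for DMARC
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            continue
        entry = totals[rec.findtext("row/source_ip")]
        entry["failed"] += int(rec.findtext("row/count"))
        # auth_results holds the raw results and the domain each one authenticated
        for mech in ("dkim", "spf"):
            for auth in rec.findall(f"auth_results/{mech}"):
                if auth.findtext("result") == "pass":
                    entry["authenticated_as"].add((mech, auth.findtext("domain")))
    # keep recurring failures only; isolated ones may be transient
    return {ip: e for ip, e in totals.items() if e["failed"] >= min_messages}
```

A source whose `authenticated_as` set lists a provider domain is the typical legitimate sender that passes SPF and DKIM under its own identifiers and still fails DMARC for yours.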

Common Causes of DMARC Alignment Issues

Most DMARC alignment issues trace back to one of three configuration problems. Identifying the correct cause determines the fix.

  • Misconfigured SPF Record – The sending IP isn’t listed in the SPF record. This is common when a new third-party platform is added without updating the DNS.
  • Incorrect DKIM Signature – A sender isn’t signing outbound email with your domain’s DKIM key. The message may carry the provider’s own DKIM signature, which doesn’t align with your “From” domain.
  • Subdomain Confusion – Under strict mode, mail.example.com doesn’t align with example.com. If your sending infrastructure uses subdomains, strict alignment may cause failures.
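To see the alignment rule and the strict-mode subdomain case on an actual message, the added example below (not code from this article or from Sendmarc) extracts the Return-Path domain, the DKIM d= domain and the “From” domain from raw headers and compares them in relaxed or strict mode. The sample message and all function names are constructed, and `org_domain` is a labelled simplification that stands in for a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a third-party platform sending as example.com with its own identifiers.
SAMPLE_MESSAGE = """\
Return-Path: <bounce-123@bounce.esp.example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=esp.example.net; s=sel1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Billing <billing@example.com>
Subject: Invoice

Constructed body.
"""

def org_domain(domain):
    # ASSUMPTION: "last two labels" stands in for a Public Suffix List lookup,
    # which a real evaluator needs (this is wrong for suffixes such as co.uk).
    return ".".join(domain.split(".")[-2:])

def is_aligned(auth_domain, from_domain, strict):
    if not auth_domain:
        return False
    if strict:
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def domain_of(address):
    return parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")

def alignment_report(raw_message, strict=False):
    """Compare the SPF and DKIM identifiers with the header From domain.
    Checks alignment only: it does not verify that SPF or DKIM actually pass."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    spf_domain = domain_of(msg.get("Return-Path", ""))
    dkim_domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        tag = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", sig)
        if tag:
            dkim_domains.append(tag.group(1).lower())
    spf_ok = is_aligned(spf_domain, from_domain, strict)
    dkim_ok = any(is_aligned(d, from_domain, strict) for d in dkim_domains)
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "could_pass_dmarc": spf_ok or dkim_ok}
```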

How To Fix DMARC Alignment Issues

Work through these steps in order. Do not move your DMARC policy to p=quarantine or p=reject until you have confirmed that all legitimate senders are aligned.

  1. Identify the Failing Sender – Use DMARC aggregate reports to find the source IP generating alignment failures. Cross-reference the IP against your list of authorized sending services – CRMs, HR platforms, marketing tools, and transactional systems.
  2. Fix SPF Alignment – Confirm all sending IPs for the identified service are listed in your SPF DNS record. Add any missing IPs or include: mechanisms. Confirm the Return-Path domain matches your “From” domain, or shares the same organizational domain if you’re using relaxed alignment.
  3. Fix DKIM Alignment – Configure the sending service to sign outbound messages with your domain’s DKIM key, not the provider’s. This requires generating a DKIM key pair, publishing the public key in a DNS TXT record, and configuring the sending service to sign with the private key.
  4. Test Before Enforcing – DNS changes can take up to 48 hours to propagate. Once they have, verify the fix using DMARC aggregate reports or a DMARC record checker. Confirm the sender shows a passing DMARC result before moving your policy to p=quarantine or p=reject.

Moving to enforcement without confirming alignment will cause legitimate messages to be blocked or filtered. Repeat this process for each failing sender identified in your aggregate reports.

How Sendmarc Helps You with Alignment Failures

Fixing individual alignment issues is one part of email authentication. As your sending environment grows – with additional business units, SaaS tools, and regional platforms – alignment gaps will reappear without continuous monitoring and governance.

Sendmarc’s enterprise DMARC solution provides teams with:

  • DMARC Management – Track alignment status across all sending sources and domains. Manage policy progression systematically, with visibility into which senders are blocking a move to p=reject.
  • SPF Maintenance – Keep SPF records accurate and up to date as authorized senders are added or changed. Outdated or incomplete SPF records are a common source of alignment failures.
  • DKIM Support – Confirm signing keys are correctly deployed across all sending services. Identify senders signing with a provider domain instead of your own.
  • Centralized Visibility – Expose unauthorized senders across all domains and services before they break authentication or impersonate your company.

Sendmarc takes you from initial visibility to full enforcement, across all your domains.