DMARC Alignment Failed, SPF Passed
"DMARC alignment failed, SPF pass" means the sending IP was authorized for the envelope domain, but that domain did not match the From: domain. Fix envelope-from or DKIM, not SPF.

Your mail gateway logs show spf=pass. The same message shows dmarc=fail (alignment). Gmail filed it in Spam anyway.

An agency in Austin sent onboarding mail through HubSpot last month. HubSpot's domain health panel showed SPF verified. Every outbound message used [email protected] in the From: header. The SMTP envelope said clientdomain.com.hubspotemail.net. SPF passed for HubSpot's bounce infrastructure. DMARC alignment failed because the authenticated domain was not the same organizational domain as the From: address under relaxed alignment rules.

That pattern, dmarc alignment failed spf pass, is the single most misunderstood deliverability failure we debug. Teams burn hours adding SPF includes when the record was already fine. The failure is alignment, not authorization.
SPF Pass vs. DMARC Alignment Pass
Two different questions
SPF asks: is this sending IP allowed to use this envelope domain?
DMARC asks: does the authenticated domain (from SPF or DKIM) align with the domain in the From: header that recipients see?
You can answer yes to the first and no to the second on the same message. That is not a contradiction. It is how ESP relay mail works out of the box.
What "alignment failed" means in headers
In Gmail's Authentication-Results you will often see:
spf=pass (google.com: domain of bounce.mailchimp.com designates ...)
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com
The parenthetical after dmarc=fail usually says alignment, not invalid DNS. Your DMARC record can be perfect. The domains still did not match.
Fix DMARC Alignment (Three Paths)
Open a delivered or spam-foldered copy in Gmail → Show original → Authentication-Results. Confirm spf=pass and dmarc=fail. Note which domain SPF authenticated (look for "domain of ... designates") and compare to header.from=.
Path A, SPF alignment: enable custom return path / authenticated domain in your ESP so MAIL FROM uses your domain (e.g. [email protected] or a subdomain you control). In Mailchimp: Domains → Authenticate → verify CNAME for DKIM and MAIL FROM. In SendGrid: Sender Authentication → domain authentication. Re-test until SPF authenticates yourdomain.com, not the ESP default.
Path B, DKIM alignment (often easier): enable DKIM signing on your domain in the ESP. Publish the selector CNAME or TXT at your DNS host (Cloudflare, GoDaddy, Route53). When dkim=pass aligns with header.from=, DMARC can pass even if envelope-from stays on the ESP bounce domain.
Publish or verify DMARC with relaxed alignment while debugging:
v=DMARC1; p=none; rua=mailto:[email protected]; adkim=r; aspf=r
Send a fresh test. Target: spf=pass or dkim=pass, plus dmarc=pass. If both SPF and DKIM pass but dmarc still fails, check for From: domain typos and for parent vs. subdomain mismatches under strict alignment (aspf=s or adkim=s in your DMARC record).
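The header check from the steps above as a script. This is an added example, not ZeroHook's or any ESP's code: it parses an Authentication-Results value and reports whether the SPF or DKIM pass is aligned with header.from under relaxed or strict mode. The sample headers, the example.com / example.net domains and the three-entry suffix set standing in for the Public Suffix List are constructed assumptions.

```python
import re

# Assumption: tiny stand-in for the Public Suffix List; use the full PSL in real tooling.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def org_domain(domain):
    """Organizational domain: the registrable name directly under the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return bool(a) and (a == f if mode == "s" else org_domain(a) == org_domain(f))

def parse(auth_results):
    """Yield (method, verdict, properties) for each spf/dkim/dmarc result."""
    for part in auth_results.split(";"):
        part = re.sub(r"\([^)]*\)", " ", part)  # drop parenthesised comments
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", part)
        if m:
            props = dict(re.findall(r"((?:smtp|header)\.\w+)=(\S+)", part))
            yield m.group(1), m.group(2), props

def alignment_report(auth_results, aspf="r", adkim="r"):
    """Report which passing mechanisms align with header.from."""
    results = list(parse(auth_results))
    from_dom = next(p["header.from"] for m, _, p in results if m == "dmarc")
    rep = {"header.from": from_dom, "spf_aligned": False, "dkim_aligned": False}
    for method, verdict, props in results:
        if verdict == "pass" and method == "spf":
            dom = props.get("smtp.mailfrom", "").split("@")[-1]
            rep["spf_aligned"] = aligned(dom, from_dom, aspf)
        elif verdict == "pass" and method == "dkim":
            # Gmail reports header.i=@domain; other receivers use header.d
            dom = (props.get("header.d") or props.get("header.i", "")).split("@")[-1]
            rep["dkim_aligned"] = rep["dkim_aligned"] or aligned(dom, from_dom, adkim)
    rep["dmarc_should_pass"] = rep["spf_aligned"] or rep["dkim_aligned"]
    return rep

# Constructed sample headers (documentation domains and IP, not real traffic).
ESP_DEFAULT = ("mx.google.com; spf=pass (google.com: domain of bounce@mail.esp-relay.example.net "
               "designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@mail.esp-relay.example.net; "
               "dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com")
DKIM_SIGNED = ("mx.google.com; dkim=pass header.i=@news.example.com header.s=k1; "
               + ESP_DEFAULT.split("; ", 1)[1].replace("dmarc=fail", "dmarc=pass"))

if __name__ == "__main__":
    print(alignment_report(ESP_DEFAULT), alignment_report(DKIM_SIGNED, adkim="s"))
```

With the DKIM-signed sample, relaxed mode aligns news.example.com with example.com, while adkim="s" does not: the parent vs. subdomain mismatch described above.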
Frequently Asked Questions
Can I fix alignment by changing SPF to ~all?
No.
HubSpot says my domain is connected. Why does dmarc still fail?
"Connected" often means tracking domain or partial DNS verification, not aligned DKIM plus envelope-from on every mail stream. Check whether marketing mail, transactional mail, and workflow mail use the same authenticated sending domain. We've seen teams fix campaigns but leave automated sequences on the default HubSpot bounce domain.
Is DKIM or SPF alignment better for ESP mail?
DKIM alignment is usually less painful because you do not have to move MAIL FROM off the ESP infrastructure. Publish the DKIM key, enable signing, confirm dkim=pass on header.from=. Many teams run both for redundancy.
Key takeaways
dmarc alignment failed spf pass means SPF validated one domain and From: showed another. The SPF record is not necessarily wrong.
Fix envelope-from (SPF alignment) or enable DKIM signing (DKIM alignment). Pick one path, test, then add the other.
Read Authentication-Results before editing DNS. The failing domain names are in the header, not your ESP summary dashboard.
Use relaxed alignment (adkim=r, aspf=r) while debugging, then tighten policy after aggregate reports look clean.
See which domain SPF, DKIM, and DMARC think you are sending from at zerohook.org/dns-visualizer before you add another useless include to your TXT record.
About the author

The ZeroHook Team breaks down DMARC alignment failures we see in production audits. Copy-paste fixes included where possible.


