DMARC alignment failed — SPF passed
When SPF passes but DMARC fails, the domain that authenticated (the envelope-from for SPF, or d= for DKIM) does not align with the header From domain under the alignment mode (strict or relaxed) set in your DMARC policy. Receivers then treat the message as unauthenticated for DMARC purposes.
Quick fix (3 steps)
1. Inspect Authentication-Results on a failing message: note whether SPF or DKIM passed and which domains were checked.
2. Align envelope-from with your From domain (custom bounce domain on ESP/M365) or enable DKIM signing where d= matches the From domain.
3. Verify your DMARC record uses the correct adkim/aspf mode; start with relaxed alignment during rollout if multiple subdomains send mail.
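The alignment check behind these steps, as an added example (not code from the original page): it parses an Authentication-Results header and evaluates SPF and DKIM alignment against the From domain under the aspf/adkim modes. The header strings, function names and the small public-suffix set are constructed for illustration; real receivers consult the full Public Suffix List.

```python
import re

# Assumption: tiny stand-in for the Public Suffix List, enough for the samples.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

# Constructed sample headers (not taken from real mail).
FAILING = ("mx.example.org; spf=pass smtp.mailfrom=bounces.example.net; "
           "dkim=pass header.d=example.net; dmarc=fail header.from=example.com")
FIXED = ("mx.example.org; spf=pass smtp.mailfrom=bounces.example.net; "
         "dkim=pass header.d=mail.example.com; dmarc=pass header.from=example.com")

def org_domain(domain):
    """Organizational domain: the longest known public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is unknown

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), anything else = relaxed (org match)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_auth_results(header):
    """Return (spf_result, mailfrom_domain) or None, and a list of DKIM pairs."""
    spf = re.search(
        r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", header)
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([^\s;]+)", header)
    return (spf.groups() if spf else None), dkim

def dmarc_eval(header, from_domain, aspf="r", adkim="r"):
    """DMARC passes if SPF or DKIM both passes and aligns with From."""
    spf, dkim = parse_auth_results(header)
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim) for r, d in dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

if __name__ == "__main__":
    print("ESP defaults:     ", dmarc_eval(FAILING, "example.com"))
    print("custom DKIM d=:   ", dmarc_eval(FIXED, "example.com"))
    print("same, adkim=s:    ", dmarc_eval(FIXED, "example.com", adkim="s"))
```

The third case shows why strict mode matters during rollout: a signature with d=mail.example.com satisfies relaxed alignment for From example.com but not strict.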
Common questions
Why does SPF pass but DMARC fail?
SPF validates the envelope-from (Return-Path), while DMARC requires that domain — or the DKIM d= domain — to align with the visible From header domain.
Does relaxed alignment help?
Relaxed alignment (default) allows organizational domain matches (e.g., mail.example.com aligns with example.com). Strict requires the domains to match exactly, subdomain included.
Which fix is faster: SPF or DKIM alignment?
For ESP relay mail, custom DKIM signing often fixes alignment fastest. For M365/Google, ensure the primary domain signs and envelope-from matches.