
DMARC Alignment: What It Is and Why Authentication Fails Without It

DMARC alignment is the check that connects the domain visible in a message's From header to the domains verified by SPF and DKIM. SPF and DKIM can both pass on their own, yet the message still fails DMARC if neither authenticated domain matches the From domain. Alignment is the mechanism that closes that gap.

The problem alignment solves

SPF validates the domain in the Return-Path (envelope sender). DKIM validates the domain in the d= tag of the signature. Neither one cares about the From header that the recipient actually sees. An attacker can pass SPF using their own domain in the Return-Path, pass DKIM by signing with their own key, and still forge your domain in the From field. Without alignment, the recipient's mail server has no reason to object.

DMARC fixes this by requiring at least one of the two protocols to authenticate a domain that matches the From header. That match is alignment.

SPF alignment

SPF alignment compares the domain in the Return-Path with the domain in the From header. If the From header shows newsletter@example.com and the Return-Path is bounces@example.com, both share the domain example.com. SPF alignment passes.

If the Return-Path is bounces@esp-provider.com while the From header says newsletter@example.com, the domains differ. SPF alignment fails. This is the most common alignment failure in practice, because many ESPs use their own domain in the Return-Path by default.

DKIM alignment

DKIM alignment compares the domain in the d= tag of the DKIM signature with the domain in the From header. If the DKIM signature uses d=example.com and the From says newsletter@example.com, alignment passes.

A message can carry multiple DKIM signatures. DMARC needs only one of them to align with the From domain. If your ESP signs with both d=esp-provider.com and d=example.com, the second signature provides alignment even though the first does not.

Relaxed vs. strict mode

DMARC supports two alignment modes. In relaxed mode (the default), the organizational domains must match. That means mail.example.com aligns with example.com, because both share the same organizational domain.

In strict mode, the domains must match exactly. mail.example.com does not align with example.com under strict alignment. The DMARC record controls this with the aspf tag for SPF and adkim tag for DKIM. Both default to r (relaxed).

Most organizations stay on relaxed mode. Strict mode is useful when you want to prevent subdomains from being used in spoofing attempts, but it requires every sending source to match the exact From domain in its Return-Path or DKIM signature.

How DMARC evaluates the result

DMARC passes if at least one of two conditions is true: SPF passes and SPF alignment passes, or DKIM passes and DKIM alignment passes. Both conditions are checked independently. If SPF passes but its alignment fails, SPF contributes nothing to the DMARC result. The same logic applies to DKIM.

In practice this means you need at least one fully aligned authentication method. Many senders rely on DKIM alignment because DKIM signatures survive forwarding, while SPF often breaks when a message is relayed through an intermediate server.

Common alignment failures

ESP uses its own Return-Path domain. You send through an ESP, and the Return-Path shows bounce.esp.com instead of your domain. SPF passes for the ESP domain, but SPF alignment fails because the From header contains your domain. Fix: configure a custom Return-Path domain (sometimes called "envelope domain" or "bounce domain") that matches your From domain.

DKIM signed with ESP domain only. The ESP signs messages with its own d= domain and does not add a signature for your domain. DKIM passes but alignment fails. Fix: set up DKIM signing with your own domain in the ESP settings. This usually involves adding a CNAME record to your DNS.

Forwarding breaks SPF. When a message is forwarded (mailing list, alias, auto-forward), the forwarding server's IP is not in your SPF record. SPF fails entirely. If DKIM was also not aligned, DMARC fails. Fix: ensure DKIM alignment is in place. DKIM signatures persist through forwarding as long as the message body and signed headers remain intact.

Subdomain mismatch under strict mode. Your DMARC record specifies adkim=s, your From header uses news.example.com, but the DKIM d= tag says example.com. Under relaxed mode this would pass; under strict, it fails. Fix: either switch to relaxed mode or ensure the DKIM signing domain exactly matches the From domain.

How to check alignment

DMARC aggregate reports (rua) are the primary source. These XML reports, sent daily by receiving mail servers, show each message's SPF and DKIM results along with alignment status. Parsing raw XML is tedious, so most teams use a report analyzer (Postmark DMARC, dmarcian, Valimail, or similar).

For individual messages, check the Authentication-Results header. It shows the DMARC verdict along with SPF and DKIM pass/fail. Gmail, for example, includes a line like dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com. If it says dmarc=fail, alignment is the first thing to investigate.
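As an added example (not code from uChecker or from the original page), the Python below implements the evaluation rule from "How DMARC evaluates the result" and applies it to the SPF and DKIM identifiers parsed out of a constructed Authentication-Results header like the one just described; the mini public-suffix list and the header value are assumptions.

```python
import re

# Constructed mini public-suffix list; a real evaluator uses the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def organizational_domain(domain):
    """Registrable domain used by relaxed alignment: mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)

def aligned(auth_domain, from_domain, mode):
    """adkim/aspf 's' needs an exact match; 'r' needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)

def dmarc_verdict(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf is (result, mailfrom_domain) or None; dkim_sigs is a list of (result, d_domain).
    DMARC passes only if some method both passes and aligns with the From domain."""
    spf_ok = spf is not None and spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim) for r, d in dkim_sigs)
    return "pass" if spf_ok or dkim_ok else "fail"

def parse_auth_results(header):
    """Extract the SPF and DKIM identifiers from an Authentication-Results header."""
    spf, dkim_sigs = None, []
    for clause in header.split(";")[1:]:                  # clause 0 is the authserv-id
        clause = re.sub(r"\([^)]*\)", "", clause).strip()  # drop (comments) like (p=REJECT ...)
        if not clause:
            continue
        method_result, *props = clause.split()
        method, result = method_result.split("=", 1)
        prop = dict(p.split("=", 1) for p in props if "=" in p)
        if method == "spf" and "smtp.mailfrom" in prop:
            spf = (result, prop["smtp.mailfrom"].split("@")[-1])
        elif method == "dkim" and "header.d" in prop:
            dkim_sigs.append((result, prop["header.d"]))
    return spf, dkim_sigs

def verdict_for_header(header, from_domain, aspf="r", adkim="r"):
    spf, dkim_sigs = parse_auth_results(header)
    return dmarc_verdict(from_domain, spf, dkim_sigs, aspf, adkim)

# Constructed header: ESP Return-Path and ESP DKIM key, plus a second DKIM signature for the From domain.
AR_HEADER = ("Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounces@esp-provider.com; "
             "dkim=pass header.d=esp-provider.com header.s=s1; dkim=pass header.d=example.com header.s=k1")
if __name__ == "__main__":
    print(verdict_for_header(AR_HEADER, "example.com"))  # only the second DKIM signature aligns
```

Feeding the same header with adkim="s" and a From domain of news.example.com reproduces the strict-mode subdomain failure listed under "Common alignment failures".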

Practical recommendations

  • Set up DKIM signing with your own domain for every service that sends on your behalf. DKIM alignment is the most reliable path to DMARC compliance.
  • Configure a custom Return-Path domain on your ESP to achieve SPF alignment as a secondary mechanism.
  • Start with p=none and monitor aggregate reports. Move to p=quarantine and then p=reject only after all legitimate sources pass alignment.
  • Keep relaxed alignment unless you have a specific reason to use strict. Relaxed covers subdomains and avoids unnecessary failures.
  • Audit all sending sources periodically. A new tool or service added by another team can break alignment if not configured properly.

DMARC Alignment: What It Is and Why You Need It

DMARC alignment is the mechanism that ties the domain in a message's From header to the domains verified through SPF and DKIM. SPF and DKIM can both pass, but if neither authenticated domain matches the From domain, DMARC still fails.

How alignment works

SPF checks the domain from the Return-Path (envelope sender). DKIM checks the domain from the d= tag of the signature. Neither protocol looks at the From header that the recipient sees. An attacker can pass SPF with their own domain in the Return-Path, sign DKIM with their own key, and put your domain in From. DMARC alignment prevents this: it requires at least one protocol to confirm a domain that matches From.

Modes: relaxed and strict

In relaxed mode (the default), matching organizational domains is enough: mail.example.com aligns with example.com. Strict mode requires an exact match; a subdomain will not pass.

This is controlled by tags in the DMARC record: aspf=r|s for SPF and adkim=r|s for DKIM. Most organizations use relaxed; it covers subdomains and reduces the risk of false failures.

Typical alignment problems

The ESP uses its own domain in the Return-Path. You send through a mailing service, the Return-Path carries the service's domain, and From carries yours. SPF alignment will not pass. Solution: configure a custom bounce domain under your own domain.

DKIM is signed with the ESP's domain. The service signs messages with its own key, and d= contains its domain. DKIM passes, but alignment does not. Solution: add a DKIM signature with your own domain via a CNAME in DNS.

Mail forwarding. When messages pass through mailing lists or auto-forwarding, SPF breaks (the forwarding server's IP is not in your SPF record). If the DKIM signature is not aligned either, DMARC fails. Solution: rely on DKIM alignment as the primary method.

How to check alignment

DMARC aggregate reports (rua) show the SPF, DKIM and alignment results for each source. To analyze an individual message, look at the Authentication-Results header. If DMARC=fail, first check which domain is in the Return-Path and in the DKIM d= tag, and whether they match From.

uChecker verifies email addresses at the SMTP level and helps keep your list clean. A clean list combined with correctly configured DMARC alignment is the foundation of high deliverability.
