Troubleshooting DMARC alignment failures
Symptom-by-symptom diagnosis for SPF passes but DMARC fails, DKIM passes but DMARC fails, and related alignment problems.
DMARC alignment failures appear in your reports as records where SPF or DKIM passed authentication, but the DMARC result is still a failure. This happens when authentication passes for the wrong domain — one that doesn't match the From: header. Work through the symptom that matches what you're seeing.
SPF passes but DMARC fails
SPF authenticated the sending IP, but the envelope sender domain doesn't match your From: domain.
Check the envelope sender. The envelope sender (MAIL FROM / Return-Path) is what SPF evaluates. If your ESP sets the Return-Path to its own domain (for example, bounces.sendgrid.net instead of a subdomain of yours), SPF passes for the ESP's domain, not yours. This is a common default for many ESPs before custom Return-Path configuration.
Fix: configure a custom Return-Path. Most ESPs support a custom Return-Path or MAIL FROM domain that uses a subdomain of your own domain. Under relaxed SPF alignment (aspf=r, the default), mail.yourdomain.com matches yourdomain.com. See the vendor-specific setup guides for instructions.
If using strict alignment (aspf=s), the Return-Path domain must match the From: domain exactly. Subdomains won't pass. Relaxed mode is almost always correct for SPF.
DKIM passes but DMARC fails
DKIM signature validation succeeded, but the d= domain in the signature doesn't match your From: domain.
Check the d= value in the DKIM signature. If your ESP signs mail with their own domain (for example, d=sendgrid.net), DKIM passes for sendgrid.net, not your domain. This alignment failure is solved by enabling custom DKIM on your own domain through the ESP.
Check CNAME records for DKIM. Some ESPs use CNAME-based DKIM where your DNS CNAMEs point to their infrastructure. If those CNAMEs aren't published or aren't verified, the ESP may fall back to signing with their default domain or not signing at all.
If using strict DKIM alignment (adkim=s), the d= domain must match the From: header domain exactly. A signature with d=mail.yourdomain.com won't match From: user@yourdomain.com under strict mode. Under relaxed mode (the default), they match because both share the organizational domain yourdomain.com.
Both SPF and DKIM fail alignment
Neither the Return-Path domain nor the DKIM signing domain matches your From: domain.
Check that your sending service is configured. This usually means the service hasn't completed DKIM or Return-Path setup for your domain. The service is sending as your domain in the From: header but hasn't been authorized to do so through proper authentication.
Check that you're looking at the right service. The aggregate report records show the sending IP. Look up the IP to identify which service sent the message, then review that service's DMARC configuration.
Check for subdomain senders. If mail is going out from alerts.yourdomain.com but your DMARC record is at yourdomain.com, the subdomain inherits the p= policy but the alignment check uses the exact From: header domain. Make sure DKIM is configured for that subdomain specifically if your sending service supports it.
Alignment failures only for forwarded mail
Mail forwarded through a mailing list or relay often breaks SPF alignment because the forwarding server rewrites the Return-Path. DKIM may also fail if the forwarder modifies the message.
This is expected behavior for forwarded mail and isn't a misconfiguration on your part. Aggregate reports don't identify individual messages, so you can't distinguish forwarded mail from other failures directly in the report data. However, if failures are coming from a single source (for example, a mailing list IP range), and you recognize that source as a forwarding service, the failures are likely from forwarding rather than misconfiguration.
The practical implication: before moving to p=quarantine or p=reject, review your reports for legitimate forwarding sources. A small percentage of persistent failures from known mailing list infrastructure is normal and generally acceptable.
Alignment was passing and stopped
See DMARC alignment regression for diagnosis when alignment failures increase over time.
See also: SPF alignment: how the envelope sender matches the From header. DKIM alignment: how the DKIM signing domain matches the From header. Relaxed vs strict alignment: when subdomain matching applies.
API reference
Complete reference for the DMARCdrift read-only API: authentication, endpoints, response shapes, rate limits, and example requests.
What to do when DMARCdrift detects an unknown sender
How to review an unknown source, identify the sending service, and decide if it's expected, misconfigured, or spoofing.