# DMARC Alignment > DMARC alignment checks whether SPF or DKIM authentication matches the domain subscribers see in the From address. - Human page: https://mailrith.com/guides/dmarc-alignment - Markdown page: https://mailrith.com/guides/dmarc-alignment.md - Category: Authentication and Deliverability - Reading time: 7 min read - Related keywords: DMARC Alignment, DMARC Alignment guide, Authentication and Deliverability, Authentication and Deliverability guide, email sending guide, email marketing guide, email deliverability guide, Sender Domains and Email Authentication, SPF, DKIM, DMARC, Google Sender Guidelines FAQ ## AI Agent Notes - Use this page as plain-language guidance for the specific email sending issue named in the title. - Preserve the distinction between Mailrith, an email delivery service, DNS, and inbox providers when explaining fixes. - When a user is running a free tool, pair the tool result with the relevant issue or step section from this guide. ### DMARC Alignment DMARC alignment checks whether SPF or DKIM authentication matches the domain subscribers see in the From address. DMARC alignment is the match between the domain subscribers see and the domain that actually authenticated the email. It is not enough for [SPF](https://mailrith.com/guides/spf.md) or [DKIM](https://mailrith.com/guides/dkim.md) to say pass. [DMARC](https://mailrith.com/guides/dmarc.md) asks whether that pass belongs to the same domain family as the visible From address. Think of every email as having three labels. Label one is the visible From domain, such as `example.com` in `newsletter@example.com`. Label two is the [DKIM](https://mailrith.com/guides/dkim.md) signing domain, shown in headers as `d=example.com`. Label three is the [SPF](https://mailrith.com/guides/spf.md) domain, usually shown as the return-path, envelope-from, or `smtp.mailfrom` domain. DMARC starts with label one: the visible From domain. Then it asks whether label two or label three passed authentication and matches label one. If either one matches, DMARC passes. If both are from unrelated domains, DMARC fails. For DKIM alignment, look at the DKIM signature's `d=` domain. If the From address is `newsletter@example.com` and DKIM says `d=example.com`, DKIM aligns. If DKIM says `d=mail.example.com`, it aligns in relaxed mode because both belong to the same organizational domain. If DKIM says `d=provider.com`, DKIM may pass, but it does not align with `example.com`. For SPF alignment, look at the return-path or envelope-from domain. If the From address is `newsletter@example.com` and SPF passes for `bounce.example.com`, SPF aligns in relaxed mode. If SPF passes for `amazonses.com`, `sendgrid.net`, `mailgun.org`, or another email-delivery-service-owned domain, it does not align with `example.com`. DMARC passes when either DKIM passes with alignment or SPF passes with alignment. Both do not need to align. A message can fail SPF but pass DMARC through aligned DKIM. A message can fail DKIM but pass DMARC through aligned SPF. What matters is that at least one authenticated domain matches the visible From domain. Relaxed alignment is the default in DMARC. It allows a subdomain and the main domain to align, such as `mail.example.com` with `example.com`. Strict alignment requires an exact match. Most Mailrith users should stay with relaxed alignment unless they have a specific security reason to be stricter. In Mailrith, you make alignment match by using an [Email Delivery Connection](https://mailrith.com/docs/email-delivery-connections.md) where the email delivery service has authenticated your sender domain. The important settings usually live in that service and [DNS](https://mailrith.com/guides/dns-and-reverse-dns.md): custom DKIM for your domain, and when available, a custom return-path or bounce domain for SPF. If you change only the email copy, subject, or button, alignment will not change. Alignment is about domains in headers and DNS records. To fix it, compare the From domain, DKIM `d=` domain, and SPF return-path domain, then change your email delivery service's domain authentication so at least one authenticated domain belongs to the same domain family as the From address. 1. Choose the From domain subscribers should see. Example: `newsletter@example.com` uses the From domain `example.com`. 2. Open the email delivery service used by the Mailrith connection and verify that exact domain or sending subdomain. 3. Enable that service's custom [DKIM](https://mailrith.com/guides/dkim.md) setup for that domain and publish the DKIM DNS records it gives you. 4. If your email delivery service supports a custom return-path or bounce domain, set it up on your domain so [SPF](https://mailrith.com/guides/spf.md) can align too. 5. Create or update the Mailrith delivery connection so the From email uses the same domain you authenticated. 6. Send a test email from the exact Mailrith delivery connection you plan to use. 7. Open the message headers. In Gmail, open the message, click the three-dot menu, and choose `Show original`. 8. Write down the visible From domain. Example: `example.com`. 9. Find the DKIM result and the DKIM `d=` domain. If it is `example.com` or a subdomain such as `mail.example.com`, DKIM should align in relaxed mode. 10. Find the SPF result and return-path or `smtp.mailfrom` domain. If it is your domain or a subdomain, SPF should align in relaxed mode. 11. Check the DMARC result. If DMARC passes, at least one of the aligned checks worked. 12. If SPF passes but DMARC fails, the SPF domain probably belongs to your email delivery service instead of your domain. Configure a custom return-path, or rely on aligned DKIM. 13. If DKIM passes but DMARC fails, the DKIM `d=` domain probably belongs to your email delivery service instead of your domain. Enable custom DKIM for your sender domain. 14. If both SPF and DKIM fail, fix your email delivery service's DNS setup before sending campaigns. 15. Send another test and repeat the header check until DMARC passes. - At least one of SPF or DKIM should align with the visible From domain. - DKIM alignment is usually the most reliable path for marketing email. - Use your email delivery service's domain verification steps instead of sending with a generic service identity. - If DMARC fails, check both authentication results and alignment, not only whether SPF or DKIM passed. - Forwarding and mailing lists can affect authentication, which is another reason DKIM alignment matters. - If the From domain is `example.com`, DKIM `d=example.com` aligns. - If the From domain is `example.com`, DKIM `d=mail.example.com` aligns in relaxed mode but not strict mode. - If the From domain is `example.com`, DKIM `d=provider.com` does not align. - If the From domain is `example.com`, SPF passing for `bounce.example.com` aligns in relaxed mode. - If the From domain is `example.com`, SPF passing only for an email-delivery-service-owned return-path does not align. - If DMARC passes through aligned DKIM, SPF alignment is still useful but not required for that message to pass DMARC. - If DMARC fails even though SPF says pass, check whether `smtp.mailfrom` is an email delivery service domain. - If DMARC fails even though DKIM says pass, check whether `header.d` is an email delivery service domain. ## Fix Common Issues ### Check DKIM Alignment in a Real Email A DKIM DNS record exists, but the checker cannot prove that your email delivery service is signing actual mail with an aligned DKIM domain. 1. Send a real test email from the exact Mailrith delivery connection you plan to use. 2. Open the original message headers in the receiving inbox. 3. Find the DKIM result and the `d=` signing domain. 4. Compare the `d=` domain with the visible From domain. 5. If DKIM signs with a service-owned domain, enable custom DKIM for your sender domain in your email delivery service. 6. Run the DKIM checker again after changing DNS, then send another real test email. > When you are unsure what to fix first, fix DKIM alignment first. Make your email delivery service sign with your sender domain, send a test, and confirm the DMARC result changes to pass. Related resources: - [Sender Domains and Email Authentication](https://mailrith.com/guides/sender-domains-and-authentication.md): Understand the sender domain pieces that alignment compares. - [SPF](https://mailrith.com/guides/spf.md): Understand return-path domains and SPF alignment. - [DKIM](https://mailrith.com/guides/dkim.md): Understand DKIM signing domains and DKIM alignment. - [DMARC](https://mailrith.com/guides/dmarc.md): Understand the policy that uses alignment. - [Google Sender Guidelines FAQ](https://support.google.com/a/answer/14229414): Google explains DMARC alignment expectations for bulk senders. ## Related Guides - [Sender Domains and Email Authentication](https://mailrith.com/guides/sender-domains-and-authentication.md): Your sender domain is the name inboxes learn to trust, and authentication proves that your email delivery service is allowed to send for it. - [From, Reply-To, and Return-Path](https://mailrith.com/guides/from-reply-to-and-return-path.md): An email has several sender-related addresses, and each one has a different job in delivery and replies. - [DNS, PTR, and Reverse DNS](https://mailrith.com/guides/dns-and-reverse-dns.md): DNS records identify your domain, while reverse DNS helps inboxes check whether a sending IP has a sensible hostname.