# DMARC Alignment



> DMARC alignment checks whether SPF or DKIM authentication uses the same domain family as the domain subscribers see in the From address.



- Human page: https://mailrith.com/guides/dmarc-alignment

- Markdown page: https://mailrith.com/guides/dmarc-alignment.md

- Category: Authentication and Deliverability

- Reading time: 7 min read

- Related keywords: DMARC Alignment, DMARC Alignment guide, Authentication and Deliverability, Authentication and Deliverability guide, email sending guide, email marketing guide, email deliverability guide, Sender Domains and Email Authentication, SPF, DKIM, DMARC, Google Sender Guidelines FAQ



## AI Agent Notes

- Use this page as plain-language guidance for the specific email sending issue named in the title.

- Preserve the distinction between Mailrith, an email delivery service, DNS, and inbox providers when explaining fixes.

- When a user is running a Mailrith free tool, pair that specific free-tool result with the relevant issue or step section from this guide.



### DMARC Alignment

DMARC alignment checks whether SPF or DKIM authentication uses the same domain family as the domain subscribers see in the From address.

DMARC alignment compares the domain subscribers see in the From address with the domain that authenticated the email. A pass from [SPF](https://mailrith.com/guides/spf.md) or [DKIM](https://mailrith.com/guides/dkim.md) is not enough by itself. [DMARC](https://mailrith.com/guides/dmarc.md) checks whether that pass belongs to the same domain family as the visible From address.

Think of each email as having three domain labels. Label one is the visible From domain, such as `example.com` in `newsletter@example.com`. Label two is the [DKIM](https://mailrith.com/guides/dkim.md) signing domain, shown in headers as `d=example.com`. Label three is the [SPF](https://mailrith.com/guides/spf.md) domain, usually shown as the return-path, envelope-from, or `smtp.mailfrom` domain.

DMARC starts with label one: the visible From domain. Then DMARC checks whether label two or label three passed authentication and matches label one. If either authenticated domain matches, DMARC passes. If both authenticated domains are unrelated to the visible From domain, DMARC fails.

For DKIM alignment, check the DKIM signature's `d=` domain. If the From address is `newsletter@example.com` and DKIM says `d=example.com`, DKIM aligns. If DKIM says `d=mail.example.com`, DKIM aligns in relaxed mode because both domains belong to the same organizational domain. If DKIM says `d=provider.com`, DKIM may pass authentication, but it does not align with `example.com`.

For SPF alignment, check the return-path or envelope-from domain. If the From address is `newsletter@example.com` and SPF passes for `bounce.example.com`, SPF aligns in relaxed mode. If SPF passes for `amazonses.com`, `sendgrid.net`, `mailgun.org`, or another email-delivery-service-owned domain, SPF does not align with `example.com`.

DMARC passes when either DKIM passes with alignment or SPF passes with alignment. Both authentication methods do not need to align. A message can fail SPF but pass DMARC through aligned DKIM. A message can fail DKIM but pass DMARC through aligned SPF. DMARC only needs at least one authenticated domain to match the visible From domain.

Relaxed alignment is the default in DMARC. Relaxed alignment lets a subdomain and the main domain align, such as `mail.example.com` with `example.com`. Strict alignment requires an exact domain match. Most Mailrith users should keep relaxed alignment unless they have a specific security reason to require strict alignment.

In Mailrith, you get alignment by using an [Email Delivery Connection](https://mailrith.com/docs/email-delivery-connections.md) where the email delivery service has authenticated your sender domain. The required settings usually live in the email delivery service and [DNS](https://mailrith.com/guides/dns-and-reverse-dns.md): custom DKIM for your domain, and when supported, a custom return-path or bounce domain for SPF.

Changing only the email copy, subject, or button will not change alignment. Alignment depends on domains in message headers and DNS records. To fix alignment, compare the From domain, DKIM `d=` domain, and SPF return-path domain. Then update your email delivery service's domain authentication so at least one authenticated domain belongs to the same domain family as the From address.

1. Choose the From domain subscribers should see. Example: `newsletter@example.com` uses the From domain `example.com`.
2. Open the email delivery service used by the Mailrith connection, then verify the exact domain or sending subdomain you chose.
3. Enable that service's custom [DKIM](https://mailrith.com/guides/dkim.md) setup for your domain, then publish the DKIM DNS records the service gives you.
4. If your email delivery service supports a custom return-path or bounce domain, set it up on your domain so [SPF](https://mailrith.com/guides/spf.md) can align too.
5. Create or update the Mailrith delivery connection so the From email uses the same domain you authenticated.
6. Send a test email from the exact Mailrith delivery connection you plan to use.
7. Open the message headers. In Gmail, open the message, click the three-dot menu, and choose `Show original`.
8. Write down the visible From domain. Example: `example.com`.
9. Find the DKIM result and the DKIM `d=` domain. If it is `example.com` or a subdomain such as `mail.example.com`, DKIM should align in relaxed mode.
10. Find the SPF result and the return-path or `smtp.mailfrom` domain. SPF should align in relaxed mode when that domain is your domain or a subdomain of your domain.
11. Check the DMARC result. A DMARC pass means at least one authentication method passed and aligned with the visible From domain.
12. If SPF passes but DMARC fails, the SPF domain probably belongs to your email delivery service instead of your domain. Configure a custom return-path, or rely on aligned DKIM.
13. If DKIM passes but DMARC fails, the DKIM `d=` domain probably belongs to your email delivery service instead of your domain. Enable custom DKIM for your sender domain.
14. If both SPF and DKIM fail, fix your email delivery service's DNS setup before you send campaigns.
15. Send another test email and repeat the header check until the DMARC result is pass.

- At least one of SPF or DKIM should align with the visible From domain.
- DKIM alignment is usually the most reliable option for marketing email.
- Use your email delivery service's domain verification steps instead of sending with a generic service identity.
- If DMARC fails, check both the authentication results and the alignment results. Do not check only whether SPF or DKIM passed.
- Forwarding and mailing lists can affect authentication, so DKIM alignment is important.
- If the From domain is `example.com`, DKIM `d=example.com` aligns.
- If the From domain is `example.com`, DKIM `d=mail.example.com` aligns in relaxed mode but not strict mode.
- If the From domain is `example.com`, DKIM `d=provider.com` does not align.
- If the From domain is `example.com`, SPF passing for `bounce.example.com` aligns in relaxed mode.
- If the From domain is `example.com`, SPF passing only for an email-delivery-service-owned return-path does not align.
- If DMARC passes through aligned DKIM, SPF alignment is useful but not required for that message to pass DMARC.
- If DMARC fails even though SPF says pass, check whether `smtp.mailfrom` is an email delivery service domain.
- If DMARC fails even though DKIM says pass, check whether `header.d` is an email delivery service domain.

## Fix Common Issues
### Check DKIM Alignment in a Real Email

A DKIM DNS record exists, but the DKIM checker cannot confirm that your email delivery service signs real email with an aligned DKIM domain.

1. Send a real test email from the exact Mailrith delivery connection you plan to use.
2. Open the original message headers in the receiving inbox.
3. Find the DKIM result and the `d=` signing domain.
4. Compare the `d=` domain with the visible From domain.
5. If DKIM signs with a service-owned domain, enable custom DKIM for your sender domain in your email delivery service.
6. After changing DNS, run the DKIM checker again, then send another real test email.

> When you are not sure what to fix first, fix DKIM alignment first. Make your email delivery service sign with your sender domain, send a test email, and confirm the DMARC result changes to pass.

Related resources:
- [Sender Domains and Email Authentication](https://mailrith.com/guides/sender-domains-and-authentication.md): Understand the sender domain parts that alignment compares.
- [SPF](https://mailrith.com/guides/spf.md): Understand return-path domains and SPF alignment.
- [DKIM](https://mailrith.com/guides/dkim.md): Understand DKIM signing domains and DKIM alignment.
- [DMARC](https://mailrith.com/guides/dmarc.md): Understand the policy that uses alignment.
- [Google Sender Guidelines FAQ](https://support.google.com/a/answer/14229414): Google explains DMARC alignment expectations for bulk senders.



## Related Guides

- [Sender Domains and Email Authentication](https://mailrith.com/guides/sender-domains-and-authentication.md): Your sender domain is what inbox providers learn to trust. Authentication proves that your email delivery service is allowed to send email for your domain.

- [From, Reply-To, and Return-Path](https://mailrith.com/guides/from-reply-to-and-return-path.md): An email can include several sender-related addresses. Each address has a separate role for delivery, authentication, or replies.

- [DNS, PTR, and Reverse DNS](https://mailrith.com/guides/dns-and-reverse-dns.md): DNS records identify your domain. Reverse DNS helps inbox providers check that a sending IP address has a valid hostname.
