DMARC Alignment Explained: Why Authentication Alone Is Not Enough
A common frustration: you set up SPF and DKIM correctly, both pass when you test them, and yet DMARC still fails. The missing piece is almost always alignment. DMARC does not just check whether authentication passes — it checks whether the authenticated domain matches the domain in the From header. This matching requirement is called identifier alignment, and it is the mechanism that gives DMARC its power.
What DMARC actually checks
DMARC builds on top of SPF and DKIM, but it adds a critical layer that neither provides on its own: it ties authentication back to the domain visible to the end user.
Without DMARC, a sender could pass SPF for bounce-server.com while the From header shows yourbank.com. SPF would pass, but the email is spoofed. DKIM has a similar gap: a message could carry a valid DKIM signature from marketing-platform.com while claiming to be from yourbank.com.
DMARC closes this gap by requiring that at least one of these authenticated domains aligns with the domain in the From header. This is the core concept: authentication must be relevant to the identity the user sees.
Identifier alignment: the technical details
DMARC evaluates two types of alignment:
SPF alignment
SPF alignment compares the domain in the Return-Path (envelope sender) with the domain in the From header. The Return-Path is also known as the envelope-from, MAIL FROM, or bounce address. It is the address that receives bounces and is the domain SPF actually authenticates.
For SPF alignment to pass:
- SPF must pass (the sending IP must be authorized for the Return-Path domain)
- The Return-Path domain must align with the From header domain
Example that passes SPF alignment:
Return-Path: bounce@example.com
From: newsletter@example.com
SPF: pass (IP authorized for example.com)
Example that fails SPF alignment:
Return-Path: bounce@esp-provider.com
From: newsletter@example.com
SPF: pass (IP authorized for esp-provider.com)
In the second case, SPF passes for esp-provider.com, but the From header shows example.com. The domains do not align, so SPF alignment fails. This is extremely common with email service providers that use their own envelope sender domain.
DKIM alignment
DKIM alignment compares the domain in the DKIM-Signature d= tag with the domain in the From header. The d= value is the domain that claims responsibility for the signature.
For DKIM alignment to pass:
- The DKIM signature must validate (the cryptographic signature must be correct)
- The d= domain must align with the From header domain
Example that passes DKIM alignment:
DKIM-Signature: d=example.com; s=selector; ...
From: newsletter@example.com
Example that fails DKIM alignment:
DKIM-Signature: d=esp-provider.com; s=selector; ...
From: newsletter@example.com
The signature is valid, but it was signed by esp-provider.com, not example.com. DKIM alignment fails.
Relaxed vs strict alignment
DMARC offers two alignment modes, configurable independently for SPF and DKIM:
Relaxed alignment (default)
Relaxed alignment requires that the authenticated domain and the From domain share the same organizational domain (also called the root domain or registered domain). Subdomains are allowed to align with the parent domain and vice versa.
Examples of relaxed alignment passing:
- Return-Path: bounce@mail.example.com / From: info@example.com (both share example.com)
- DKIM d=example.com / From: news@sub.example.com (both share example.com)
- Return-Path: bounce@a.example.com / From: info@b.example.com (both share example.com)
Strict alignment
Strict alignment requires an exact match between the authenticated domain and the From domain. No subdomain matching is allowed.
Examples where strict alignment fails but relaxed would pass:
- Return-Path: bounce@mail.example.com / From: info@example.com (different domains under strict)
- DKIM d=example.com / From: news@sub.example.com (different domains under strict)
The DMARC record specifies alignment mode with the aspf and adkim tags:
v=DMARC1; p=reject; aspf=r; adkim=s;
In this example, SPF alignment is relaxed (aspf=r) and DKIM alignment is strict (adkim=s). If these tags are omitted, both default to relaxed.
Why most organizations should use relaxed alignment
Strict alignment sounds more secure, and in theory it is. But in practice, it breaks legitimate email flows more often than it catches attacks. Here is why:
- Subdomains for different services: organizations commonly send email from marketing.example.com, support.example.com, and billing.example.com. With strict DKIM alignment, each subdomain needs its own DKIM key, and each must exactly match the From domain.
- Third-party senders: email service providers often sign with a subdomain like em1234.example.com even when the From address uses example.com. This passes relaxed alignment but fails strict.
- Low additional security: an attacker who can spoof example.com can likely also spoof sub.example.com. Strict alignment mostly catches configuration errors, not attacks.
For a thorough overview of DMARC policy choices and the risks of overly aggressive enforcement, see Why Strict DMARC Rejection Is Not Always Right.
Common alignment failure scenarios
Email service providers with default configuration
When you use an ESP like Mailchimp, SendGrid, or HubSpot without custom authentication, they typically send with:
- Return-Path using their own domain (e.g., bounce.esp-provider.com)
- DKIM signed with their own domain (e.g., d=esp-provider.com)
- From header using your domain (e.g., you@example.com)
Both SPF and DKIM pass, but neither aligns with your From domain. DMARC fails. The fix is to configure custom authentication: set up a custom Return-Path domain and DKIM signing domain that align with your From domain. Most ESPs provide instructions for this.
Email forwarding and SPF alignment
This is the most common alignment failure in the wild. When email is forwarded:
- The original sender passes SPF with their own domain
- The forwarder relays the message from its own IP
- SPF now checks the forwarder's IP against the original sender's domain — and fails
- Even if the forwarder uses SRS (rewriting the Return-Path to their domain), SPF alignment fails because the Return-Path domain no longer matches the From header
However, DKIM alignment is preserved during forwarding, as long as the message content is not modified. The DKIM signature was created by the original sender, the d= tag still matches the From domain, and the signature validates. This is why DKIM is the primary authentication mechanism for forwarded email.
Mailing lists that modify content
Mailing lists (like those run by Mailman, Google Groups, or LISTSERV) often modify messages: adding footers, rewriting the Subject line, or changing the From header. These modifications break DKIM signatures. If the list also rewrites the From header to use the list domain, both SPF and DKIM alignment fail for the original sender's domain.
Modern mailing lists handle this by either wrapping the original message (preserving DKIM) or rewriting the From header to the list domain and re-signing with DKIM for the list domain.
Auto-forwarding rules in mailboxes
When a user sets up auto-forwarding in Gmail, Outlook, or another provider, the forwarding server sends from its own IP. SPF fails for the original domain, and SRS (if used) breaks SPF alignment. DKIM usually survives because the message content is typically not modified.
This is a major reason why DMARC with p=reject causes problems for forwarded email. The original sender's DMARC policy says to reject unauthenticated messages, but forwarding makes the message appear unauthenticated even though it is legitimate.
Debugging alignment failures
When DMARC fails, check alignment specifically, not just authentication. Here is a systematic approach:
- View the raw headers — Look at Authentication-Results for the detailed DMARC evaluation. It will typically show whether SPF and DKIM individually passed and whether alignment passed.
- Compare domains — Check the Return-Path domain, the DKIM d= domain, and the From header domain. Do any of them match (or share an organizational domain)?
- Check the DMARC record — Is the alignment mode relaxed or strict? Could switching to relaxed fix the issue?
- Review DMARC aggregate reports — These XML reports show alignment results for every message. They are the best tool for identifying systematic alignment failures.
A typical Authentication-Results header showing alignment details:
Authentication-Results: mx.receiver.com;
dmarc=fail (p=reject dis=none) header.from=example.com;
spf=pass smtp.mailfrom=different-domain.com;
dkim=pass header.d=example.com header.s=selector
In this case, SPF passes but does not align (different-domain.com vs example.com). DKIM passes and aligns (both example.com). Since DKIM alignment passes, DMARC should pass in this scenario, even though the header as shown reports dmarc=fail. If a real evaluation fails with these results, check whether strict alignment is configured and the DKIM d= domain is a subdomain of the From domain rather than an exact match.
Alignment and multiple DKIM signatures
A message can carry multiple DKIM signatures. This is common when a message passes through an ESP that adds its own signature alongside the sender's. DMARC only needs one DKIM signature to pass and align. If the sender signed with d=example.com and the ESP signed with d=esp.com, DMARC uses the one that aligns with the From domain.
This is important for email service providers: even if you add your own DKIM signature, make sure the customer's domain-aligned signature is preserved. Both signatures can coexist.
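As an added example (not code from the original article), the following Python evaluates DMARC alignment the way the sections above describe: it parses an Authentication-Results header such as the one shown earlier, checks the SPF result and every DKIM result against header.from under relaxed (r) or strict (s) mode, and reports a pass when any one aligned mechanism passes, so multiple DKIM signatures are handled. The organizational-domain lookup uses a constructed, abbreviated suffix set in place of the Public Suffix List that DMARC (RFC 7489) relies on; the second header is a constructed sample.

```python
import re
# Constructed, abbreviated stand-in for the Public Suffix List that DMARC uses to
# find the organizational domain; production code should load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def organizational_domain(domain):
    """Registered domain per the suffix list: mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else ".".join(labels)
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)

def parse_authentication_results(header):
    """Extract header.from, the SPF result/MAIL FROM domain, and every DKIM result/d= domain."""
    text = " ".join(header.split())  # unfold the multi-line header
    from_domain = re.search(r"header\.from=([\w.-]+)", text).group(1)
    spf = re.search(r"\bspf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", text)
    dkims = re.findall(r"\bdkim=(\w+)\s+header\.d=([\w.-]+)", text)
    return from_domain, (spf.groups() if spf else None), dkims

def dmarc_result(header, aspf="r", adkim="r"):
    """DMARC passes when SPF or any one DKIM signature both passes and aligns with header.from."""
    from_domain, spf, dkims = parse_authentication_results(header)
    spf_ok = spf is not None and spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim) for res, d in dkims)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# The Authentication-Results header shown in the article.
ARTICLE_HEADER = """Authentication-Results: mx.receiver.com;
 dmarc=fail (p=reject dis=none) header.from=example.com;
 spf=pass smtp.mailfrom=different-domain.com;
 dkim=pass header.d=example.com header.s=selector"""

# Constructed variant: the ESP signed with a subdomain, so only relaxed DKIM alignment holds.
SUBDOMAIN_HEADER = """Authentication-Results: mx.receiver.com;
 spf=pass smtp.mailfrom=bounce.esp-provider.com;
 dkim=pass header.d=em1234.example.com header.s=esp;
 dmarc=fail header.from=example.com"""
if __name__ == "__main__":
    print(dmarc_result(ARTICLE_HEADER))               # SPF not aligned, DKIM aligned -> pass
    print(dmarc_result(SUBDOMAIN_HEADER, adkim="r"))  # relaxed -> pass
    print(dmarc_result(SUBDOMAIN_HEADER, adkim="s"))  # strict -> fail
```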
How Cleanbox handles alignment
When Cleanbox processes email, it preserves the original DKIM signatures to maintain DKIM alignment for the sender's domain. For forwarded messages, SRS rewrites the envelope sender, which means SPF alignment with the original domain is intentionally broken (this is a necessary trade-off — see the complete authentication guide for details). However, DKIM alignment remains intact because Cleanbox does not modify message content or headers that are covered by the DKIM signature.
This means forwarded email through Cleanbox relies on DKIM alignment for DMARC, which is the correct and expected behavior for any forwarding service. Messages from senders who sign with DKIM (which includes the vast majority of legitimate senders today) will pass DMARC through DKIM alignment even though SPF alignment is lost during forwarding.