TL;DR: DMARC alignment means the domain a recipient sees in your "From" address must match the domain that passed SPF or DKIM. SPF or DKIM passing isn't enough on its own — it has to align with your visible From domain. This is why mail can show spf=pass yet dmarc=fail. Scan your domain free to check your setup.
Why alignment exists
Without alignment, an attacker could pass SPF/DKIM for their own domain while putting your domain in the visible From — and DMARC would be useless. Alignment closes that gap by requiring the authenticated domain and the From domain to be the same (or, under relaxed alignment, to share the same organisational domain). DMARC passes only if SPF or DKIM passes and aligns.
SPF alignment vs DKIM alignment
- SPF alignment: the domain in the hidden "envelope" (Return-Path) matches your From domain.
- DKIM alignment: the d= domain in the DKIM signature matches your From domain.
You only need one of them to pass and align for DMARC to pass.
Relaxed vs strict
| Mode | What aligns |
|---|---|
| Relaxed (default) | The organisational domain matches — mail.yourdomain.com aligns with yourdomain.com. |
| Strict | The domain must match exactly — no subdomains. |
Set with aspf= (SPF) and adkim= (DKIM) in your DMARC record, each r (relaxed) or s (strict). Relaxed is right for most senders.
The classic "SPF passes but DMARC fails"
This almost always means SPF passed for a different domain (often your email provider's), which doesn't align with your From domain. The fix: make sure DKIM is signing with your domain (so DKIM aligns), or that your Return-Path uses your domain. Your DMARC reports show exactly which is failing to align.
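The alignment decision described above, as an added example that is not part of the original page: it evaluates SPF and DKIM alignment in relaxed or strict mode and shows why spf=pass can still end in dmarc=fail. The function names, the mailprovider.example domain and the two-entry suffix set are assumptions for illustration; real receivers derive the organisational domain from the full Public Suffix List.

```python
# Added example: simplified DMARC identifier alignment check.
# Assumption: organisational domains come from a tiny constructed suffix set;
# real receivers use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}  # constructed sample, not complete


def org_domain(domain):
    """Return the organisational domain: public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def aligned(auth_domain, from_domain, mode):
    """mode is 'r' (relaxed) or 's' (strict), as in aspf= / adkim=."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f                        # strict: exact match only
    return org_domain(a) == org_domain(f)    # relaxed: same organisational domain


def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf is (result, Return-Path domain); dkim is (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


if __name__ == "__main__":
    # Constructed messages, all with From: someone@yourdomain.com
    provider_spf = ("pass", "bounces.mailprovider.example")
    # 1. SPF and DKIM both pass, but only for the provider's domain.
    print(dmarc_result("yourdomain.com", provider_spf,
                       ("pass", "mailprovider.example")))
    # 2. Same SPF, but DKIM now signs with a subdomain of the From domain.
    print(dmarc_result("yourdomain.com", provider_spf,
                       ("pass", "mail.yourdomain.com")))
    # 3. Same as 2 with adkim=s: the subdomain no longer aligns.
    print(dmarc_result("yourdomain.com", provider_spf,
                       ("pass", "mail.yourdomain.com"), adkim="s"))
```

Case 1 is the "SPF passes but DMARC fails" situation; case 2 is the DKIM fix; case 3 shows how strict mode breaks a setup that relaxed mode accepts.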
FAQ
Do I need both SPF and DKIM to align?
No — just one. DMARC passes if either SPF or DKIM passes and aligns with your From domain.
Should I use relaxed or strict alignment?
Relaxed for almost everyone — it allows subdomains. Strict is rarely needed and easy to break.
Why does my mailing-list email fail alignment?
Lists often change the message and re-send it, breaking DKIM and altering the Return-Path. That's expected; see DKIM troubleshooting.
Stuck on a DMARC alignment failure? Scan your domain, then reply to your report — we're developers and we'll get SPF, DKIM and alignment passing for you.