DMARC Alignment: What It Is and How to Set It Correctly

Your mail “passes SPF” and “passes DKIM”… and yet DMARC still fails, messages land in junk, or worse: they disappear into silent-corporate-recipient limbo. That’s not bad luck. That’s alignment.

DMARC alignment is the bouncer checking IDs at the door. SPF and DKIM are your credentials. If the name on the ID doesn’t match the name on the ticket (From:), you’re not getting in—at least not consistently, and definitely not once you turn on p=quarantine or p=reject.

DMARC alignment in plain terms (and why you should care)

DMARC isn’t primarily about whether SPF or DKIM “works.” It’s about whether the authentication you got is for the domain the user sees. That user-visible domain is the one in the RFC5322 From: header (what mail clients show as the sender).

Alignment means: the domain that authenticated via SPF and/or DKIM must “match” (by strict or relaxed rules) the domain in From:. DMARC passes when:

• SPF passes and the SPF-authenticated domain aligns with From:, or
• DKIM passes and the DKIM signing domain aligns with From:.

Most outages and deliverability incidents happen because someone read “SPF pass” in a header and stopped thinking. That’s like saying “the SSL cert is valid” without checking it was issued for your hostname.

What alignment is not

• Not “did SPF pass?” (SPF can pass for an unrelated bounce domain.)
• Not “did DKIM pass?” (DKIM can pass for a vendor domain.)
• Not “did DMARC exist?” (Publishing a DMARC record doesn’t mean your mail aligns.)

Why it matters in production

Alignment is how receivers distinguish “legit mail from example.com” from “random server that can pass SPF for mailer.vendor.com while forging From: example.com.” Without alignment, SPF/DKIM are useful but not reliably tied to brand identity. With alignment + enforcement, you get measurable reduction in spoofing and a cleaner signal for inbox placement.

Interesting facts and short history

• DMARC emerged because SPF and DKIM solved different problems but left a gap: neither required the authenticated domain to match the visible sender domain.
• SPF checks the “envelope-from” (Return-Path) identity, not the human-visible From:. That mismatch is the original source of many “but SPF passed!” incidents.
• DKIM originally prioritized message integrity and domain-level accountability, which is why DKIM signatures survive many hops, but not all modifications.
• DMARC formalized receiver feedback loops at scale through aggregate reports (RUA) so domain owners could discover unknown senders and misconfigurations.
• Relaxed alignment exists because the internet is messy: organizations routinely send from subdomains, and strict matching would have blocked legitimate patterns.
• Forwarding broke SPF long before DMARC; DMARC’s “pass via DKIM alignment” gives a survivable path when forwarding changes the sending IP.
• DMARC’s “pct” knob was designed for gradual rollout so you can enforce policy without turning your helpdesk into a grief-counseling hotline.
• ARC (Authenticated Received Chain) arrived later to help preserve authentication results through intermediaries—useful, but not a license to ignore alignment.

How alignment actually works (SPF vs DKIM)

Start with identities: three “froms” that people confuse

Email has multiple identities that look similar until they ruin your week:

• RFC5322.From: the visible From: header. DMARC uses this as the reference.
• RFC5321.MailFrom (envelope-from): used for bounces; shows as Return-Path: after delivery. SPF authenticates this domain.
• DKIM d=: the signing domain in the DKIM signature. DKIM authenticates this domain.

DMARC pass condition (the operational version)

DMARC cares about the From: domain and asks:

1. Did SPF pass for some MailFrom domain?
2. If yes, does that MailFrom domain align with the From: domain?
3. Did DKIM pass for some signature with d=?
4. If yes, does that d= align with the From: domain?

If either aligned SPF or aligned DKIM passes, DMARC passes. If neither aligns, DMARC fails, regardless of “pass” stamps elsewhere.

What “align” means in practice

Alignment compares domains, not full addresses. DMARC generally evaluates the Organizational Domain (roughly: registrable domain) based on the Public Suffix List.

Examples:

• From: billing.example.com aligns (relaxed) with mail.example.com because both share example.com as the organizational domain.
• From: example.com does not align with mail.vendor.com. That’s the point.

SPF alignment: why it fails more often

SPF alignment uses the domain in the envelope-from (MailFrom). Many SaaS senders use their own bounce domain like bounces.vendor.com. SPF can pass for that, but it won’t align with From: example.com. Unless the vendor supports custom MailFrom / custom return-path / branded bounce domains.

Also, SPF is evaluated against the connecting IP. Forwarders change the connecting IP. SPF loses its lunch money behind the gym.

DKIM alignment: usually the workhorse

DKIM alignment uses the DKIM d= domain. If you can sign with d=example.com (or a subdomain aligned to it), you can survive forwarding and many relays because DKIM is about the signature over message headers and body, not the sending IP.

But DKIM is fragile in a different way: if intermediaries rewrite the message (footers, subject tags, line wrapping, MIME changes), the signature can break. That’s not theoretical; it’s Tuesday.

One quote (paraphrased idea) that belongs in your mailbox pipeline

Paraphrased idea: hope isn’t a strategy; use telemetry and automation to make failures visible and recoverable. — attributed to various reliability engineers, popularized in SRE culture

Strict vs relaxed alignment (aspf/adkim)

DMARC alignment has two knobs:

• aspf: SPF alignment mode
• adkim: DKIM alignment mode

Relaxed alignment (r): what it really permits

Relaxed means subdomains are OK as long as the organizational domain matches. So From: example.com aligns with MailFrom: bounce.example.com and with DKIM d=mail.example.com (assuming the org domain is example.com).

Opinionated guidance: start with relaxed alignment unless you have a strong reason to go strict. Strict is not “more secure” if it pushes teams into hacks or makes vendors impossible to configure correctly.

Strict alignment (s): when you can afford to be picky

Strict means the domains must match exactly. If your visible From: is example.com, then SPF MailFrom must be example.com (not bounce.example.com), and DKIM d= must be example.com (not mail.example.com).

Strict is viable if:

• you have tight control over all outbound senders, and
• you don’t rely on a zoo of SaaS platforms, and
• you are willing to build process to keep it true.

Joke #1: Strict alignment is like a dress code at a startup: it sounds decisive until you realize your CEO is wearing a hoodie with stains from 2017.

Subdomains: alignment and DMARC inheritance

DMARC policy published at _dmarc.example.com applies to example.com. Subdomains may inherit unless you publish per-subdomain records, and you can use the sp= tag to specify policy for subdomains.

Operationally, subdomains are where “alignment confusion” becomes “alignment incident.” Marketing wants news.example.com, product wants notify.example.com, support uses support.example.com, and someone in HR plugs in a new survey vendor that insists on From: example.com because “brand.” That’s how you get DMARC failure at scale.

How to design alignment for real senders (humans, apps, SaaS)

Decide what the “From domain” strategy is

You need a coherent policy for what appears in From:. Pick one of these patterns and commit:

• Pattern A: one domain for everything (From: example.com). Simpler for users; harder for alignment because every sender must align perfectly.
• Pattern B: functional subdomains (billing.example.com, news.example.com). Cleaner separation and easier vendor onboarding. Users notice, but they also notice when your mail bounces.
• Pattern C: dedicated sending domain (mail.example.com) while keeping corporate example.com for humans. Strongly recommended in many orgs because it reduces blast radius.

My bias: Pattern B or C. If your domain is a shared kitchen, don’t store raw chicken next to the birthday cake.

Pick how DMARC will pass: “DKIM-first” is usually sane

For modern outbound ecosystems, treat DKIM alignment as the primary path to DMARC pass. Configure SPF too, but don’t assume it will survive forwarding, mailing lists, and “helpful” gateways.

Vendor onboarding checklist (alignment-centric)

When a SaaS platform sends as you, you need these capabilities:

• Custom DKIM with d= on your domain (or aligned subdomain).
• Custom MailFrom / return-path (optional but valuable) to get SPF alignment too.
• Support for multiple DKIM selectors for rotation without downtime.
• Clear documentation on header rewriting so DKIM survives.

If they can’t do custom DKIM, don’t let them use your primary From: domain. Give them a subdomain or a different brand surface. DMARC is policy. Policy is allowed to say “no.”

How alignment interacts with mailing lists and forwarders

Mailing lists often modify messages (adding footers, subject prefixes). That can break DKIM. Forwarders break SPF. DMARC sits in the middle and says: “bring me aligned authentication.”

Receivers may use ARC to preserve upstream authentication signals, but you can’t rely on that. Your controllable lever is: make DKIM robust (canonicalization choices, avoid content munging where possible) and minimize dependencies on SPF for DMARC pass.

Practical tasks: commands, outputs, decisions (12+)

These are the tasks I actually run when debugging alignment in production. Each includes a command, sample output, what it means, and the decision you make.

Task 1: Pull the DMARC record and sanity-check tags

cr0x@server:~$ dig +short TXT _dmarc.example.com
"v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com; adkim=r; aspf=r; pct=100; fo=1"

What it means: DMARC exists, enforcement is quarantine, both alignments relaxed, full rollout.

Decision: If you’re still seeing DMARC failures, the issue is alignment/authentication, not “missing record.” If p=none, you’re in observation mode and should plan enforcement.

Task 2: Check DMARC for a subdomain you think is “covered”

cr0x@server:~$ dig +short TXT _dmarc.news.example.com

What it means: No explicit DMARC record at the subdomain.

Decision: Confirm whether you rely on inheritance and whether sp= is set at the organizational domain. If marketing mail is from news.example.com, you probably want an explicit record (or at least a deliberate sp= policy).

Task 3: Check whether SPF is present for the From domain (not enough, but necessary)

cr0x@server:~$ dig +short TXT example.com | sed -n 's/.*"\(v=spf1[^"]*\)".*/\1/p'
v=spf1 ip4:203.0.113.10 include:_spf.google.com -all

What it means: SPF authorizes a specific IP and Google’s SPF set. SPF policy ends with -all (hard fail).

Decision: If you’re using SaaS senders, ensure their sending ranges are included (directly or via their include). But also: plan for SPF alignment by controlling MailFrom, not just “SPF exists.”

Task 4: Count SPF DNS lookups (the hidden failure mode)

cr0x@server:~$ spfquery -debug -ip 203.0.113.10 -sender bounce@example.com -helo mx.example.com 2>&1 | tail -n 12
...
spfquery: using default zone: example.com
spfquery: found TXT record: v=spf1 ip4:203.0.113.10 include:_spf.google.com -all
spfquery: include:_spf.google.com
spfquery: result: pass

What it means: SPF evaluation for that sender/IP passes.

Decision: If you see lookup-limit errors in real headers (permerror), you need to flatten or simplify SPF. A “pass” in your lab isn’t proof if production includes more includes than you tested.

Task 5: Fetch DKIM selector TXT records (vendor or internal)

cr0x@server:~$ dig +short TXT s1._domainkey.example.com
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtmY..."

What it means: DKIM public key is published for selector s1.

Decision: If DKIM fails at receivers, confirm the signer uses this selector and domain. If a vendor says “we sign,” verify the actual d= and s= in headers.

Task 6: Inspect a real message header for DMARC/SPF/DKIM and alignment hints

cr0x@server:~$ grep -E '^(From:|Return-Path:|Authentication-Results:|DKIM-Signature:)' -n sample.eml | sed -n '1,120p'
3:From: "Example Billing" <billing@example.com>
8:Return-Path: <bounce-123@mailer.vendor.com>
41:DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailer.vendor.com; s=dkim1; ...
72:Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bounce-123@mailer.vendor.com designates 203.0.113.55 as permitted sender) smtp.mailfrom=bounce-123@mailer.vendor.com;
       dkim=pass header.i=@mailer.vendor.com header.s=dkim1 header.b=...;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com

What it means: SPF passed for mailer.vendor.com and DKIM passed for mailer.vendor.com, but From: is example.com. Neither authenticates example.com. DMARC fails due to misalignment.

Decision: Require the vendor to support custom DKIM (sign with d=example.com or aligned subdomain) and preferably custom MailFrom. If they can’t, change the visible From domain to an aligned subdomain you control (e.g., billing.example.com) and publish DMARC there.

Task 7: Validate that DKIM aligns with From (domain comparison)

cr0x@server:~$ python3 - <<'PY'
import re,sys
data=open("sample.eml","r",errors="ignore").read().splitlines()
from_dom=None
dkim_d=None
for line in data:
    if line.lower().startswith("from:"):
        m=re.search(r'@([A-Za-z0-9.-]+)', line)
        if m: from_dom=m.group(1).lower()
    if line.lower().startswith("dkim-signature:"):
        m=re.search(r'\bd=([A-Za-z0-9.-]+)', line)
        if m: dkim_d=m.group(1).lower()
print("from=",from_dom)
print("dkim d=",dkim_d)
PY
from= example.com
dkim d= mailer.vendor.com

What it means: Not aligned under either strict or relaxed (different org domains).

Decision: Fix DKIM signing domain or move From domain to match what can be authenticated.

Task 8: Check your MTA is actually signing DKIM for the right domain

cr0x@server:~$ sudo opendkim-testkey -d example.com -s s1 -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: key OK

What it means: The selector is present and matches the private key configured locally (at least as OpenDKIM sees it).

Decision: If this fails, fix DNS or the local key path before chasing DMARC. No aligned DKIM, no reliable DMARC pass under forwarding.

Task 9: Confirm what Return-Path / MailFrom your outbound system uses

cr0x@server:~$ postconf -n | grep -E '^(myhostname|mydomain|myorigin|smtp_mail_name|sender_canonical_maps|smtp_generic_maps)'
myhostname = mx1.example.com
mydomain = example.com
myorigin = $mydomain

What it means: Basic Postfix identity. This doesn’t guarantee MailFrom alignment, but it tells you the defaults and whether rewriting maps might exist.

Decision: If a relay or application is setting envelope-from differently, track it. Aligning SPF often means controlling this envelope identity, not just DNS.

Task 10: Test SMTP submission and capture what the server adds

cr0x@server:~$ swaks --to you@recipient.test --from billing@example.com --server smtp.example.com --data <(printf 'Subject: test\n\nhello\n') --header "Date: $(date -R)"
=== Trying smtp.example.com:25...
=== Connected to smtp.example.com.
<** 250 2.0.0 Ok: queued as 9F2A8123

What it means: Message accepted for delivery.

Decision: Pull the delivered message headers at the recipient side (or your test mailbox) and verify the DKIM d=, SPF smtp.mailfrom, and DMARC result. “Queued” is not “aligned.”

Task 11: Parse Authentication-Results for aligned identifiers quickly

cr0x@server:~$ awk 'BEGIN{RS="";FS="\n"} {for(i=1;i<=NF;i++) if($i ~ /^Authentication-Results:/) print $i}' sample.eml
Authentication-Results: mx.google.com;
       spf=pass ... smtp.mailfrom=bounce-123@mailer.vendor.com;
       dkim=pass header.i=@mailer.vendor.com ...;
       dmarc=fail ... header.from=example.com

What it means: It shows the identities the receiver used: smtp.mailfrom and header.i vs header.from.

Decision: If smtp.mailfrom or header.i are not in your domain family, alignment cannot pass. Fix the sender, not the DMARC record.

Task 12: Verify organizational domain logic (public suffix pitfalls)

cr0x@server:~$ python3 - <<'PY'
from publicsuffix2 import get_sld
tests=["example.com","billing.example.com","example.co.uk","a.b.example.co.uk"]
for t in tests:
    print(t,"->",get_sld(t))
PY
example.com -> example.com
billing.example.com -> example.com
example.co.uk -> example.co.uk
a.b.example.co.uk -> example.co.uk

What it means: DMARC relaxed alignment compares organizational domains, which differ for .co.uk-style suffixes.

Decision: If your org uses country-code domains, be careful when assuming what “relaxed” will match. Your DNS and vendor configs must match the real organizational domain boundary.

Task 13: Check DMARC “sp=” behavior for subdomains

cr0x@server:~$ dig +short TXT _dmarc.example.com
"v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; pct=100; rua=mailto:dmarc-rua@example.com"

What it means: Root domain is reject; subdomains default to quarantine unless overridden.

Decision: If you’re migrating senders to subdomains to reduce risk, sp can surprise you. Explicit DMARC on the subdomain avoids “why did marketing get quarantined?” meetings.

Task 14: Confirm the domain has a valid MX and isn’t mis-typed (yes, this happens)

cr0x@server:~$ dig +short MX example.com
10 mx1.example.com.
20 mx2.example.com.

What it means: Mail routing exists; not directly alignment-related, but a common indicator the domain is managed intentionally.

Decision: If there’s no MX and you’re sending from that domain, some receivers treat it suspiciously. For a sending-only domain, you might still publish MX or at least ensure general hygiene.

Task 15: Check for multiple DMARC TXT records (receiver-dependent chaos)

cr0x@server:~$ dig TXT _dmarc.example.com +short
"v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com"
"v=DMARC1; p=reject; rua=mailto:security@example.com"

What it means: Two DMARC records exist. That’s invalid; receivers may pick one, ignore both, or behave inconsistently.

Decision: Fix DNS immediately: publish exactly one DMARC record per domain. This is a “stop the bleeding” issue before any deeper troubleshooting.

Fast diagnosis playbook

If you have 15 minutes before someone escalates “email outage,” don’t wander. Check these in order.

First: confirm the failure is alignment, not basic auth

1. Grab a failing message header from a recipient mailbox (preferably Gmail or Microsoft, because they’re verbose).
2. Find Authentication-Results and read three fields: header.from, smtp.mailfrom, and header.i (DKIM identity).
3. If SPF/DKIM are “pass” but identities don’t match header.from, it’s alignment.

Second: identify which path should be your DMARC “pass” path

• If mail is forwarded or routed through intermediaries: prioritize DKIM alignment.
• If mail is direct-to-recipient with stable IPs and controlled MailFrom: SPF alignment can be reliable.
• If both are failing: you’re either not signing properly, or you’re letting vendors send “as you” without domain controls.

Third: pinpoint who is sending the misaligned mail

• Check Return-Path domain: often reveals the vendor.
• Check DKIM d=: reveals the signer domain.
• Compare against your list of authorized senders. If you don’t have a list, congratulations: you’ve discovered why DMARC reports exist.

Fourth: choose the least-risk fix

• Best fix: configure custom DKIM for your domain on that sender.
• Next best: move the visible From to a dedicated subdomain that the sender can align with, and publish DMARC on that subdomain.
• Avoid: loosening DMARC policy as a permanent solution. Temporary pct reductions can be reasonable during incident response; permanent downgrades are how spoofing returns.

Joke #2: If you “fixed DMARC” by setting p=none, that’s not a fix; that’s putting a sticky note on the smoke detector.

Common mistakes: symptom → root cause → fix

1) “SPF=pass, DKIM=pass, DMARC=fail”

Symptom: Authentication-Results shows SPF pass and DKIM pass, but DMARC fail.

Root cause: SPF and DKIM authenticated different domains than the visible From:. Typical with SaaS vendors using their own Return-Path and d=.

Fix: Enable custom DKIM signing for your domain (aligned d=). Optionally configure custom MailFrom to also get SPF alignment.

2) DMARC fails only for forwarded mail

Symptom: Direct recipients get inbox; forwarded recipients see quarantine/reject.

Root cause: Forwarders break SPF by changing the sending IP; DKIM may be missing or broken, leaving no aligned path.

Fix: Ensure DKIM signing is enabled and survives typical transit. Do not rely on SPF alignment alone for DMARC pass if forwarding is common.

3) DKIM passes in your tests, fails in the wild

Symptom: Some receivers show dkim=fail (bad signature), others pass.

Root cause: Intermediaries modify the message (footers, disclaimers, “external sender” banners, MIME conversions). Or your signer includes volatile headers in the signed set.

Fix: Adjust DKIM configuration: choose sensible canonicalization, limit signed headers to stable ones, and eliminate gateways that rewrite content post-signing (or sign after rewriting).

4) “We set aspf=s and everything broke”

Symptom: DMARC failures spike after switching to strict alignment.

Root cause: Your MailFrom is a subdomain (e.g., bounce.example.com) or vendor uses custom return-path subdomain. Strict requires exact match.

Fix: Use relaxed alignment (aspf=r) unless you can guarantee exact-domain MailFrom everywhere. Or change the visible From to the exact domain that matches the authenticated identity.

5) Random, inconsistent DMARC behavior across receivers

Symptom: Gmail says DMARC pass, Microsoft says fail, smaller providers vary.

Root cause: Multiple DMARC TXT records, DNS propagation inconsistencies, or different interpretation of broken records by receivers.

Fix: Ensure exactly one DMARC TXT record exists, validate DNS, reduce TTL during changes, and retest.

6) Subdomain mail gets rejected after root DMARC enforcement

Symptom: Mail from news.example.com starts failing when you enforce on example.com.

Root cause: Subdomain inherits policy, and the sender isn’t aligned for that subdomain. Or sp=reject applies.

Fix: Publish explicit DMARC for the subdomain and configure DKIM/SPF identities for that subdomain; or adjust sp deliberately.

7) DKIM aligns but DMARC still fails

Symptom: You see dkim=pass with d=example.com, yet DMARC fail.

Root cause: DKIM pass may be for a signature that doesn’t align (multiple signatures), or the receiver selected a different DKIM result as “best” (implementation nuance), or the visible From uses a different domain than expected.

Fix: Inspect Authentication-Results carefully for which signature was evaluated and what header.from is. Ensure the aligning DKIM signature is present and valid at the receiver.

Checklists / step-by-step plan

Step-by-step rollout plan that avoids self-inflicted outages

1. Inventory senders. List every system that can send with your domain in From:: M365/Google Workspace, ticketing, CI/CD alerts, CRM, marketing, billing, monitoring, humans with SMTP clients.
2. Pick a From-domain architecture. Prefer a dedicated sending domain or functional subdomains to isolate vendors.
3. Enable DKIM everywhere possible. If a sender can’t sign with your domain, don’t let it use your root From domain.
4. Publish SPF carefully. Keep it under the DNS lookup limits; avoid uncontrolled include chains.
5. Publish DMARC with p=none first. Add rua to collect aggregate reports. Keep alignment relaxed unless you’re sure.
6. Review DMARC reports and fix alignment gaps. This is where you find the “mystery sender” that product forgot about.
7. Move to p=quarantine with pct less than 100 if needed. Use pct as a circuit breaker, not as a lifestyle choice.
8. Move to p=reject when confident. Spoofing stops being a branding problem and becomes a receiver problem.
9. Automate ongoing checks. DKIM key expiry/rotation, DNS drift, vendor changes, and acquisitions are where alignment silently regresses.

Operational checklist for every new sender (print this, or tattoo it on your procurement process)

• What will the visible From: domain be?
• Will the platform sign DKIM with d= in our domain (or aligned subdomain)?
• Can we set a custom MailFrom / return-path in our domain for SPF alignment?
• What selectors are used, and can we rotate keys without downtime?
• Do they rewrite messages post-signing (footers, tracking, open/click modifications)?
• Do they support separate domains per environment (prod vs staging)?
• How will we test before go-live (seed list, header capture, DMARC validation)?

Three corporate mini-stories from the trenches

Mini-story 1: The incident caused by a wrong assumption

The company had just moved transactional mail to a shiny new provider. The migration plan was tidy: update SPF to include the vendor, turn on DKIM “because the checkbox exists,” then tighten DMARC to p=reject after a week of calm.

On day two, support started getting tickets: password resets weren’t arriving for a chunk of users—mostly at large inbox providers with aggressive filtering. Engineering did what engineering does: checked app logs, confirmed emails were queued, confirmed the vendor’s API returned success. So obviously, “email is fine.”

Then someone looked at a real recipient header. SPF passed. DKIM passed. DMARC failed. The From: header was example.com, but the vendor signed with d=vendor-mail.com and used Return-Path under vendor-bounce.com. The team had assumed “pass means pass.” DMARC didn’t care.

The fix was not heroic: configure custom DKIM for example.com on the vendor, then align the bounce domain under a controlled subdomain. Deliverability recovered. The bigger win was cultural: the postmortem added a rule—no enforcement changes without validating alignment identities in Authentication-Results across at least two major receivers.

Mini-story 2: The optimization that backfired

A different org wanted to “clean up DNS.” Their SPF record had become a monster of includes because every department onboarded vendors like they were collecting badges at a conference. Someone proposed flattening SPF by expanding includes into a static IP list. Fewer DNS lookups. Faster evaluation. Everyone nodded.

They deployed the flattened record and, for a few days, things improved. Then mail started failing intermittently—especially from one vendor whose sending IPs changed without notice. SPF began to fail for that traffic. DMARC started failing too because they had been leaning on SPF alignment for that sender; DKIM wasn’t aligned (the vendor signed with their own domain and nobody had fought that battle).

The “optimization” replaced dynamic vendor includes (which adapt to IP changes) with a brittle snapshot. The failure mode wasn’t just SPF fail. It cascaded into DMARC enforcement behavior, which turned a vendor’s IP change into a customer-facing incident.

The eventual stable design was more boring: reinstate the vendor’s include, remove obsolete includes, split senders into subdomains with explicit DKIM alignment, and track SPF lookup counts with tests in CI. The clever part was not the DNS trick. It was designing the authentication path so a single vendor’s IP drift didn’t collapse DMARC.

Mini-story 3: The boring but correct practice that saved the day

An enterprise team ran a simple weekly job: send test messages from every sanctioned sender to a few controlled mailboxes, then store the full headers. No fancy dashboards at first—just files in a repo and a habit of looking when something changed.

One week, the tests flagged that marketing mail still arrived, but DKIM alignment had flipped: the DKIM d= was now vendor.com instead of news.example.com. DMARC was passing only because SPF alignment still worked, and only for direct recipients. Forwarded recipients would have failed the next time their corporate mail gateway started routing through a new hop.

It turned out the vendor had rotated infrastructure and “helpfully” reverted a setting during an internal migration. No outage yet. Just a loaded gun on the table.

The team opened a ticket, got custom DKIM restored, and added a contract clause: changes that affect sending identities must be announced. The fix was mundane. The save was enormous. This is what “operational excellence” looks like when nobody claps.

FAQ

1) If SPF passes, why does DMARC fail?

Because SPF can pass for the envelope-from domain, and DMARC requires that domain to align with the visible From:. SPF pass without alignment is common with third-party senders.

2) Should I rely on SPF alignment or DKIM alignment?

Prefer DKIM alignment as the primary DMARC pass path, especially if your mail is forwarded, goes through mailing lists, or traverses multiple relays. Keep SPF correct anyway; it’s still valuable.

3) What do “adkim” and “aspf” actually change?

They set strict (s) or relaxed (r) alignment for DKIM and SPF. Relaxed allows subdomain alignment (same organizational domain). Strict requires an exact match.

4) Is strict alignment always more secure?

No. Strict is only better if you can maintain it without exceptions. If strict causes vendors to use your root From domain while authenticating with their own domains, you get failures—not security.

5) Why does DMARC break when a mailing list adds a footer?

Because DKIM signatures cover parts of the message body and headers. If a list modifies the body, DKIM can fail. If SPF also fails due to forwarding, DMARC fails.

6) Can I fix alignment by changing only the DMARC record?

Rarely. DMARC policy doesn’t create alignment; it evaluates it. Most fixes are in sender configuration: DKIM signing domain, MailFrom domain, or visible From domain strategy.

7) What’s the safest way to move to p=reject?

Run p=none with aggregate reporting, fix all known senders, then move to p=quarantine with pct control if needed, then p=reject. Don’t skip the “fix senders” part.

8) Do I need custom return-path if I already have DKIM alignment?

Not strictly, but it helps. Having both aligned SPF and DKIM makes your mail more resilient across receiver quirks and intermediate hops.

9) How do subdomains affect alignment?

With relaxed alignment, subdomains align if they share the same organizational domain. With strict alignment, they don’t. DMARC policy can also apply differently to subdomains via sp or explicit subdomain records.

10) What’s the quickest proof that a vendor can’t meet DMARC alignment?

Send a test mail and inspect headers: if DKIM d= and SPF smtp.mailfrom are vendor domains and immutable, they can’t align with your From: domain unless they support custom identities.

Conclusion: next actions that actually reduce risk

DMARC alignment is not an abstract email theory. It’s the mechanical difference between “we authenticate something” and “receivers can trust the domain our users see.” If you’re enforcing DMARC without alignment discipline, you’re building a rejection machine and calling it security.

Do this next, in order:

1. Pick your From-domain strategy (root vs subdomains vs dedicated sending domain). Make it a policy decision, not a per-team preference.
2. Make DKIM alignment your default for every sender, especially vendors.
3. Use DMARC reports and header inspection as telemetry, not as paperwork.
4. Roll to enforcement deliberately (none → quarantine → reject), using pct as a safety valve—not a permanent crutch.
5. Operationalize it: a weekly seed test with stored headers catches the “vendor reverted config” class of outages before customers do.