Can you have SPF and DKIM pass but DMARC fail?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Yes. This is one of the most common DMARC confusions, and it trips up even technically experienced senders.

But Here's why: DMARC doesn't just ask "did SPF pass?" or "did DKIM pass?" It asks "did either SPF or DKIM pass for the right domain?"

That "right domain" requirement is called alignment. SPF alignment means the domain in the SMTP envelope (the Return-Path) must match your From domain. DKIM alignment means the d= domain in the DKIM signature must match your From domain.

Both checks can pass for some domain and still fail alignment with your From domain. Example: you send through an ESP that uses their own envelope sender domain for bounce handling (common). SPF passes for the ESP's domain. DKIM passes for the ESP's signing domain. Neither matches your From domain. DMARC fails.

The fix is usually one of: set up custom DKIM signing so the ESP signs with your domain, or configure the ESP to use your domain in the envelope sender for SPF alignment. Most reputable ESPs support both. Check your DMARC aggregate reports to see which sources are failing and on which mechanism.

Our free Review My Emails DMARC Parser will show you your current policy and alignment mode. If you want to dig into the actual report data and see which sources are failing alignment, that's where to start.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Fix my DMARC alignment failure

My DMARC reports show failures even though SPF and DKIM are both passing for messages sent through {esp_name}. My From domain is {from_domain}. Can you help me understand which alignment is failing, whether it's the DKIM d= domain or the SPF envelope sender, and what I need to configure in {esp_name} to fix it?

Edit the yellow boxes, then send to the AI of your choice.