What domain is checked for SPF alignment? (Return-Path vs From)
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Here's the thing that trips up a lot of folks: SPF and DMARC check two totally different domains. SPF aligns against the Return-Path domain (also called the envelope sender or MAIL FROM). DMARC, on the other hand, compares that Return-Path domain to the From header domain to see if they match.
Here's why this matters. Your mail server might pass SPF validation because it's authorized to send from your domain. But if you're using an email service provider (ESP), they often send mail on your behalf using their own Return-Path domain. That means SPF passes, but the Return-Path doesn't match your From header, so DMARC fails. You've got a deliverability problem even though SPF technically worked.
The fix is getting your ESP to either sign mail with your DKIM domain (more reliable) or use your domain as the Return-Path. Check out how to fix alignment issues for the step-by-step approach. See also: how DKIM alignment works.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.