How do third-party senders affect alignment?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

When you use a third-party sender like an ESP to send mail on your behalf, they face a core problem: they can't sign your mail with your own DKIM key (you don't give that to them), and they often can't use your domain as the Return-Path (that's their infrastructure). So by default, they break both DKIM and SPF alignment, and your DMARC check fails.

Here's what happens: The ESP sends an email that appears to come from you (From: yourdomain.com) but they sign it with their own DKIM key (d=theirservice.com) and use their own Return-Path (envelope sender: mail.theirservice.com). Your domain doesn't match either authentication method, so DMARC sees a misalignment and rejects the message according to your DMARC policy.

The fix depends on what your ESP supports. The best option is asking them to provide CNAME records so they can sign with your domain (d=yourdomain.com). Some ESPs also let you set a custom Return-Path on your domain. Not all vendors support these options, so it's worth asking your ESP upfront which they offer. Once configured, how to fix alignment issues walks you through the setup. See also: how to fix alignment issues.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Explain ESP alignment issues

Explain why ESPs and third-party senders break DMARC alignment by default (DKIM d= tag and Return-Path domain), and what configuration options (CNAME records, custom Return-Path) fix it.

Edit the yellow boxes, then send to the AI of your choice.