Why DMARC Fails Even When SPF Passes
SPF Passes, DMARC Fails — What Is Going On?
DMARC can fail even when SPF passes because DMARC requires alignment, not just authentication. SPF passing only means the sending server is authorized. DMARC goes one step further — it checks whether the domain in your visible From header matches the domain that passed SPF. If they do not match, DMARC reports an alignment failure.
This is the single most common source of confusion in email authentication. The email "passed SPF" but DMARC still failed, and it feels like a contradiction. It is not. They are checking different things.
What Is SPF Alignment?
SPF checks the Return-Path (envelope sender) domain against your SPF DNS record. DMARC alignment checks whether that Return-Path domain matches the From header domain.
Here is a concrete example:
From: sales@yourdomain.com ← What the recipient sees
Return-Path: bounce@esp.sendgrid.net ← What SPF actually checks
In this case:
- SPF result: Pass (because esp.sendgrid.net is authorized by SendGrid's SPF record)
- SPF alignment: Fail (because esp.sendgrid.net does not match yourdomain.com)
- DMARC result: Fails SPF alignment
The email is legitimate, but DMARC cannot verify that because the domains do not match.
The Two Ways DMARC Can Pass
DMARC passes if either SPF or DKIM is both authenticated and aligned:
| Path | Authentication | Alignment Required |
|---|---|---|
| SPF path | SPF check passes | Return-Path domain matches From domain |
| DKIM path | DKIM signature valid | DKIM d= domain matches From domain |
If your SPF alignment fails but DKIM alignment passes, DMARC will still pass. This is actually the most common configuration for third-party email services.
Common Scenarios Where SPF Passes but DMARC Fails
Scenario 1: Third-Party Email Service (Most Common)
When you use a service like SendGrid, Mailgun, or Amazon SES, they set the Return-Path to their own domain for bounce handling. SPF passes against their domain, but alignment fails against yours.
Fix: Configure DKIM signing with your domain. Most ESPs support custom DKIM — this is the primary way to achieve DMARC alignment through third-party services.
Scenario 2: Email Forwarding
When an email is forwarded (e.g., from user@university.edu to user@gmail.com), the forwarding server's IP is not in your SPF record. SPF may still pass if the forwarding server rewrites the envelope sender, but alignment will fail if the rewritten domain does not match your From header.
Fix: Rely on DKIM for forwarded email. DKIM signatures travel with the message and survive forwarding (as long as the message body is not modified).
Scenario 3: Misconfigured Custom Return-Path
Some ESPs let you set a custom Return-Path domain. If you configured it as bounce.yourdomain.com but your DMARC record uses strict SPF alignment (aspf=s), the subdomain will not match yourdomain.com.
Fix: Either set your DMARC record to relaxed SPF alignment (aspf=r), which allows subdomain matching, or configure the Return-Path to use the exact same domain as your From address.
Scenario 4: SaaS Platforms Sending on Your Behalf
Tools like HubSpot, Zendesk, or Salesforce send email using your From address but authenticate against their own domains. SPF passes for their domain, not yours.
Fix: Set up DKIM with your domain in each platform. Most enterprise SaaS tools support this — look for "email authentication" or "domain verification" in their settings.
How to Diagnose the Problem
Check the raw email headers of a failing message. Look for:
Authentication-Results:
spf=pass (sender IP is X.X.X.X) smtp.mailfrom=otherdomain.com;
dkim=none;
dmarc=fail (p=none dis=none) header.from=yourdomain.com;
The key detail is smtp.mailfrom=otherdomain.com combined with header.from=yourdomain.com. The domains do not match — that is your alignment failure.
The Fix: Almost Always DKIM
For most third-party sending scenarios, the fix is to configure DKIM signing with your domain. SPF alignment through third-party services is inherently fragile because you cannot always control the Return-Path. DKIM alignment is more reliable:
- Generate a DKIM key pair in your email service provider's dashboard
- Add the public key as a DNS TXT record under your domain
- The ESP signs outgoing email with your domain's DKIM key
- DKIM alignment passes, DMARC passes — regardless of SPF alignment
FAQ
Should I care about SPF alignment if DKIM is passing?
For DMARC purposes, no — DMARC passes if either path aligns. But having both SPF and DKIM aligned provides defense in depth. If DKIM breaks for any reason (key rotation, message modification), SPF alignment can serve as a fallback.
What is the difference between relaxed and strict alignment?
- Relaxed (aspf=r, adkim=r): Subdomains are allowed to match. mail.yourdomain.com aligns with yourdomain.com.
- Strict (aspf=s, adkim=s): Exact domain match required. mail.yourdomain.com does not align with yourdomain.com.
Most organizations should use relaxed alignment (it is also the default if not specified).
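As an added example (not code from the original article), the Python below parses an Authentication-Results value like the one in the diagnosis section and evaluates both DMARC paths under relaxed or strict alignment, covering the SPF-passes-but-misaligned case and the subdomain case from the FAQ. The header value is constructed, and `org_domain` is a simplification (last two labels) where a real verifier would consult the Public Suffix List.

```python
import re

# Constructed sample, modelled on the diagnosis section above (not a real capture).
AUTH_RESULTS = (
    "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=otherdomain.com; "
    "dkim=none; "
    "dmarc=fail (p=none dis=none) header.from=yourdomain.com;"
)

def org_domain(domain):
    """Simplified organizational domain: last two labels.
    Assumption: a real DMARC verifier uses the Public Suffix List here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(identifier, from_domain, mode):
    """DMARC identifier alignment; mode is 'r' (relaxed) or 's' (strict).
    identifier may be a bare domain or a full address (domain taken after '@')."""
    if not identifier or not from_domain:
        return False
    identifier = identifier.rsplit("@", 1)[-1].lower()
    from_domain = from_domain.lower()
    if mode == "s":
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)

def parse_auth_results(header):
    """Extract the results and identifiers DMARC needs from an Authentication-Results value."""
    fields = {}
    for key in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % key, header)
        fields[key] = m.group(1) if m else None
    for key in ("smtp.mailfrom", "header.d", "header.from"):
        m = re.search(r"%s=([^;\s]+)" % re.escape(key), header)
        fields[key] = m.group(1) if m else None
    return fields

def evaluate_dmarc(header, aspf="r", adkim="r"):
    """Return the per-path outcome and the overall DMARC verdict."""
    f = parse_auth_results(header)
    from_domain = f["header.from"]
    spf_path = f["spf"] == "pass" and aligned(f["smtp.mailfrom"], from_domain, aspf)
    dkim_path = f["dkim"] == "pass" and aligned(f["header.d"], from_domain, adkim)
    return {"spf_aligned": spf_path, "dkim_aligned": dkim_path,
            "dmarc": "pass" if (spf_path or dkim_path) else "fail"}

if __name__ == "__main__":
    print(evaluate_dmarc(AUTH_RESULTS))
```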
Can I fix this by adding my ESP's domain to my SPF record?
Adding your ESP's include: to your SPF record makes SPF pass, but it does not fix alignment. SPF alignment compares the Return-Path domain to the From domain. If the ESP sets a Return-Path on their domain, alignment still fails — even though SPF authentication passes.