SPF Alignment Fails but DKIM Passes — Is My Email Secure?

Mar 18, 2026 · Joey · 3 min read

Is This a Problem?

In most cases, no. If DKIM passes and is aligned with your From domain, DMARC will pass — regardless of SPF alignment. This is by design. DMARC requires only one authentication method (SPF or DKIM) to both pass and align. Having DKIM pass with alignment is the more reliable path, especially when using third-party email services.

You are secure. But you should understand why SPF alignment is failing so you can decide whether to fix it.

Why SPF Alignment Fails with Third-Party Services

When you use an email service provider (ESP) like SendGrid, Mailgun, Postmark, or Amazon SES, they typically set the Return-Path (envelope sender) to their own domain for bounce handling:

From: you@yourdomain.com                    ← What recipients see
Return-Path: bounces@sendgrid.net           ← What SPF checks

SPF authentication passes (SendGrid's IP is authorized by sendgrid.net's SPF record), but SPF alignment fails because sendgrid.net does not match yourdomain.com.

This is completely normal and expected. Nearly every third-party ESP works this way.

When It Is Fine (Most Cases)

SPF alignment failure is fine when:

In fact, many email security experts consider DKIM the stronger authentication method:

When You Should Fix It

Fix SPF alignment when:

How to Fix SPF Alignment

Option 1: Custom Return-Path Domain

Some ESPs let you configure a custom Return-Path domain (also called "custom bounce domain" or "envelope sender domain"):

When configured, the Return-Path becomes something like bounce@mail.yourdomain.com. With relaxed SPF alignment, this aligns with yourdomain.com in your From header.

Option 2: Include ESP in Your SPF Record

This makes SPF authentication pass for your domain (the ESP's IPs are authorized by your SPF record), but it does not fix alignment unless the ESP also uses your domain in the Return-Path.

v=spf1 include:_spf.google.com include:sendgrid.net -all

This is a good practice regardless, but it alone does not solve SPF alignment.

How to Verify Your Setup

Check the headers of a sent email:

Authentication-Results:
  spf=pass smtp.mailfrom=sendgrid.net;        ← SPF passes but for wrong domain
  dkim=pass header.d=yourdomain.com;          ← DKIM passes with your domain ✓
  dmarc=pass (p=reject) header.from=yourdomain.com;  ← DMARC passes ✓

The key line is dmarc=pass. If DMARC passes, the message has been authenticated for your From domain, even with SPF alignment failing.
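The same header check can be scripted. This is an added example, not code from the original post: it parses an Authentication-Results value and reports SPF pass, SPF alignment, DKIM alignment and the DMARC verdict they imply. The function names, the mx.example.net authserv-id, the sample headers, the two-label organizational-domain shortcut and the single strict flag covering both SPF and DKIM are assumptions made for the example.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Production DMARC
    # evaluators use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def parse_auth_results(value):
    """Map each method (spf, dkim, dmarc) to a list of (result, properties)."""
    out = {}
    value = re.sub(r"\([^)]*\)", "", value)   # drop (comments)
    for clause in value.split(";")[1:]:       # first field is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].lower().split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out.setdefault(method, []).append((result, props))
    return out

def evaluate(value, from_domain, strict=False):
    """Report SPF pass, SPF/DKIM alignment and the DMARC verdict they imply."""
    res = parse_auth_results(value)
    def pass_and_aligned(method, prop):
        # A message may carry several DKIM signatures; one aligned pass is enough.
        for result, props in res.get(method, []):
            domain = props.get(prop, "").rsplit("@", 1)[-1]
            if result == "pass" and domain and aligned(domain, from_domain, strict):
                return True
        return False

    spf_aligned = pass_and_aligned("spf", "smtp.mailfrom")
    dkim_aligned = pass_and_aligned("dkim", "header.d")
    return {"spf_pass": any(r == "pass" for r, _ in res.get("spf", [])),
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}

# Constructed sample headers (authserv-id and IP are made up for the example).
def sample(mailfrom, dkim):
    return ("mx.example.net; spf=pass (sender IP is 192.0.2.10) "
            f"smtp.mailfrom={mailfrom}; dkim=pass header.d=sendgrid.net; "
            f"dkim={dkim} header.d=yourdomain.com")
ESP_DEFAULT = sample("bounces@sendgrid.net", "pass")
DKIM_BROKEN = sample("bounces@sendgrid.net", "fail")
CUSTOM_RETURN_PATH = sample("bounce@mail.yourdomain.com", "fail")
```

Calling evaluate(DKIM_BROKEN, "yourdomain.com") shows the case from the FAQ: with the ESP's own Return-Path, a failed DKIM signature leaves no aligned path, while CUSTOM_RETURN_PATH still passes through relaxed SPF alignment.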

FAQ

Does DMARC require both SPF and DKIM to align?

No. DMARC passes if either SPF or DKIM is both authenticated and aligned. You do not need both — one is sufficient.

If DKIM breaks, will my emails fail DMARC?

Yes — if DKIM is your only aligned authentication path and it breaks (due to key rotation, DNS issues, or message modification), DMARC will fail. This is why having SPF alignment as a backup is valuable. Configure a custom Return-Path domain with your ESP to enable SPF alignment as a safety net.

Should I set up SPF alignment even if everything is working?

It is a good practice but not urgent. Prioritize DKIM alignment first. Then add SPF alignment when you have time, by configuring custom bounce/Return-Path domains with your ESPs.

What does my DMARC report show when SPF alignment fails?

The report will show spf with a result of pass for authentication but fail for alignment. The overall DMARC disposition will still be none (pass) if DKIM alignment succeeds.
