Blog

DMARC Alignment vs DMARC Policy — The Difference Most Guides Skip

March 19, 2026

You've read the DMARC guides. You set p=reject. SPF passes. DKIM passes.

Emails still fail DMARC.

The reason is usually alignment — and most guides explain policy without properly explaining alignment.

What Policy Does

Policy (the p= tag) tells receivers what to DO with emails that fail DMARC.

p=none → deliver and report. p=quarantine → send to spam. p=reject → block entirely.

That's it. Policy is enforcement.

What Alignment Does

Alignment checks whether SPF and DKIM are passing for YOUR domain — not just any domain.

This is the part people miss.

When you send through SendGrid, SendGrid signs your email with DKIM. The signature passes. But it's signed with sendgrid.net — not your domain.

DMARC says: that doesn't count. The signing domain must match your From: domain.

The Exact Check

DMARC looks at two things:

SPF: does the Return-Path domain match your From: domain?
DKIM: does the d= tag in the DKIM signature match your From: domain?

If either one matches → DMARC passes. If neither matches → DMARC fails. Regardless of your policy setting.

Why Third-Party Senders Break Alignment

SendGrid, Mailgun, HubSpot — by default they all send from their own domain.

Your From: says you@yourdomain.com. The Return-Path says bounce@sendgrid.net.

SPF passes for sendgrid.net. But that's not aligned with yourdomain.com.

The fix is provider-specific CNAME records that let the provider sign with your domain.

How to Check Alignment

Run DNS Preflight. The alignment visual at the top of the results shows exactly what FROM domain is being compared against what Return-Path domain.

Red arrow = misaligned. Green = passing.

Check your alignment

Open DNS Preflight →

Also read: DMARC alignment · DMARC policy · DMARC fix guides

FAQ

What is DMARC alignment?

The requirement that SPF or DKIM must pass for your From: domain specifically — not just any domain. Passing for sendgrid.net doesn't count as alignment for yourdomain.com.

Can DMARC pass if only DKIM is aligned?

Yes. DMARC passes if either SPF or DKIM aligns with your From: domain. You don't need both.

Why does SPF pass but DMARC still fail?

SPF may be passing for the Return-Path domain — but that domain doesn't match your From:. Alignment requires the domains to match.

What is relaxed alignment?

Relaxed alignment (default) allows subdomains to match — mail.yourdomain.com aligns with yourdomain.com. Strict requires an exact match.

How do I fix alignment for SendGrid?

Add SendGrid's three CNAME records to your DNS — they let SendGrid sign with your domain instead of theirs. See the SendGrid DMARC fix guide.

← All posts