Why Your Emails Pass SPF and DKIM But Still Fail DMARC
This is the most confusing thing in email authentication.
SPF passes. DKIM passes. Your checker shows both green. And DMARC still fails.
It feels like a bug. It's not.
The Problem Is Alignment
SPF and DKIM passing is not enough. They have to pass for the right domain.
DMARC checks whether the domain SPF passed for (the Return-Path domain) and the domain DKIM signed with (the d= tag) match your From: header domain. This is called alignment.
When you send through a third-party provider, they pass SPF and DKIM for their own domain — not yours.
A Real Example
You send email from you@yourdomain.com through SendGrid.
SendGrid signs the email with DKIM. The signature passes verification.
But the DKIM d= tag says sendgrid.net. Not yourdomain.com.
SPF passes for the Return-Path — which is @sendgrid.net. Not @yourdomain.com.
DMARC checks the From: domain (yourdomain.com) against the SPF and DKIM domains (sendgrid.net). They don't match. DMARC fails.
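The alignment check from this example, as an added sketch that is not code from the original post or from any provider. It assumes the receiver has already verified SPF and DKIM (both pass, as described above), uses constructed sample headers, and approximates the organizational domain as the last two labels where real receivers use the Public Suffix List. It also goes slightly beyond the post by showing DMARC's relaxed (default) versus strict alignment modes.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: provider defaults, as in the example above.
DEFAULT_SETUP = """\
Return-Path: <bounces@sendgrid.net>
DKIM-Signature: v=1; a=rsa-sha256; d=sendgrid.net; s=s1; bh=xx; b=xx
From: You <you@yourdomain.com>
Subject: constructed sample

hello
"""
# Constructed sample: after the provider CNAMEs, DKIM d= is the sender's domain.
AFTER_FIX = DEFAULT_SETUP.replace("d=sendgrid.net", "d=yourdomain.com")

def org_domain(domain):
    """Assumption: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Relaxed mode compares organizational domains; strict needs an exact match."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_alignment(raw, spf_pass=True, dkim_pass=True, strict=False):
    """spf_pass/dkim_pass stand in for the receiver's verification results."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    dkim_doms = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", sig)
        if m:
            dkim_doms.append(m.group(1))
    # A pass only counts for DMARC when the authenticated domain aligns with From:
    spf_ok = spf_pass and bool(rp_dom) and aligned(rp_dom, from_dom, strict)
    dkim_ok = dkim_pass and any(aligned(d, from_dom, strict) for d in dkim_doms)
    return {"from": from_dom, "return_path": rp_dom, "dkim_d": dkim_doms,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    for name, raw in (("default", DEFAULT_SETUP), ("after fix", AFTER_FIX)):
        print(name, dmarc_alignment(raw))
```

In the second sample the Return-Path still belongs to the provider, so SPF stays unaligned and DMARC passes on DKIM alone.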
The Fix
You need provider-specific CNAME records that let the provider sign with YOUR domain.
For SendGrid: add the three CNAME records from their Sender Authentication dashboard. After that, the DKIM d= tag shows yourdomain.com — and DMARC passes.
Every major provider has the same pattern. See the DMARC provider fix guides.
How to Diagnose This Quickly
Run DNS Preflight. The alignment visual shows FROM domain vs Return-Path domain as two boxes with an arrow.
Red arrow = not aligned. The provider detection card tells you exactly which CNAMEs are missing.
FAQ
How can SPF and DKIM pass but DMARC still fail?
SPF and DKIM can pass for the provider's domain — but DMARC requires them to pass for YOUR From: domain. That's alignment.
Which providers cause this most often?
SendGrid, Mailgun, HubSpot, Klaviyo — any provider that sends from their own infrastructure by default. All require specific CNAME setup.
Is there a quick way to tell if I have an alignment problem?
Run DNS Preflight — the alignment visual shows the mismatch immediately. The provider detection card shows which CNAMEs to add.
Do I need to fix both SPF and DKIM alignment?
No. DMARC passes if either SPF OR DKIM aligns. Fixing one is enough.
Will fixing alignment affect my existing email delivery?
No. Adding CNAME records doesn't interrupt existing delivery. Alignment improves once the provider verifies the records.