Errors

DMARC Alignment Failing — Why and How to Fix It

DMARC alignment fails when your From: domain doesn’t match the domain used for SPF or DKIM. Third-party senders often need their CNAME bundle — not just your SPF TXT.

What this error means

DMARC doesn’t stop at SPF/DKIM pass — the domain in From: must match the domain that passed SPF (Return-Path) or DKIM (d=). SendGrid signing as sendgrid.net is a DKIM pass — but not aligned with your brand.

Common causes

ESP not set up for branded sending (missing CNAMEs)
Return-Path doesn’t match your From: domain
DKIM selector missing or pointing at the provider’s domain only

Fix it step by step

Step 1 Run DNS Preflight → check alignment at the top of ACTIONS — does From match Return-Path?

Step 2 Identify which provider is causing the mismatch (provider detection cards)

Step 3 Open the provider-specific fix guide for your sender

Step 4 Add the required CNAME records to your DNS

Step 5 Wait up to 48 hours for propagation then re-run DNS Preflight

Step 6 Confirm alignment shows green → ✓

Run DNS Preflight to see alignment and missing DNS

Open DNS Preflight →

Also read: DMARC fix guides by provider · DMARC alignment · DMARC

FAQ

Why does DMARC fail even when SPF and DKIM both pass?

DMARC needs alignment — passes must be for your domain, not sendgrid.net. A pass on the wrong domain doesn’t count.

How do I know which provider is causing the failure?

DNS Preflight detects your sender and shows which CNAMEs or records are missing.

Can DMARC pass with only DKIM alignment?

Yes — either SPF or DKIM alignment is enough. You don’t need both.

What is relaxed vs strict DMARC alignment?

Relaxed (default) lets subdomains align with the org domain. Strict needs an exact domain match.

How long after fixing CNAMEs will DMARC pass?

DNS can take up to 48 hours. Re-run Preflight then watch aggregate reports.

← All error fixes

Open DNS Preflight and re-check your zone →