Fix guide

How to Fix DMARC Alignment for Proofpoint

Proofpoint DMARC alignment in gateway and relay configurations requires coordinating SPF, DKIM signing settings in the Proofpoint admin console and ensuring your From: domain matches the signing domain.

Why alignment fails

Enterprise gateways alter mail paths; alignment requires consistent DKIM d= and SPF evaluation for your published policy.

Exact DNS records

DKIM TXT at selectors Proofpoint provides SPF: authorize all legitimate sending paths (consult Proofpoint for your topology)

Step-by-step fix

Step 1 Proofpoint → Email Authentication / DKIM settings (path varies by product)

Step 2 Enable DKIM signing for each sending domain

Step 3 Add selector TXT records Proofpoint provides

Step 4 Ensure SPF includes authorized hops for your mail flow

Step 5 Send test mail and inspect Authentication-Results headers

Step 6 Confirm public DKIM and SPF with DNS Preflight

Verify alignment and DNS in your browser

Open DNS Preflight →

Related glossary: DMARC · DMARC alignment · DKIM · SPF record

FAQ

Gateway vs relay — how does alignment differ?

Relays change which IP and envelope domain receivers see. Work with Proofpoint documentation for your deployment so SPF and DKIM d= align with From:.

How do I enable DKIM in Proofpoint?

Use the admin console for your Proofpoint product to generate keys and publish DNS TXT records at the given selectors.

How does SPF alignment work with relays?

Return-Path and sending IP must match your SPF design; complex relays may need SRS or aligned bounce domains — consult Proofpoint support.

Why is Proofpoint alignment complex?

Enterprise mail paths often involve multiple hops and gateways — alignment must be validated end-to-end.

How do I verify alignment?

Inspect headers on test messages, use DMARC reports, and DNS Preflight for published DNS.

← All DMARC fix guides

Run checks on domainpreflight.dev →