What is DMARC alignment?

DMARC alignment requires the From: domain to match the domain used in SPF or DKIM authentication.

Why does DMARC fail with SendGrid?

SendGrid sends from its own Return-Path domain, breaking SPF alignment. You need to add SendGrid's CNAME records to enable domain alignment.

Can I pass DMARC with only DKIM alignment?

Yes. DMARC passes if either SPF or DKIM aligns with the From: domain — both are not required.

Glossary

DMARC Alignment — Why It Fails and How to Fix It

DMARC alignment is the requirement that the domain in the email's From: header matches the domain authenticated by SPF (the Return-Path domain) or DKIM (the d= tag). When you send email through a third-party provider like SendGrid or Mailgun, alignment often fails unless you configure the provider-specific CNAME records.

SPF Alignment vs DKIM Alignment

SPF alignment checks whether the Return-Path domain matches the From: domain. DKIM alignment checks whether the d= tag in the DKIM signature matches the From: domain. DMARC passes if either one aligns.

Why Third-Party Senders Break Alignment

When you send via SendGrid, the Return-Path is @sendgrid.net — not your domain. This breaks SPF alignment. To fix it, SendGrid requires you to add specific CNAME records that point to their servers, allowing them to sign with your domain.

How to Fix DMARC Alignment

Each provider requires different CNAME records:

Google Workspace: configured automatically
SendGrid: em####.yourdomain.com CNAME
Mailgun: specific CNAME records per region
Microsoft 365: selector1/selector2 CNAMEs

How to Check Alignment

Use DomainPreflight's alignment engine to detect which provider you're using and see exactly which CNAMEs are missing.

Full DNS and email authentication checks

Open DNS Preflight →