Edge case: DMARC shows SPF passing but alignment failing on specific mail servers
You've set up DMARC, you're receiving aggregate reports, and you're diligently working through the data. Most of the time, things make sense: SPF passes, DKIM passes, and DMARC passes. Or, if something fails, it's clear why.
But then you encounter an edge case that makes you scratch your head: DMARC reports show SPF passing, yet SPF alignment for that same email stream is failing. How can SPF pass but alignment fail? Isn't alignment part of the SPF check? Not quite: the SPF check and the alignment check are two separate tests, and DMARC needs both to succeed. This scenario is a common source of confusion, especially when dealing with third-party email senders.
Let's break down what's happening, why it happens, and how to fix it.
The DMARC Alignment Basics (Quick Recap)
Before we dive into the edge case, let's quickly review the core concepts of DMARC alignment for SPF and DKIM.
DMARC relies on either SPF or DKIM (or both) passing and being aligned with the From: header domain. The From: header domain is what your recipients see in their email client.
- SPF Alignment: For SPF to be DMARC-aligned, the domain in the Return-Path (also known as the envelope sender or MAIL FROM address) must match the From: header domain.
  - Strict Alignment (aspf=s): The Return-Path domain must be identical to the From: header domain. sub.yourdomain.com does not align with yourdomain.com.
  - Relaxed Alignment (aspf=r): The Return-Path domain and the From: header domain only need to share the same organizational domain, so sub.yourdomain.com does align with yourdomain.com. This is the default and is usually recommended for flexibility.
- DKIM Alignment: For DKIM to be DMARC-aligned, the domain in the d= tag of the DKIM-Signature header must match the From: header domain.
  - Strict Alignment (adkim=s): The d= domain must be identical to the From: header domain.
  - Relaxed Alignment (adkim=r): The d= domain and the From: header domain only need to share the same organizational domain. This is also the default.
DMARC passes if at least one of these (SPF or DKIM) passes and is aligned.
The Core Problem: SPF "Passing" But Alignment "Failing"
The confusion arises because the DMARC report indicates that "SPF passed." This means that the SPF check itself was successful for the domain specified in the Return-Path. The sending IP was authorized by the SPF record of the Return-Path domain.
However, for DMARC, that's only half the story. The other half is alignment. If the Return-Path domain for which SPF passed is not the same domain as your From: header domain (or, with relaxed aspf, not in the same organizational domain), then DMARC's SPF alignment requirement is not met, and the SPF pass counts for nothing in the DMARC verdict.
So, SPF passed for domain-A.com, but DMARC's SPF alignment failed because your From: header was domain-B.com, and domain-A.com is not domain-B.com (nor a subdomain).
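To make the two-step evaluation concrete, here is an added Python example (not code from the original article, and not any vendor's or receiver's implementation) that parses a small, constructed aggregate-report excerpt and recomputes each record's DMARC verdict from the raw SPF/DKIM results plus alignment. The domain names, the 203.0.113.x addresses (documentation range) and the tiny public-suffix table are assumptions for illustration; a real evaluator uses the Public Suffix List to find the organizational domain.

```python
"""DMARC identifier alignment evaluated the way a receiving MTA does it (RFC 7489).

Added example, not code from the original article. Parses a small, constructed
aggregate-report (RUA) excerpt and recomputes each record's DMARC verdict so the
gap between "SPF pass" and "SPF aligned" is visible.
"""
import xml.etree.ElementTree as ET

# Assumption: a tiny stand-in for the Public Suffix List, enough for this example.
# A production evaluator must use the real PSL to find the organizational domain.
_MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def organizational_domain(domain: str) -> str:
    """Registrable ("organizational") domain: mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, header_from: str, mode: str = "r") -> bool:
    """Identifier alignment. 's' (strict) needs an exact match; 'r' (relaxed, the
    default) needs the same organizational domain, so sub.example.com aligns
    with example.com in either direction."""
    a, f = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def dmarc_result(header_from, spf_domain, spf_result, dkim_domain, dkim_result,
                 aspf="r", adkim="r"):
    """Combine raw SPF/DKIM results with alignment. A raw 'pass' that is not
    aligned contributes nothing to DMARC."""
    spf_ok = spf_result == "pass" and spf_domain is not None \
        and is_aligned(spf_domain, header_from, aspf)
    dkim_ok = dkim_result == "pass" and dkim_domain is not None \
        and is_aligned(dkim_domain, header_from, adkim)
    return {"spf": "pass" if spf_ok else "fail",
            "dkim": "pass" if dkim_ok else "fail",
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed RUA excerpt, not a real report. esp.example stands for a third-party
# sender that rewrites the Return-Path to its own bounce domain.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published>
    <domain>yourcompany.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.11</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcompany.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def explain_report(xml_text: str) -> list:
    """Recompute the DMARC verdict for every record next to the raw results."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    aspf, adkim = pol.findtext("aspf", "r"), pol.findtext("adkim", "r")
    out = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from")
        spf, dkim = rec.find("auth_results/spf"), rec.find("auth_results/dkim")
        spf_domain = spf.findtext("domain") if spf is not None else None
        spf_raw = spf.findtext("result") if spf is not None else "none"
        dkim_domain = dkim.findtext("domain") if dkim is not None else None
        dkim_raw = dkim.findtext("result") if dkim is not None else "none"
        v = dmarc_result(header_from, spf_domain, spf_raw, dkim_domain, dkim_raw, aspf, adkim)
        out.append({"source_ip": rec.findtext("row/source_ip"), "header_from": header_from,
                    "spf_domain": spf_domain, "spf_raw": spf_raw, "spf_aligned": v["spf"],
                    "dkim_aligned": v["dkim"], "dmarc": v["dmarc"],
                    "reported_spf": rec.findtext("row/policy_evaluated/spf")})
    return out


if __name__ == "__main__":
    for r in explain_report(SAMPLE_REPORT):
        print(f"{r['source_ip']}: SPF {r['spf_raw']} for {r['spf_domain']} but From is "
              f"{r['header_from']} -> aligned SPF {r['spf_aligned']}, DMARC {r['dmarc']}")
```

The first record is the edge case from this article: `auth_results/spf` says pass for bounce.esp.example, but `policy_evaluated/spf` says fail because that domain does not share an organizational domain with yourcompany.com. The second record shows why the usual fix works: the same unaligned SPF result is still there, but an aligned DKIM signature with d=yourcompany.com carries the DMARC pass on its own.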
Common Scenarios Leading to This Edge Case
This usually happens when a third party is involved in sending your email.
Scenario 1: Third-Party Email Senders (ESPs, CRMs, Transactional Services)
This is by far the most common culprit. Services like Salesforce, Mailchimp, SendGrid, HubSpot, Zendesk, etc., often rewrite the Return-Path to their own domain for bounce handling and feedback loops.
Example:
You send an email via Salesforce.
* Your From: header: info@yourcompany.com
* Salesforce rewrites the Return-Path: