TIL: DKIM, SPF, and DMARC Alignment Are Not the Same Thing

Passing SPF and DKIM doesn't mean DMARC passes. Alignment is a separate check — and missing it is why your authenticated emails still land in spam.

This cost me a week of debugging on the Prachyam mail setup. SPF passed. DKIM passed. Emails still landed in spam. The reason: DMARC alignment failure.

What alignment means

DMARC doesn't just check that SPF and DKIM pass — it checks that they pass for the right domain.

Specifically, DMARC compares the domain in the email's From: header against:

• The domain in the SPF Return-Path (envelope sender)
• The domain in the DKIM d= tag

If neither matches the From: domain, DMARC fails — even if SPF and DKIM themselves are technically valid.

The common failure mode

You're sending via a third-party service (Mailchimp, SendGrid, or in our case a shared relay). The relay signs with its own DKIM key (d=sendgrid.net) and sets its own Return-Path. Both pass authentication. But your From: header is team@prachyam.org. Neither the DKIM domain nor the SPF domain matches prachyam.org. DMARC alignment fails.

Relaxed vs strict alignment

DMARC has two alignment modes, set in the _dmarc TXT record:

• aspf=r (relaxed): SPF domain just needs to share the organizational domain. mail.prachyam.org aligns with prachyam.org.
• aspf=s (strict): exact match required. mail.prachyam.org does NOT align with prachyam.org.
• Same logic for adkim=r/s.

Relaxed mode is almost always what you want for your own infrastructure.

The fix for relay sending

Either:

1. Have the relay sign with your domain's DKIM key (you give them the private key — not great)
2. Set up a custom domain in the relay's settings so it signs with d=prachyam.org
3. Use your own mail server (Postfix) and control DKIM signing yourself — what we did

Option 3 is the only one that gives you full alignment control without trusting a third party with your private key.

Quick check

If you see dmarc=fail alongside dkim=pass and spf=pass, alignment is your problem.