Explains the alignment concept that trips up most senders.
If your DMARC is failing, it means your emails are not passing the alignment checks that DMARC requires. This is the part that confuses most senders: you can have SPF passing and DKIM passing individually, yet DMARC still fails. The reason is DMARC alignment. DMARC does not just check whether SPF or DKIM pass. It checks whether the domain in either the SPF or DKIM result matches the domain in your email's From header. If neither aligns, DMARC fails even though both underlying checks technically passed.
DMARC alignment means the domain that passes SPF or DKIM must match the domain in the From address of your email. If you send from sales@yourdomain.com, then either the SPF check must pass for yourdomain.com specifically, or the DKIM signature must be signed by yourdomain.com. If SPF passes for a different domain (like your email provider's domain) and DKIM is signed by a different domain, neither aligns with the From domain, and DMARC fails.
Send a test email to Gmail and view the original headers. Find the DKIM result and note the d= value in the DKIM signature. This shows which domain signed the email. If you send from yourdomain.com but the DKIM signature shows d=otherdomain.com, DKIM alignment fails. The fix is to configure DKIM signing for your own domain in your email provider's settings. For Google Workspace, this means generating and enabling DKIM in the admin console for your domain. For Amazon SES, verify your domain and add the CNAME records for Easy DKIM.
In the same email headers, check the SPF result and the envelope from domain (also called the return path or MAIL FROM). If the envelope from domain is different from your From header domain, SPF alignment fails even if SPF itself passes. Some email services use their own domain as the envelope from, which breaks SPF alignment. Check whether your email provider lets you configure a custom envelope from or return path domain. If not, DKIM alignment becomes your path to passing DMARC.
Look up the TXT record at _dmarc.yourdomain.com. If no record exists, email providers treat DMARC as absent rather than failing, but you lose the protection and reputation benefit of having a DMARC policy. If the record exists but has syntax errors, it may be ignored. A correct record looks like: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com. Run it through a DMARC record validator to check for formatting issues.
DMARC passes if either SPF or DKIM aligns with the From domain. You only need one to align, not both. The most reliable fix for a DMARC failure for cold email senders is ensuring DKIM is properly configured for your sending domain. DKIM alignment is more dependable than SPF alignment because it survives email forwarding and does not depend on the envelope from configuration. Configure DKIM signing for your domain, verify it passes, and then check that the d= value in the DKIM header matches your From domain. Once DKIM aligns, DMARC will pass.
After making changes, send another test email and check the headers. The DMARC result should now show "pass." If it still fails, verify that the DKIM d= domain exactly matches your From domain, including any subdomain differences. DMARC relaxed alignment accepts subdomain matches by default, but strict alignment requires an exact match. If you are unsure of your DMARC alignment mode, check whether your record includes adkim=s (strict) and consider changing it to adkim=r (relaxed) or removing it entirely, as relaxed is the default.
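The header checks walked through above can be scripted. The following is an added example, not code from the original page: it reads the From header and the Authentication-Results header of a message, applies the adkim/aspf modes from the DMARC record, and reports which check aligns. The function names and the sample message are constructed for illustration, the receiver is assumed to record the signing domain as header.d, and the organizational domain is approximated as the last two labels rather than looked up in the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: last two labels. Real checkers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_tags(record):
    # "v=DMARC1; p=quarantine; adkim=s" -> {"v": "DMARC1", ..., "adkim": "s"}
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_verdict(raw_message, dmarc_record):
    tags = parse_tags(dmarc_record)
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    headers = " ".join(msg.get_all("Authentication-Results", []))
    headers = re.sub(r"\([^)]*\)", "", headers)  # drop (comments)
    report = {"from": from_domain, "spf": False, "dkim": False}
    for clause in headers.split(";"):
        m = re.search(r"\b(spf|dkim)=(\w+)", clause)
        if not m or m.group(2) != "pass":
            continue  # only a passing check can contribute alignment
        method = m.group(1)
        prop, tag = ("smtp.mailfrom", "aspf") if method == "spf" else ("header.d", "adkim")
        d = re.search(re.escape(prop) + r"=(\S+)", clause)
        if d:
            domain = d.group(1).rpartition("@")[2]
            mode = tags.get(tag, "r")  # relaxed is the default
            report[method] |= aligned(domain, from_domain, mode)
    report["dmarc"] = "pass" if report["spf"] or report["dkim"] else "fail"
    return report

def sample(dkim_d):
    # Constructed message: SPF passes, but for the provider's bounce domain.
    return ("Authentication-Results: mx.receiver.example;\n"
            " spf=pass smtp.mailfrom=bounce.mailprovider.example;\n"
            f" dkim=pass header.d={dkim_d}\n"
            "From: Sales <sales@yourdomain.com>\n\nbody\n")

RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"
for d, rec in [("mailprovider.example", RECORD), ("mail.yourdomain.com", RECORD),
               ("mail.yourdomain.com", RECORD + "; adkim=s")]:
    print(d, dmarc_verdict(sample(d), rec))
```

The first case is the "SPF and DKIM pass, DMARC fails" situation; the second passes on relaxed DKIM alignment alone; the third shows the same message failing once adkim=s demands an exact match.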
When setting up a new sending domain, configure DKIM signing before sending any email. Verify alignment by checking headers on a test email. When adding new sending services or providers, verify that they support DKIM signing for your domain and that the alignment remains intact. Review DMARC aggregate reports periodically to catch alignment issues early. Any time you change email providers or add a new sending service, retest DMARC alignment.
EmailQo runs DNS authentication validation before every send, including DMARC record checks. If your DMARC record is missing or misconfigured, or if alignment issues are detected, the pre-send health check surfaces the problem before your campaign goes out. This catches DMARC issues at the setup stage rather than after your emails have already been filtered due to failed authentication.
Yes. SPF and DKIM can each pass their own checks but fail DMARC alignment. DMARC requires that the domain which passes SPF or DKIM matches the From header domain. If both pass for different domains than your From address, DMARC still fails.
No. DMARC passes if either SPF or DKIM aligns. You only need one. For cold email, focusing on DKIM alignment is usually the most reliable approach because it survives forwarding and does not depend on envelope from configuration.
Relaxed alignment allows subdomain matches. If your From address is sales@yourdomain.com and DKIM signs as subdomain.yourdomain.com, relaxed alignment considers this a match. Strict alignment requires an exact domain match. Relaxed is the default and is recommended for most senders because it accommodates common subdomain configurations without breaking DMARC.