Quick answer
Your SPF check passed, your DKIM signature verified, and DMARC still failed. That is not a contradiction. DMARC does not ask whether SPF or DKIM passed. It asks whether the identity they authenticated is the same domain a reader sees in the From: header. That second test is called identifier alignment (RFC 7489 §3.1).
A message passes DMARC when at least one of SPF or DKIM produces a pass and that pass is on an identifier that aligns with the RFC5322.From domain. One aligned mechanism is enough, so you never need both to align. But a passing mechanism that is not aligned counts for nothing, which is exactly how SPF passes while DMARC fails.
What alignment actually compares
DMARC authenticates the RFC5322.From domain, the one your mail client displays. SPF and DKIM each authenticate a different identity, so alignment is the step that ties their result back to the visible sender:
- DKIM authenticates the domain in the signature's
d=tag. Alignment compares thatd=domain against theFromdomain (RFC 7489 §3.1.1). See DKIM selectors and keys for whered=comes from. - SPF authenticates the envelope sender, the
RFC5321.MailFromaddress, also called the return-path or bounce address. Alignment compares that envelope domain against theFromdomain (RFC 7489 §3.1.2).
The envelope sender and the From: header are two separate addresses that only look the same when you send your own mail directly. The moment a platform sends on your behalf, they usually diverge, and that gap is where alignment does its work.
Relaxed vs strict, and the adkim and aspf tags
Two tags in your DMARC record choose how forgiving the comparison is: adkim for the DKIM path and aspf for the SPF path. Each takes one of two values, and both default to relaxed when the tag is absent (RFC 7489 §6.3).
| Tag | Value | Mode | What has to match |
|---|---|---|---|
adkim / aspf | r (default) | relaxed | the same Organizational Domain (subdomains align) |
adkim / aspf | s | strict | an exact match of the full domain name |
In relaxed mode, mail.example.com aligns with example.com because they share the Organizational Domain example.com. In strict mode the two fully qualified names must be identical, so mail.example.com would not align with example.com (RFC 7489 §3.1.1). A record that demands strict on both paths looks like this:
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com
Strict is not "more secure" in a way that helps most senders. It mainly breaks subdomains and shared infrastructure that would have been fine under relaxed. The alignment mode is independent of the DMARC policy mode (p=none, p=quarantine, p=reject), which is a separate decision about what a receiver does once alignment has been judged.
How the Organizational Domain is determined
Relaxed alignment hinges on the Organizational Domain, so it has to be defined precisely. DMARC uses a Public Suffix List: it takes the public suffix (a registry-controlled part such as com, co.uk, or pvt.k12.ma.us) and adds the one label immediately above it (RFC 7489 §3.2).
mail.marketing.example.comreduces toexample.com.example.co.ukreduces toexample.co.uk, becauseco.ukis the public suffix.
Both a From domain and an authenticated domain reduce this way, and relaxed alignment passes when the two reduced Organizational Domains are equal. This is why any subdomain of your organizational domain aligns under relaxed, and why choosing the wrong registrable boundary (treating co.uk as if uk were the suffix) would produce the wrong answer.
Why SPF passes but DMARC still fails
The paradox in the opening almost always traces to one of three shapes. Each has its own detailed walkthrough, so this page names the cause and points you at the fix:
- SPF authenticated the platform's bounce domain, not yours. The envelope
RFC5321.MailFromis on the sender's domain while yourFrom:is on yours, so SPF passes but is not aligned. This is return-path misalignment. - DKIM verified, but signed with the wrong
d=. The signature is valid yet itsd=domain is not yourFromdomain, so DKIM passes without aligning. This is the DKIM-passes-but-DMARC-fails case. - A third-party sender can only align under relaxed, and you set strict.
adkim=soraspf=srejects a subdomain or shared-domain result that relaxed would have accepted. See when DMARC is too strict for a third-party sender.
To see which identities actually aligned on a live domain, run a lookup with the DMARC checker. For how alignment sits inside the wider SPF plus DKIM plus DMARC picture, including the full pass/fail matrix, start from email authentication explained.