DMARC alignment with SPF and DKIM
dmarc alignment · spf dkim dmarc · email deliverability
Why valid SPF or DKIM can still fail DMARC when envelope, header From, and signing domains do not align.
By DN01 Network Team
DMARC asks whether the identity that passed SPF or DKIM aligns with the domain visible to the recipient, not merely whether a check returned pass. The DN01 DMARC Analyzer fetches the _dmarc TXT record, parses tags, and highlights policy and alignment settings operators need before enforcement. Operators use it during migrations, incident triage, and vendor onboarding when they need repeatable evidence rather than ad-hoc screenshots.
Forwarding breaks SPF on many paths, which is why teams rely on DKIM alignment with the customer From domain.
Use DN01 to read aspf, adkim, and alignment modes, then fix signing domains or envelope senders before raising policy to quarantine or reject. Combine DMARC output with SPF and DKIM validators on the same domain so authentication fixes happen together. Save the result permalink in the ticket, record the check time, and compare output before and after configuration changes or client updates.
Re-run the check after every meaningful change and keep the guide link in the team runbook so new operators follow the same diagnostic order.
Tags DN01 highlights
Policy p= and subdomain sp= define receiver actions; pct= limits how much mail the policy applies to during rollout.
Alignment modes aspf and adkim control whether relaxed or strict matching is required between authenticated domains and the visible From header.
Rollout mistakes
Publishing reject while marketing or ticketing platforms still send with vendor DKIM breaks legitimate mail silently or via spam folders.
Ignoring aggregate reports means you discover misaligned sources only after customers complain about missing receipts.
Safe enforcement path
Start at p=none with rua, fix alignment for every approved sender, then move to quarantine before reject.
Use pct= below one hundred only as a temporary bridge; document the target date for full enforcement in your mail operations runbook.
Documentation and next steps
Archive checker output in change tickets, vendor reviews, and incident records so the next operator sees the same parsed evidence instead of a screenshot alone.
Link this guide and the tool landing in team wikis, then pair results with related DN01 utilities when the issue crosses DNS, mail, TLS, or security layers. Note who ran the check, which input was used, and whether the result permalink was shared with the requester.
When to escalate or combine checks
If DMARC Analyzer output still disagrees with user reports after a restart or cache clear, capture timestamps, raw inputs, and the DN01 permalink before changing production DNS, mail, TLS, or auth settings.
Escalate to platform or identity owners when enterprise policy blocks the fix; otherwise pair this guide with adjacent DN01 DNS, mail, TLS, or security utilities so one ticket closes the loop.
| Policy | Typical use |
|---|---|
| p=none | Monitor and collect rua reports |
| p=quarantine | Soften failures into spam folders |
| p=reject | Block spoofed mail after alignment is clean |
| pct<100 | Gradual enforcement only |
Frequently asked questions
- Does DMARC replace SPF or DKIM?
No. DMARC depends on SPF and DKIM results plus alignment with the From domain.
- Should every domain use p=reject?
Many sending domains should eventually, but only after reports show aligned legitimate mail and no surprise sources.
- Why show pct separately?
A reject policy with pct=20 is not full enforcement. DN01 surfaces pct so operators do not overestimate protection.
- Can I share results with my team?
Yes. Copy the DN01 output or permalink into change tickets so everyone reviews the same parsed evidence instead of screenshots alone.