DKIM Alignment Explained: Why DKIM Passes but DMARC Fails

Understand DKIM alignment and why your emails can pass DKIM but still fail DMARC. Learn the difference between relaxed and strict alignment modes.

Last updated: 2026-04-23

You run a DKIM check, and the result comes back "dkim=pass." Everything looks fine. Then you pull up your DMARC reports and see a string of failures. How is that possible? If DKIM passed, shouldn't DMARC pass too?

The answer comes down to something called alignment. DMARC (Domain-based Message Authentication, Reporting, and Conformance) does not just check whether a DKIM (DomainKeys Identified Mail) signature is valid; it also checks whether the domain that signed the message matches the domain in your From address. When those domains don't match, DKIM passes on its own but DMARC treats it as if it never happened.

This is one of the most confusing parts of email authentication, and it trips up businesses every day, especially those using third-party services to send email.

What Is DKIM Alignment?

Every DKIM signature includes a d= tag that identifies which domain signed the message:

DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=selector; ...

Your email's From header shows the address recipients see:

From: hello@yourdomain.com

DKIM alignment means the d= domain matches the From header domain. DMARC alignment is defined in RFC 7489, Section 3.1. When they match, DMARC counts the DKIM pass toward authentication. When they don't match, DMARC ignores the DKIM result entirely, even though the signature itself is perfectly valid.

This is intentional. DMARC exists to prevent domain spoofing. A valid DKIM signature from some other domain proves that domain sent the email, but it says nothing about whether your From domain authorized it.

Relaxed vs Strict Alignment

Your DMARC record controls alignment mode through the adkim= tag. The two modes handle subdomains very differently.

Alignment Mode | How It Works
Relaxed (adkim=r) | Organizational domains must match. Subdomains are allowed. If your From address is user@mail.yourdomain.com and DKIM signs with d=yourdomain.com, this passes because the root domains match.
Strict (adkim=s) | Domains must match exactly. If your From address is user@mail.yourdomain.com and DKIM signs with d=yourdomain.com, this fails because the subdomain does not match the root domain exactly.

Relaxed alignment is the default when adkim= is not specified in your DMARC record. Most businesses should stick with relaxed; strict alignment breaks common configurations and rarely adds meaningful security. You can check your current DMARC alignment setting at dmarcrecordchecker.com.

Common Alignment Failures

Third-Party Services Signing With Their Own Domain

This is the number one cause of alignment failures. You use a service like Mailchimp or HubSpot to send marketing campaigns. Your From address says marketing@yourdomain.com, but the email service signs with their domain:

From: marketing@yourdomain.com
DKIM-Signature: d=mailchimp.com; ...

DKIM passes (the signature is valid), but mailchimp.com does not match yourdomain.com. DMARC sees an unaligned result and ignores it completely.

The fix is straightforward: most email services support custom DKIM signing. You add their DNS (Domain Name System) records to your domain, and they sign with d=yourdomain.com instead of their own domain. Look for "domain authentication" or "domain verification" in your provider's settings.

Subdomain Mismatches Under Strict Alignment

If your DMARC policy uses strict alignment and you send from subdomains, you can create failures without realizing it. An email from news@updates.yourdomain.com signed with d=yourdomain.com passes under relaxed alignment but fails under strict, because the subdomain does not exactly match the root domain.

The simplest fix is switching to relaxed alignment. If you need strict mode for security reasons, configure your mail server to sign with the exact subdomain.

How to Check Your Alignment

The easiest way to spot alignment problems is by looking at your email headers.

Send a test email from the service you want to check to an external account (Gmail works well). Open the received email, click the three dots, and select "Show original." Find the Authentication-Results header:

dkim=pass header.d=yourdomain.com
dmarc=pass

If you see dkim=pass but dmarc=fail, compare the header.d= domain against your From address domain. A mismatch means you have an alignment problem.
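
As an added example (not code from the original article), this Python sketch automates the header comparison above: it reads the From domain, collects every dkim=pass header.d= value from Authentication-Results, and evaluates each under the adkim= mode of a DMARC record. The sample message, the mx.example.net host name, and the four-entry PUBLIC_SUFFIXES set are constructed assumptions; a real relaxed-mode check needs the full Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; real checks need the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no suffix is known

def adkim_mode(dmarc_record):
    """Read adkim= from a DMARC TXT record; relaxed ("r") is the default."""
    pairs = (part.partition("=") for part in dmarc_record.split(";"))
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in pairs if v}
    return tags.get("adkim", "r")

def aligned(from_domain, d_domain, mode):
    """Strict: exact match. Relaxed: organizational domains match."""
    if mode == "s":
        return from_domain.lower() == d_domain.lower()
    return org_domain(from_domain) == org_domain(d_domain)

def dkim_alignment(raw_message, dmarc_record):
    """Return [(d_domain, is_aligned)] for each dkim=pass result in the message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    mode = adkim_mode(dmarc_record)
    results = []
    for header in msg.get_all("Authentication-Results", []):
        for d in re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", header):
            results.append((d, aligned(from_domain, d, mode)))
    return results

# Constructed sample: one signature from the platform, one from the From domain.
SAMPLE = """\
From: Marketing <marketing@yourdomain.com>
Authentication-Results: mx.example.net;
 dkim=pass header.i=@mailchimp.com header.s=k1 header.d=mailchimp.com;
 dkim=pass header.i=@yourdomain.com header.s=selector header.d=yourdomain.com
"""

if __name__ == "__main__":
    print(dkim_alignment(SAMPLE, "v=DMARC1; p=reject"))
```

Only evaluate Authentication-Results headers added by your own receiving server; copies that arrive with the message from elsewhere are not trustworthy.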

Use our free DKIM checker to verify your DNS record is published on the correct domain.

Fixing Alignment Issues

1. Configure third-party services to sign with your domain

Go into each email service you use (marketing platforms, CRMs, transactional senders) and enable custom domain authentication. They will provide DNS records to add to your domain so they can sign with d=yourdomain.com. Generate any additional DKIM keys you need at dkimcreator.com.

2. Set up custom DKIM for each sending service

Every service that sends email as your domain needs its own DKIM configuration. Add each provider's DNS records and verify them. You can have multiple DKIM records for different selectors on the same domain.

3. Consider relaxed alignment if using subdomains

If you send from subdomains (like mail.yourdomain.com or events.yourdomain.com), make sure your DMARC policy uses relaxed alignment. Set adkim=r in your DMARC record or remove the adkim= tag entirely. Relaxed is the default.

DKIM Alignment and DMARC Policy

Alignment is what makes DMARC enforcement possible. When you set your DMARC policy to p=reject, receiving servers will block emails that fail both SPF and DKIM alignment. If your DKIM signatures are valid but unaligned, they offer zero protection under DMARC.

Before moving to p=reject, audit every service that sends email as your domain. Make sure each one signs with your domain (not theirs) so DKIM alignment passes. Check your SPF (Sender Policy Framework) configuration at spfrecordcheck.com as well. SPF alignment can serve as a backup when DKIM alignment is difficult to achieve for a particular sender.

Both aligned is best

DMARC passes if either SPF or DKIM is aligned. But having both provides the strongest protection and the best deliverability. Don't rely on just one.

Monitor your DMARC reports with deliverabilitychecker.com to catch alignment failures as they happen, rather than discovering them weeks later when deliverability has already suffered.
