TIL: DKIM, SPF, and DMARC Alignment Are Not the Same Thing

This cost me a week of debugging on the Prachyam mail setup. SPF passed. DKIM passed. Emails still landed in spam. The reason: DMARC alignment failure.

What alignment means

DMARC doesn't just check that SPF and DKIM pass — it checks that they pass for the right domain.

Specifically, DMARC compares the domain in the email's From: header against:

The domain in the SPF Return-Path (envelope sender)
The domain in the DKIM d= tag

If neither matches the From: domain, DMARC fails — even if SPF and DKIM themselves are technically valid.

The common failure mode

You're sending via a third-party service (Mailchimp, SendGrid, or in our case a shared relay). The relay signs with its own DKIM key (d=sendgrid.net) and sets its own Return-Path. Both pass authentication. But your From: header is team@prachyam.org. Neither the DKIM domain nor the SPF domain matches prachyam.org. DMARC alignment fails.

Relaxed vs strict alignment

DMARC has two alignment modes, set in the _dmarc TXT record:

Plain text

v=DMARC1; p=quarantine; aspf=r; adkim=r;

aspf=r (relaxed): SPF domain just needs to share the organizational domain. mail.prachyam.org aligns with prachyam.org.
aspf=s (strict): exact match required. mail.prachyam.org does NOT align with prachyam.org.
Same logic for adkim=r/s.

Relaxed mode is almost always what you want for your own infrastructure.

The fix for relay sending

Either:

Have the relay sign with your domain's DKIM key (you give them the private key — not great)
Set up a custom domain in the relay's settings so it signs with d=prachyam.org
Use your own mail server (Postfix) and control DKIM signing yourself — what we did

Option 3 is the only one that gives you full alignment control without trusting a third party with your private key.

Quick check

What alignment means

DMARC doesn't just check that SPF and DKIM pass — it checks that they pass for the right domain.

Specifically, DMARC compares the domain in the email's From: header against:

The domain in the SPF Return-Path (envelope sender)

The domain in the DKIM d= tag

If neither matches the From: domain, DMARC fails — even if SPF and DKIM themselves are technically valid.

The common failure mode

Relaxed vs strict alignment

DMARC has two alignment modes, set in the _dmarc TXT record:

Plain text

v=DMARC1; p=quarantine; aspf=r; adkim=r;

aspf=r (relaxed): SPF domain just needs to share the organizational domain. mail.prachyam.org aligns with prachyam.org.

aspf=s (strict): exact match required. mail.prachyam.org does NOT align with prachyam.org.

Same logic for adkim=r/s.

Relaxed mode is almost always what you want for your own infrastructure.

The fix for relay sending

Either:

Have the relay sign with your domain's DKIM key (you give them the private key — not great)

Set up a custom domain in the relay's settings so it signs with d=prachyam.org

Use your own mail server (Postfix) and control DKIM signing yourself — what we did

Option 3 is the only one that gives you full alignment control without trusting a third party with your private key.

TIL: DKIM, SPF, and DMARC Alignment Are Not the Same Thing

What alignment means

The common failure mode

Relaxed vs strict alignment

The fix for relay sending

Quick check

Stay in the loop

Comments

Semantically related

TIL: Postfix Queue Management Under Load

Building Mail Infrastructure for 20 Million Emails: What Nobody Tells You

TIL: DKIM, SPF, and DMARC Alignment Are Not the Same Thing

What alignment means

The common failure mode

Relaxed vs strict alignment

The fix for relay sending

Quick check

Stay in the loop

Comments

Semantically related

TIL: Postfix Queue Management Under Load

Building Mail Infrastructure for 20 Million Emails: What Nobody Tells You

Why I Self-Host Everything (And What It's Actually Cost Me)