SPF alignment failures: causes, fixes & monitoring tools

SPF alignment failures break DMARC and hurt deliverability. Learn what causes them, how to diagnose issues, and monitoring tools to prevent them.

You check your DMARC reports and see something confusing: SPF is passing, but DMARC is still failing. 

How is that possible?

It’s likely an SPF alignment failure. SPF can pass its authentication check while simultaneously failing alignment. And when SPF doesn’t align, DMARC treats it as a failure (unless DKIM saves the day). This trips up a lot of people because it seems counterintuitive.

It’s not an issue you can ignore, either. Get SPF alignment wrong, and legitimate emails get filtered to spam or blocked entirely. Get it right, and you’re one step closer to full DMARC enforcement.

Below, we’ll break down what SPF alignment means, why it fails, how to diagnose problems, and what tools can help you monitor alignment in real time.

What is SPF alignment?

SPF alignment checks whether the domain in the Return-Path matches the domain in the visible From address (the RFC5322.From). For DMARC to consider SPF aligned, these domains need to match (either exactly or within the same organizational domain, depending on your alignment mode).

This is different from SPF authentication.

SPF authentication checks whether the sending server is authorized to send email for a specific domain. It looks at the Return-Path domain (also called the envelope from or RFC5321.MailFrom) and checks if the sending IP is listed in that domain’s SPF record. If yes, SPF passes. If no, SPF fails.

Here’s an example: 

Aligned SPF (DMARC passes):

From: marketing@company.com

Return-Path: bounce@company.com

SPF Record: company.com authorizes sending IP

Result: SPF passes AND aligns ✓

Both the visible From address and the Return-Path use company.com. SPF authenticates the sending server, and the domains align. DMARC is happy.

Non-Aligned SPF (DMARC fails):

From: marketing@company.com

Return-Path: bounce@emailprovider.com

SPF Record: emailprovider.com authorizes sending IP

Result: SPF passes but does NOT align ✗

SPF authentication passes because the sending server is authorized in emailprovider.com’s SPF record. But the Return-Path domain (emailprovider.com) doesn’t match the From domain (company.com), so SPF alignment fails. Unless DKIM alignment passes, DMARC fails entirely.


SPF alignment: relaxed vs. strict

DMARC gives you two options for how strictly to enforce alignment: relaxed and strict.

Relaxed alignment (default)

Relaxed alignment allows subdomains to pass. As long as the organizational domain matches, you’re good.

Examples that pass relaxed alignment:

  • From: user@company.com, Return-Path: bounce@company.com ✓
  • From: user@company.com, Return-Path: mail@mail.company.com ✓
  • From: user@mail.company.com, Return-Path: bounce@company.com ✓

Relaxed alignment is forgiving and accommodates common email infrastructure setups where subdomains handle different functions (like mail.company.com for mail servers or bounce.company.com for bounce handling).

Strict alignment

Strict alignment requires an exact domain match. Subdomains don’t cut it.

Examples:

  • From: user@company.com, Return-Path: bounce@company.com ✓
  • From: user@company.com, Return-Path: mail@mail.company.com ✗

Strict alignment is more secure but also more restrictive. Most organizations stick with relaxed alignment unless they have specific security requirements that demand strict matching.

You control this setting in your DMARC record using the aspf tag:

  • aspf=r for relaxed (default if not specified)
  • aspf=s for strict

Most people never need to change this from the default relaxed setting.
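The relaxed and strict rules above can be expressed as a short check over a message's Return-Path and From headers. This is an added example, not Valimail's code; the `PUBLIC_SUFFIXES` set is a constructed stand-in for the Public Suffix List, and the sample messages are constructed from the examples in this section.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a tiny stand-in for the Public Suffix List, which DMARC
# evaluators consult to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain: str) -> str:
    """Return the public suffix plus one label (the organizational domain)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no listed suffix matches


def domain_of(address_header: str) -> str:
    """Extract the lowercase domain from a From or Return-Path value."""
    _, addr = parseaddr(address_header)
    return addr.rpartition("@")[2].lower()


def spf_aligned(raw_message: str, aspf: str = "r") -> bool:
    """Compare Return-Path and From domains under aspf=r or aspf=s."""
    msg = message_from_string(raw_message)
    mail_from = domain_of(msg["Return-Path"] or "")
    header_from = domain_of(msg["From"] or "")
    if not mail_from or not header_from:
        return False  # nothing to compare, so SPF cannot align
    if aspf == "s":
        return mail_from == header_from  # strict: exact match only
    return org_domain(mail_from) == org_domain(header_from)  # relaxed


# Constructed sample headers mirroring the examples in this section.
SUBDOMAIN = "Return-Path: <mail@mail.company.com>\nFrom: user@company.com\n\nbody\n"
THIRD_PARTY = ("Return-Path: <bounce@emailprovider.com>\n"
               "From: marketing@company.com\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("subdomain", SUBDOMAIN), ("third-party", THIRD_PARTY)):
        print(name, "relaxed:", spf_aligned(raw, "r"),
              "strict:", spf_aligned(raw, "s"))
```

The subdomain message aligns only in relaxed mode, while the third-party Return-Path fails in both modes regardless of whether SPF authentication itself passed.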

8 common causes of SPF alignment failures

SPF alignment failures usually come down to configuration issues with your email sending infrastructure. The more complex your email ecosystem, the more opportunities for alignment failures. Here are the usual suspects:

1. Third-party email services using their own Return-Path

This is the most common cause. You’re using Mailchimp, Twilio SendGrid, Constant Contact, or another email service provider, and they’re sending email with your domain in the From address but their domain in the Return-Path.

Example: Your marketing email shows “From: news@yourcompany.com” but the Return-Path is “bounce@sendgrid.net”. 

SPF authenticates against sendgrid.net, but doesn’t align with yourcompany.com.

2. Email forwarding services and mailing lists

When someone forwards your email or when mailing lists redistribute messages, the Return-Path often changes to the forwarding service’s domain. This breaks SPF alignment (and usually SPF authentication too, which is why DKIM is so important for forwarded email).

3. Subdomain mismatches with strict alignment

If you’ve set your DMARC policy to strict alignment and you’re sending from subdomains, you’ll fail alignment even though relaxed mode would pass. This is usually an unintended consequence of being overly restrictive.

4. Custom Return-Path domains not matching From domain

Some email platforms let you set a custom Return-Path domain. If you configure it as “bounce.yourdomain.com” but send from “marketing.differentdomain.com”, alignment fails. The organizational domains need to match.

5. Marketing platforms with default configurations

Many email marketing platforms come with default settings that use their infrastructure for Return-Path handling. Unless you specifically configure a custom Return-Path that matches your From domain, you’ll fail alignment right out of the box.

6. Transactional email services on autopilot

Services that send transactional emails (password resets, order confirmations, etc.) often use their own domains for bounce handling unless you explicitly configure them otherwise. Each service needs individual attention.

7. Misconfigured email forwarding rules

Internal email forwarding rules can break SPF alignment. If your mail server forwards messages and rewrites the Return-Path in the process, you’ve just created an alignment problem for those forwarded messages.

8. Multiple sending sources with inconsistent configurations

Marketing uses one ESP, transactional email goes through another service, support tickets come from a helpdesk platform, and sales sends through a CRM. Each has its own Return-Path configuration, and they’re not all aligned with your From domain.

The “SPF domain does not align with RFC5322 From domain” error

If you’ve looked at DMARC reports or email authentication logs, you’ve probably seen this error message: “SPF domain does not align with RFC5322.From domain.”

  • RFC5322.From is the technical name for the visible From address. It’s the one recipients see in their email client. It’s the “marketing@company.com” that shows up when you open the message.
  • The “SPF domain” in this error refers to the domain used for SPF authentication, which is the Return-Path domain (technically called RFC5321.MailFrom).

So this error is really saying that the domain in your Return-Path doesn’t match the domain in your visible From address, so SPF alignment fails.

How to diagnose SPF alignment issues

Diagnosing your SPF alignment issues starts with knowing where to look. After that, it’s relatively simple:

Step 1: Check your DMARC reports

DMARC aggregate reports tell you exactly which emails are failing alignment and why. Look for the SPF alignment result in your reports. It’ll show:

  • Whether SPF authentication passed or failed
  • Whether SPF alignment passed or failed
  • The Return-Path domain used
  • The From domain used

If you see “SPF auth: pass” but “SPF align: fail,” you’ve found your problem—the domains don’t match.

Step 2: Examine email headers

Open an email header from a sent message (every email client has a “show original” or “view headers” option) and look for these fields:

Return-Path: <bounce@emailprovider.com>

From: marketing@yourcompany.com

If these domains don’t match (or don’t share the same organizational domain), that’s your alignment problem right there.

Step 3: Test SPF alignment

Use online tools to test your SPF setup:

These tools will tell you if your SPF record is properly configured and whether alignment is passing for your current setup.

Step 4: Document all sending sources

Make a list of every service that sends email on your behalf:

  • Marketing platforms
  • Transactional email services
  • Support desk systems
  • CRM tools
  • Notification services

For each one, check what domain they’re using for Return-Path. Any that don’t match your From domain are causing alignment failures.
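For Steps 1 and 4, the "SPF auth: pass, SPF align: fail" rows can be pulled out of an aggregate report programmatically and grouped by sending source. This is an added example, not a Valimail tool; the report below is a constructed, trimmed sample, and the code assumes the report's elements carry no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: a trimmed DMARC aggregate report with two records.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>company.com</header_from></identifiers>
    <auth_results>
      <spf><domain>emailprovider.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>company.com</header_from></identifiers>
    <auth_results>
      <spf><domain>mail.company.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def misaligned_spf_sources(report_xml: str) -> Counter:
    """Count messages per (source IP, From domain, Return-Path domain)
    where raw SPF passed but the DMARC-evaluated (aligned) SPF did not."""
    hits = Counter()
    for rec in ET.fromstring(report_xml).iter("record"):
        # policy_evaluated/spf is the aligned result; auth_results/spf is raw.
        aligned = rec.findtext("row/policy_evaluated/spf", "").strip().lower()
        header_from = rec.findtext("identifiers/header_from", "").strip().lower()
        source_ip = rec.findtext("row/source_ip", "").strip()
        count = int(rec.findtext("row/count", "0"))
        for spf in rec.findall("auth_results/spf"):
            raw = spf.findtext("result", "").strip().lower()
            if raw == "pass" and aligned != "pass":
                spf_domain = spf.findtext("domain", "").strip().lower()
                hits[(source_ip, header_from, spf_domain)] += count
    return hits


if __name__ == "__main__":
    for (ip, frm, rp), n in misaligned_spf_sources(SAMPLE_REPORT).items():
        print(f"{n} msgs from {ip}: From={frm} Return-Path domain={rp}")
```

Aggregate reports are XML supplied by external receivers, so a production pipeline should parse them with a hardened XML parser and size limits on decompressed attachments.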

Real-time monitoring tools for SPF alignment

Fixing SPF alignment once is great, but keeping it fixed as your email infrastructure evolves takes ongoing monitoring.

Ultimately, your email ecosystem will change. Constantly. New services get added, old ones get retired, configurations drift, and suddenly alignment breaks without anyone noticing. Well, until deliverability tanks.

Real-time monitoring catches these problems immediately, often before they impact deliverability. You get alerted when alignment fails, so you can fix it before customers complain about missing emails. And if you want a one-time audit, just use our free SPF checker.

Built-in monitoring: DMARC aggregate reports

DMARC reports provide alignment data, but they have limitations:

Pros:

  • Free and built into DMARC
  • Comprehensive data about all email sent from your domain
  • Shows both authentication and alignment results

Cons:

  • Reports arrive daily (not real-time)
  • Come in XML format (not user-friendly)
  • Require manual analysis or parsing tools
  • High volume can be overwhelming

DMARC reports are valuable, but not exactly real-time monitoring.

Valimail Monitor: automated SPF alignment tracking

Valimail Monitor automatically processes your DMARC reports and provides instant visibility into SPF alignment across all your sending sources.

What makes it different:

  • Identifies sending services by name (not just IP addresses)
  • Shows alignment status for each service at a glance
  • Alerts you when new services appear or alignment breaks
  • Tracks alignment trends over time
  • Completely free for unlimited domains

Instead of manually parsing XML reports to figure out why SPF alignment is failing, you get a clean dashboard showing exactly which services are aligned and which aren’t.

Valimail Monitor is completely free to use.

Best practices for maintaining your SPF alignment

Prevention is easier than troubleshooting. Follow these best practices to keep your SPF alignment healthy:

  1. Document all sending services and their configurations. Maintain a list of every platform that sends email on your behalf, including how it’s configured for Return-Path. Update this list whenever you add or remove services.
  2. Test before deploying new email services. Before going live with a new ESP or email tool, send test messages and check the headers. Verify that SPF alignment passes before sending to your entire list.
  3. Regular audits of email authentication. Schedule quarterly reviews of your email authentication setup. Check alignment rates, review DMARC reports, and verify all services are properly configured.
  4. Centralized management of email infrastructure. Don’t let every department set up its own email services without coordination. Route all email infrastructure decisions through a central team (IT, security, or marketing ops) that understands alignment requirements.
  5. Training teams on alignment requirements. Make sure the people who select and configure email tools understand SPF alignment. A quick training session can prevent configuration headaches down the road.
  6. Monitoring and alerting strategies. Don’t just set up monitoring—actually respond to the alerts. Establish clear processes for investigating and fixing alignment failures when they occur.

Fix (and prevent) SPF alignment issues with Valimail

Most SPF alignment failures come down to Return-Path configuration at your email service providers. Get those configured correctly, monitor alignment rates continuously, and you’ll avoid the deliverability problems that hurt organizations with broken alignment.

Valimail Monitor makes this easy by automatically tracking SPF alignment across all your sending services, identifying problems, and alerting you when something breaks. It’s free, it’s automated, and it saves you from manually parsing DMARC reports.

Get visibility into what’s actually happening with your email authentication with Valimail Monitor.

Frequently asked questions

Q: Can SPF pass but alignment fail?

Yes, absolutely. This is the most common SPF issue people encounter. SPF authentication checks whether the sending IP is authorized for the Return-Path domain. SPF alignment checks whether the Return-Path domain matches the From domain. You can pass authentication (the IP is authorized) but fail alignment (the domains don’t match).

Q: What’s the difference between relaxed and strict SPF alignment?

Relaxed alignment (the default) allows subdomains to pass as long as they share the same organizational domain. Strict alignment requires an exact domain match with no subdomain flexibility. 

Q: Will fixing SPF alignment improve my email deliverability?

Yes, especially if you’re working toward DMARC enforcement. SPF alignment is one of two ways to pass DMARC (the other is DKIM alignment). Without at least one aligned authentication method, your emails are more likely to be filtered or blocked.

Q: Do I need to fix SPF alignment if DKIM alignment is passing?

Technically, no. DMARC only requires one aligned authentication method (SPF or DKIM). If DKIM alignment consistently passes, your DMARC checks will succeed even with failed SPF alignment. However, it’s still best practice to fix SPF alignment because it provides redundancy. If DKIM breaks for any reason, you want SPF as a backup.

Q: How long does it take for SPF alignment fixes to take effect?

DNS changes can take a few hours to propagate fully, though most changes are visible within minutes. Configuration changes at your email service provider (like setting up a custom Return-Path) typically take effect immediately, but you might need to wait up to 24 hours to see the results reflected in DMARC reports.

Q: Can email forwarding break SPF alignment?

Yes. When email gets forwarded, the forwarding server often becomes the new sender, which can break both SPF authentication and alignment. This is one reason why DKIM matters. DKIM signatures survive forwarding better than SPF. Some advanced mail servers use Sender Rewriting Scheme (SRS) to preserve SPF during forwarding.
