SPFWise
dkim

How to Fix DKIM Alignment Failures

DKIM can pass while DMARC still fails. The reason is alignment. Here is what alignment means and how to make your signature match your From domain.

Jul 3, 20264 min read

DKIM can pass and DMARC can still fail. The reason is almost always alignment. A message can carry a valid DKIM signature for one domain while showing a different domain in the From address, and DMARC only accepts a pass when those domains match. Here is how to fix DKIM alignment.

What alignment means

DMARC requires that the domain in the visible From address matches the domain that DKIM signed for, or the domain that passed SPF. If your mail shows you@yourdomain.com in the From line but the DKIM signature is for sendgrid.net, DKIM passes for the sender but does not align with your domain, so DMARC fails.

The common cause

This happens when a sending platform signs mail with its own domain by default. Marketing tools, helpdesks and transactional senders often do this until you set up branded DKIM for your own domain.

The fix

Set up DKIM for your own domain inside the sending platform. Every major provider offers domain authentication that publishes a DKIM record under your domain and signs with it, so the signature aligns with your From address. Once your own DKIM is signing, the signature domain and the From domain match and DMARC passes. See how to set up DKIM.

Relaxed vs strict alignment

DMARC defaults to relaxed alignment, where a subdomain matches the parent domain. Strict alignment requires an exact match. Relaxed is right for almost everyone, so if you set adkim=s, confirm you really need it.

Verify

Send a test message from the platform and confirm the DKIM signature domain matches your From domain, then scan your domain.

Reads public DNS only. Nothing is stored unless you save the domain to an account.

Check your own domain

Run a free scan and get your grade with the exact records to fix.

Scan a domain

Related guides

How to Fix DKIM Alignment Failures | SPFWise