Why mail can fail DMARC even when SPF passes
This is one of the most confusing DMARC scenarios. The email passed SPF — the sending server is authorized — but DMARC still fails. How?
The short answer: alignment
DMARC doesn't just check whether SPF or DKIM passes. It also checks whether the domain that passed aligns with the domain in the From: header that the recipient sees.
How it works
When you send an email, there are two "from" addresses:
- Envelope From (Return-Path) — used in the SMTP transaction. This is what SPF checks.
- Header From — what the recipient sees in their email client. This is what DMARC protects.
If these two domains don't match, SPF can still pass (the envelope domain is authorized), but DMARC alignment fails because the domain that passed SPF is not the domain in the From: header.
Common causes
Third-party senders
When SendGrid, Mailchimp, or similar services send on your behalf, they often use their own envelope domain (e.g., bounce.sendgrid.net) for bounce handling. SPF passes for their domain, but your domain in the From: header doesn't align.
Fix: Configure the service to use your domain as the envelope sender, or set up DKIM signing with your domain (DKIM alignment is an alternative path to DMARC pass).
Email forwarding
When someone forwards your email to another address, the forwarding server's IP isn't in your SPF record. SPF fails. Even if SPF had passed at the original receiver, the forwarding server is a new connection.
Fix: Rely on DKIM for forwarded mail. DKIM survives forwarding because it signs the message content, not the connection.
Mailing lists
Some mailing lists rewrite the From: header or modify the message body, breaking DKIM. If SPF also doesn't align (because the list server isn't in your SPF record), DMARC fails completely.
How to diagnose in dmarco
- In Reports, look for records with failure type SPF_PASS_DMARC_FAIL
- Check the Envelope From field — if it's different from the Header From, that's the alignment mismatch
- Check the DKIM Domain — if DKIM also failed or isn't aligned, there's no alternative path to DMARC pass
Key takeaway: SPF passing on its own is not sufficient. For DMARC to pass, at least one of SPF or DKIM must both pass and align with the From domain.
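The same diagnosis can be run directly against a raw aggregate report. The following is an added example, not dmarco's code: it assumes the RFC 7489 aggregate XML layout, uses a constructed sample with example.com as a placeholder domain, and borrows the SPF_PASS_DMARC_FAIL label for records where a raw SPF check passed but neither aligned result did.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report (RFC 7489 layout); example.com is a placeholder.
SAMPLE = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>12</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><spf><domain>bounce.sendgrid.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.11</source_ip><count>40</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
  <spf><domain>bounce.sendgrid.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.12</source_ip><count>7</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><spf><domain>mail.example.com</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def classify(report_xml):
    """Return one dict per <record>, showing how raw SPF relates to DMARC."""
    out = []
    for rec in ET.fromstring(report_xml).iter("record"):
        # policy_evaluated holds the DMARC view: the check passed AND aligned.
        pe = rec.find("row/policy_evaluated")
        via = [m for m in ("spf", "dkim") if pe.findtext(m) == "pass"]
        # auth_results holds the raw SPF result for the envelope domain.
        spf_pass = [s.findtext("domain") for s in rec.iterfind("auth_results/spf")
                    if s.findtext("result") == "pass"]
        if via:
            verdict = "DMARC_PASS"
        elif spf_pass:
            verdict = "SPF_PASS_DMARC_FAIL"  # authorized sender, unaligned domain
        else:
            verdict = "DMARC_FAIL"
        out.append({"source_ip": rec.findtext("row/source_ip"),
                    "header_from": rec.findtext("identifiers/header_from"),
                    "spf_pass_domains": spf_pass,
                    "via": via[0] if via else None,
                    "verdict": verdict})
    return out

if __name__ == "__main__":
    for r in classify(SAMPLE):
        print(r["source_ip"], r["verdict"], "envelope:", r["spf_pass_domains"],
              "header:", r["header_from"], "passed via:", r["via"])
```

The second record shows the alternative path: the envelope domain is still the third party's, but an aligned DKIM signature carries the DMARC pass.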