Why mail can fail DMARC even when SPF passes
This is one of the most confusing DMARC scenarios. The email passed SPF — the sending server is authorized — but DMARC still fails. How?
The short answer: alignment
DMARC doesn't just check whether SPF or DKIM passes. It also checks whether the domain that passed aligns with the domain in the From: header that the recipient sees.
How it works
When you send an email, there are two "from" addresses:
- Envelope From (Return-Path) — used in the SMTP transaction. This is what SPF checks.
- Header From — what the recipient sees in their email client. This is what DMARC protects.
If these two domains don't match, SPF passes (the envelope domain is authorized) but DMARC alignment fails (the header domain doesn't match).
Common causes
Scenario 1: Third-party service sending as your domain
A SaaS platform (project management tool, CRM, notification service, etc.) sent an email with your domain in the From: header but signed it with their own DKIM key. SPF may pass for their sending infrastructure, but neither SPF nor DKIM aligns with your domain.
How to identify: The DKIM Domain field in the report will show the service's domain (not yours). If you use this service, they need to set up custom DKIM signing for your domain.
Fix: Ask the service to support custom DKIM for your domain, or configure them to use your domain as the envelope sender.
Scenario 2: Unauthorized use of your domain
Someone registered an account on a third-party service using your domain's email address — either maliciously (phishing) or accidentally. The service then sends email "from" your domain, but signs with their own DKIM key.
How to identify: The DKIM Domain shows a service you don't use. Your organization has no relationship with this sender.
Fix: This is exactly what a DMARC reject policy prevents. With p=none these messages are delivered. Move toward p=quarantine or p=reject to block them.
Scenario 3: Forwarded messages
Someone forwarded a message that originally came from your domain. The forwarding server preserves the original From: header but sends from its own infrastructure. SPF may pass for the forwarding server, but it doesn't align with your domain. DKIM may also break if the message was modified in transit.
How to identify: The sending IP and reverse DNS point to a mail server or forwarding service, not a SaaS platform. The DKIM Domain may be empty or show a different domain.
Fix: Forwarding-related failures are expected and generally harmless. Rely on DKIM (which survives most forwarding) for alignment. Consider ARC (Authenticated Received Chain) for trusted forwarding paths.
Mailing lists
Some mailing lists rewrite the From: header or modify the message body, breaking DKIM. If SPF also doesn't align (because the list server isn't in your SPF), DMARC fails completely.
How to diagnose in dmarco
- In Reports, look for records with failure type SPF_PASS_DMARC_FAIL
- Check the Envelope From field — if it's different from the Header From, that's the alignment mismatch
- Check the DKIM Domain — if DKIM also failed or isn't aligned, there's no alternative path to DMARC pass
Key takeaway: SPF passing is necessary but not sufficient. For DMARC to pass, at least one of SPF or DKIM must both pass and align with the From domain.
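To make the alignment rule and the diagnosis steps above concrete, here is an added example (not dmarco's own code) that applies the DMARC pass/fail logic to the fields a report row exposes. It assumes a simplified organizational-domain rule (last two labels, where real evaluators use the Public Suffix List) and uses constructed domains such as example.com and saas-sender.invalid.

```python
from email.utils import parseaddr

def org_domain(domain: str) -> str:
    """Organizational domain, simplified (assumption) to the last two labels.
    Real evaluators consult the Public Suffix List (e.g. for example.co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, header_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: relaxed ('r') compares organizational domains,
    strict ('s') requires an exact match. An empty domain never aligns."""
    if not auth_domain:
        return False
    a, h = auth_domain.lower(), header_domain.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)

def evaluate_dmarc(header_from, envelope_from, spf_result, dkim_domain,
                   dkim_result, aspf="r", adkim="r"):
    """Apply the DMARC rule to one report row (Header From, Envelope From,
    SPF result, DKIM d= domain and result). Returns (verdict, reason);
    aspf/adkim mirror the alignment-mode tags of a DMARC policy record."""
    header_domain = parseaddr(header_from)[1].rsplit("@", 1)[-1]
    envelope_domain = envelope_from.rsplit("@", 1)[-1]
    spf_ok = spf_result == "pass" and aligned(envelope_domain, header_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_domain, adkim)
    if spf_ok or dkim_ok:
        return "pass", ("SPF aligned" if spf_ok else "DKIM aligned")
    if spf_result == "pass":  # the confusing case this article is about
        return "fail", (f"SPF_PASS_DMARC_FAIL: envelope domain {envelope_domain} and "
                        f"DKIM domain {dkim_domain or '(none)'} do not align with {header_domain}")
    return "fail", "neither SPF nor DKIM passed and aligned"

# Constructed report rows for the scenarios above (example.com is the protected domain).
SCENARIOS = {
    # Scenario 1: SaaS sends with its own envelope sender and its own DKIM key.
    "saas_own_dkim": ("Alerts <alerts@example.com>", "bounce@saas-sender.invalid",
                      "pass", "saas-sender.invalid", "pass"),
    # Scenario 1 after the fix: the service signs with a custom DKIM key for example.com.
    "saas_custom_dkim": ("Alerts <alerts@example.com>", "bounce@saas-sender.invalid",
                         "pass", "example.com", "pass"),
    # Scenario 3: forwarded; SPF passes for the forwarder, the original DKIM survived.
    "forwarded_dkim_intact": ("Bob <bob@example.com>", "fwd@forwarder.invalid",
                              "pass", "mail.example.com", "pass"),
    # Scenario 3 with DKIM broken in transit: no remaining path to a DMARC pass.
    "forwarded_dkim_broken": ("Bob <bob@example.com>", "fwd@forwarder.invalid",
                              "pass", "", "fail"),
}

def run_scenarios():
    return {name: evaluate_dmarc(*row)[0] for name, row in SCENARIOS.items()}
```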