Why do my emails go to spam due to DMARC, SPF, and DKIM alignment failures?
Matthew Whittaker
Co-founder & CTO, Suped
Published 21 Apr 2025
Updated 19 Aug 2025
Sending emails seems straightforward until your messages start landing in the spam folder. Often, the culprit isn't obvious, especially when you think you've set up your email authentication correctly. I've seen countless cases where email marketers and businesses struggle with deliverability because their emails fail DMARC, SPF, and DKIM alignment checks.
This issue is particularly frustrating because SPF and DKIM might appear to pass independently, but DMARC (Domain-based Message Authentication, Reporting, and Conformance) introduces an additional layer of verification called alignment. When this alignment fails, even legitimate emails can be treated as suspicious, leading to poor inbox placement or outright rejection. Understanding how these protocols work together, especially regarding alignment, is crucial for maintaining good sender reputation and ensuring your emails reach their intended recipients.
Before diving into alignment, it's important to grasp the basics of SPF and DKIM. These are foundational email authentication protocols designed to prevent email spoofing and phishing.
Sender Policy Framework (SPF)
SPF allows domain owners to publish a TXT record in their Domain Name System (DNS) that lists all authorized mail servers permitted to send emails on behalf of their domain. When a receiving mail server gets an email, it checks the SPF record of the sending domain (usually the Return-Path or Mail From domain). If the email originates from an IP address not listed in the SPF record, it may be flagged as suspicious. A valid SPF setup is critical for establishing trust.
DomainKeys Identified Mail (DKIM)
DKIM adds a digital signature to outgoing emails, providing a way for recipients to verify that the email was sent by the domain owner and that the content hasn't been tampered with in transit. The DKIM signature is generated using a private key and verified by the recipient's server using a public key published in your domain's DNS as another TXT record. If the signature fails verification, it's a strong indicator of spoofing or tampering, which can lead to emails being sent to the spam folder. Proper configuration of these records is a prerequisite for strong email deliverability.
DMARC and the alignment mandate
DMARC leverages SPF and DKIM to determine if an email is legitimate. Its primary function is to enforce sender policies and provide reporting on email authentication failures. However, for DMARC to pass, not only must SPF or DKIM pass, but they must also be aligned with the domain in the email's visible From: header. This alignment requirement is often where deliverability issues arise.
DMARC alignment explained
Alignment means that the domain used for SPF or DKIM authentication must match, or be a subdomain of, the domain in the visible From: header. DMARC offers two types of alignment: relaxed and strict.
Relaxed alignment
SPF: The SPF-authenticated domain (usually the Return-Path or Mail From domain) can be the same as, or a subdomain of, the From: header domain.
DKIM: The DKIM signing domain can be the same as, or a subdomain of, the From: header domain.
Strict alignment
SPF: The SPF-authenticated domain must be identical to the From: header domain.
DKIM: The DKIM signing domain must be identical to the From: header domain.
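The relaxed and strict rules above, applied to raw headers, as an added example that is not from the original article. Relaxed mode is implemented as the RFC 7489 rule (both domains share an organizational domain), which covers the "same as, or a subdomain of" case; the `PUBLIC_SUFFIXES` set, the function names and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List; use the full list in practice.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain = public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 's' (strict): identical; 'r' (relaxed): same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if not a or not f:
        return False
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def identifiers(raw):
    """Extract the From:, Return-Path and DKIM d= domains from raw headers."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    dkim = [m.group(1) for h in msg.get_all("DKIM-Signature", [])
            if (m := re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", h))]
    return from_dom, rp_dom, dkim

def alignment(raw, aspf="r", adkim="r"):
    """Alignment only: each identifier must ALSO pass its own SPF/DKIM check."""
    from_dom, rp_dom, dkim = identifiers(raw)
    return {"spf": aligned(rp_dom, from_dom, aspf),
            "dkim": any(aligned(d, from_dom, adkim) for d in dkim)}

# Constructed headers: ESP defaults vs. a custom sending domain.
ESP_DEFAULT = ("Return-Path: <bounces@esp.com>\n"
               "DKIM-Signature: v=1; a=rsa-sha256; d=esp.com; s=s1; h=from; bh=x; b=x\n"
               "From: You <you@yourdomain.com>\n\nbody\n")
CUSTOM = ("Return-Path: <bounces@mail.yourdomain.com>\n"
          "DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=s1; h=from; bh=x; b=x\n"
          "From: You <you@yourdomain.com>\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("esp-default", ESP_DEFAULT), ("custom", CUSTOM)):
        print(name, "relaxed", alignment(raw), "strict", alignment(raw, "s", "s"))
```

The custom-domain message is aligned under relaxed mode, but its Return-Path subdomain stops being SPF-aligned once `aspf=s` is published.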
Why alignment fails and emails go to spam
Even with SPF and DKIM records in place, alignment failures are common. These failures often lead to emails being quarantined or sent to the spam folder, even by major providers like Google and Yahoo. Here are some of the most frequent causes:
Email service providers (ESPs)
Many ESPs, by default, send emails using their own sending domains for SPF or DKIM, rather than your domain. For instance, an ESP might send an email with your From: address as you@yourdomain.com, but the actual SPF authentication occurs on esp.com. This creates a misalignment, leading to DMARC failure. To correct this, you generally need to set up custom sending domains or dedicated IP addresses within your ESP that align with your From: domain.
Email forwarding
Email forwarding is another common culprit. When an email is forwarded, the Return-Path (which SPF checks) often changes to the forwarding server's domain. This breaks SPF alignment. While DKIM is more resilient to forwarding, it can also sometimes be invalidated if the forwarding server modifies the email body. This is a tricky scenario because it's often outside your direct control, but understanding it helps in diagnosing DMARC failures.
Misconfigured DNS records
Simple typos or incorrect values in your DNS records for SPF, DKIM, or DMARC can cause authentication failures. For example, an SPF record that doesn't include all authorized sending IPs, or a DKIM record with an invalid public key, will lead to problems. It's also possible to have a DMARC policy (p=quarantine or p=reject) set too strictly before all your legitimate sending sources are properly authenticated and aligned. For more details on how DMARC works, you can check the DMARC.org FAQ.
Troubleshooting common alignment issues
Troubleshooting DMARC, SPF, and DKIM alignment failures requires a systematic approach. The goal is to ensure that your email authentication protocols are correctly configured and, more importantly, that they align with your visible From: domain.
Check your DMARC reports
DMARC reports (RUA and RUF) provide invaluable insights into your email authentication status, showing which emails are passing or failing and why. Analyze these reports to identify misconfigurations or unauthorized sending sources. Regularly reviewing these reports is essential for maintaining email deliverability. If you're looking to understand these reports better, our guide on troubleshooting DMARC reports from Google and Yahoo can be very helpful.
Verify SPF and DKIM configuration and alignment
Verify SPF record
Ensure your SPF record is accurate and includes all legitimate sending IP addresses and third-party services (ESPs) authorized to send email on your behalf. Check for the common mistakes of publishing multiple SPF records or exceeding the limit of 10 DNS lookups.
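A check for both mistakes, as an added example that is not from the original article: it rejects a domain with more than one SPF record and counts the DNS-querying terms (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`) across nested includes. The `ZONE` dictionary is constructed data standing in for DNS answers, all names in it are hypothetical, and macros are not expanded.

```python
# Constructed TXT data standing in for live DNS answers (all names hypothetical).
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.esp.example include:_spf.crm.example "
                       "include:_spf.helpdesk.example mx a ~all",
                       "site-verification=constructed"],
    "_spf.esp.example": ["v=spf1 include:a.esp.example include:b.esp.example ~all"],
    "a.esp.example": ["v=spf1 ip4:192.0.2.0/25 ~all"],
    "b.esp.example": ["v=spf1 ip4:192.0.2.128/25 ~all"],
    "_spf.crm.example": ["v=spf1 a mx/24 ptr include:pool.crm.example -all"],
    "pool.crm.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    "_spf.helpdesk.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
}
LIMIT = 10  # RFC 7208 section 4.6.4

def spf_records(domain, zone):
    """TXT strings for the domain that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, chain=()):
    """Count terms that trigger DNS queries, following include/redirect."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:  # multiple records (or a missing include target) fail evaluation
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(recs)}")
    if domain in chain:
        raise ValueError(f"{domain}: include/redirect loop")
    total = 0
    for term in recs[0].lower().split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        sep = "=" if term.startswith("redirect=") else ":"
        name, _, arg = term.partition(sep)
        name = name.split("/")[0]  # drop a CIDR suffix, e.g. "mx/24"
        if name in ("include", "redirect"):
            total += 1 + count_lookups(arg, zone, chain + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1
    return total

def check(domain, zone=ZONE):
    """Return (lookup count, whether it is within the limit)."""
    n = count_lookups(domain, zone)
    return n, n <= LIMIT

if __name__ == "__main__":
    print(check("yourdomain.com"))
```

The top-level record lists only five terms, yet the nested includes bring the total to 11, which is why the count has to follow each include.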
Verify DKIM record
Ensure your DKIM signatures are properly generated and attached to your emails. Verify that the public key published in your DNS matches the private key used by your sending server or ESP. Pay close attention to the DKIM selector and domain used for signing to ensure it aligns with your From: header domain. For more help, Google's DMARC troubleshooting guide is a valuable resource.
The path to inbox success
DMARC, SPF, and DKIM alignment failures are a primary reason why legitimate emails end up in spam. By understanding the nuances of alignment and diligently monitoring your email authentication, you can significantly improve your email deliverability. It's a continuous process that requires attention to detail and ongoing adjustments, especially as your sending infrastructure or third-party services evolve.
Prioritize proper setup with any ESPs you use, ensure your DNS records are flawless, and use DMARC reports to guide your improvements. Mastering these authentication protocols is non-negotiable for anyone serious about email marketing and communication.
Views from the trenches
Best practices
Always align your DKIM signing domain with your visible From: header domain for best DMARC results.
Utilize custom return paths or custom sending domains within your ESP to ensure SPF alignment.
Start with a DMARC policy of `p=none` to monitor authentication results before moving to `p=quarantine` or `p=reject`.
Regularly review DMARC aggregate and forensic reports to identify authentication failures and unauthorized sending sources.
Common pitfalls
Publishing a DMARC policy of `p=quarantine` or `p=reject` without ensuring all legitimate mail streams pass alignment, leading to emails being spammed or rejected.
Ignoring email forwarding scenarios, which can break SPF alignment and cause DMARC failures.
Incorrectly configuring SPF or DKIM DNS records, such as typos, missing entries, or exceeding DNS lookup limits.
Not having tight control over all email sending sources within an organization, leading to unauthenticated or misaligned emails.
Expert tips
If using an ESP, configure custom domain authentication (white-labeling or branded sending) to ensure SPF and DKIM alignment.
When troubleshooting, check the raw email headers to see the `From:` domain, `Return-Path` domain, and DKIM signing domain.
Implement DMARC gradually, starting with `p=none` to gather data, then moving to stricter policies as you achieve full authentication coverage and alignment.
Be aware that some legacy systems or niche third-party senders may not support full DMARC alignment, requiring careful consideration of your policy.
Expert view
Expert from Email Geeks says publishing DMARC with p=quarantine without having authentication in place will lead to problems.
2019-09-18 - Email Geeks
Expert view
Expert from Email Geeks says mail sent from multiple different domains or those where domains are not aligned will cause DMARC to fail and the message to be quarantined or junked.