Why does Google Postmaster Tools show lower DMARC percentage despite SPF and DKIM alignment being 100%?
Michael Ko
Co-founder & CEO, Suped
Published 23 Apr 2025
Updated 19 Aug 2025
It can be perplexing to see your Google Postmaster Tools (GPT) dashboard report 100% success for SPF and DKIM, yet your DMARC percentage lags significantly behind. This scenario often leads to confusion, as it appears all your email authentication checks are passing.
The key to understanding this discrepancy lies in distinguishing between authentication passing and authentication alignment, a crucial concept for DMARC. While SPF and DKIM might be technically valid for a given message, DMARC requires that the domains used for these authentications align with your email's From: header domain.
Google Postmaster Tools presents authentication metrics based on whether SPF and DKIM records simply pass the authentication checks for the domain registered in GPT. This means it tracks the percentage of mail that successfully authenticates via SPF or DKIM, regardless of which domain performed the authentication. For example, if you send email through a third-party Email Service Provider (ESP), SPF might pass for the ESP’s domain, and DKIM might pass for their signing domain.
However, DMARC's calculation is different. As stated in Google's Postmaster Tools documentation, the DMARC graph shows the percentage of mail that passed DMARC alignment, not just general SPF or DKIM authentication. This means for DMARC to pass, either the SPF-authenticated domain or the DKIM-signed domain must also align with the domain in your email's From: header. If this alignment doesn't occur, even with SPF and DKIM passing authentication, the DMARC check will fail.
This distinction is often the root cause of the perceived discrepancy in GPT. The 100% SPF and DKIM rates indicate that those authentication mechanisms are technically sound, but the lower DMARC rate highlights that not all those emails are correctly aligning with your primary domain.
The critical role of DMARC alignment
DMARC alignment is the requirement that the domain in the From: header (the domain your recipients see) matches either the SPF-authenticated domain or the DKIM-signed domain. Alignment can be relaxed (the two domains share the same organizational domain, so a subdomain matches the root domain) or strict (exact domain match).
Even if your SPF record correctly authorizes a sending IP, or your DKIM signature is cryptographically valid, DMARC will only pass if the domain used for that authentication also aligns with your organizational domain in the From: header. This is a crucial distinction and often overlooked when setting up email authentication.
SPF alignment
Mechanism: The domain in the email's From: header must match the Return-Path (or Mail From) domain that passed SPF.
Impact on DMARC: If the Return-Path domain belongs to a third party, SPF may pass, but alignment will fail if it does not match your From: header domain.
DKIM alignment
Mechanism: The domain specified in the DKIM d= tag of the signature must match the domain in the From: header.
Impact on DMARC: Even if a DKIM signature is valid, if it's signed by a domain that doesn't align with your From: header, DMARC will consider it a fail. This often happens with shared ESP sending domains.
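The two alignment checks above can be expressed as a short evaluation routine. This is an added example, not code from Suped or Google; the function names and the ESP domain esp-mail.example.net are illustrative, and the organizational domain is approximated as the last two labels, whereas real receivers consult the Public Suffix List.

```python
# Added illustration: DMARC = authentication result AND identifier alignment.
# Assumption: organizational domain = last two labels. Real receivers use the
# Public Suffix List (needed for suffixes such as .co.uk).

def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)

def evaluate_dmarc(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf: (mail_from_domain, result); dkim_sigs: list of (d_domain, result)."""
    spf_domain, spf_result = spf
    spf_auth = spf_result == "pass"
    dkim_auth = any(r == "pass" for _, r in dkim_sigs)
    # Only a passing identifier can contribute to alignment.
    spf_aligned = spf_auth and aligned(spf_domain, from_domain, aspf)
    dkim_aligned = any(r == "pass" and aligned(d, from_domain, adkim)
                       for d, r in dkim_sigs)
    return {
        "spf_auth": spf_auth, "dkim_auth": dkim_auth,
        "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }

# Constructed messages: From: is example.com, sent through a hypothetical ESP.
ESP_BOUNCE = ("bounces.esp-mail.example.net", "pass")
# 1) ESP's shared Return-Path and d= domain: both authenticate, neither aligns.
SHARED_ESP = evaluate_dmarc("example.com", ESP_BOUNCE,
                            [("esp-mail.example.net", "pass")])
# 2) ESP signs with the sender's own subdomain: relaxed DKIM alignment passes.
CUSTOM_DKIM = evaluate_dmarc("example.com", ESP_BOUNCE,
                             [("mail.example.com", "pass")])
# 3) Same message under strict DKIM alignment (adkim=s): subdomain no longer aligns.
STRICT_DKIM = evaluate_dmarc("example.com", ESP_BOUNCE,
                             [("mail.example.com", "pass")], adkim="s")
```

The first case is the pattern behind a 100% SPF and DKIM rate next to a lower DMARC rate: every authentication check passes, yet no passing identifier belongs to the From: domain.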
Several factors can cause your SPF and DKIM to pass authentication while DMARC fails due to alignment issues.
Email forwarding: When an email is forwarded, the Return-Path often changes to the forwarding server's domain. This can cause SPF to fail alignment, even if the original SPF passed. DKIM signatures can also be invalidated during forwarding, leading to DKIM alignment failures. This is a very common reason for a lower DMARC percentage.
Third-party sending services: Many ESPs (like Mailchimp, by default) send emails on your behalf, but they may use their own domain in the Return-Path or DKIM d= tag, rather than your domain. This leads to an authentication pass, but an alignment failure. This is often described as SPF passing in the headers but not in Google Postmaster Tools.
DNS issues: Transient DNS failures or misconfigurations can also lead to intermittent DMARC alignment failures, even if your SPF and DKIM records are generally correct.
Beware of unaligned third-party sends
When using third-party services to send emails, always ensure they support custom Return-Path domains (for SPF alignment) and allow you to sign emails with your own domain (for DKIM alignment). Without this, your DMARC compliance will suffer, regardless of your SPF and DKIM authentication rates.
Leveraging DMARC reports for precise troubleshooting
While Google Postmaster Tools offers a helpful overview, it does not provide the granular detail needed to pinpoint specific DMARC failures. For that, you need DMARC aggregate (RUA) reports. These reports are XML files sent to the email address specified in your DMARC record, offering comprehensive data on email authentication and alignment. You can find more about this in our ultimate guide to Google Postmaster Tools.
Analyzing DMARC reports will show you exactly which sources are sending mail on your behalf, whether that mail is passing SPF and DKIM, and critically, whether it's achieving DMARC alignment. Look for disposition=none or disposition=fail entries where SPF or DKIM may pass but alignment is absent. This level of detail is unavailable directly within GPT. Our guide on understanding and troubleshooting DMARC reports offers more insights.
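As an added example (not a Suped tool and not code from the original article), the sketch below reads an aggregate report in the RFC 7489 XML format and separates raw authentication results (auth_results) from the aligned results the receiver recorded (policy_evaluated). The sample report, its IP addresses and its domains are constructed, and the function name summarize is illustrative.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report, trimmed to the RFC 7489 fields used below.
SAMPLE_RUA = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>940</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounces.esp.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>60</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example.net</domain><result>pass</result></dkim>
      <spf><domain>bounces.esp.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def summarize(rua_xml: str) -> dict:
    """Message-weighted pass rates plus sources that authenticate but do not align."""
    # Reports arrive from external receivers: treat the XML as untrusted input
    # and use a hardened parser (for example defusedxml) outside of a demo.
    root = ET.fromstring(rua_xml)
    totals, unaligned = Counter(), []
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count"))
        evaluated = rec.find("row/policy_evaluated")  # aligned (DMARC) results
        dmarc_ok = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        auth = rec.find("auth_results")               # raw authentication results
        spf_ok = any(s.findtext("result") == "pass" for s in auth.findall("spf"))
        dkim_ok = any(d.findtext("result") == "pass" for d in auth.findall("dkim"))
        totals.update(total=count, spf=count * spf_ok,
                      dkim=count * dkim_ok, dmarc=count * dmarc_ok)
        if (spf_ok or dkim_ok) and not dmarc_ok:
            domains = sorted({e.findtext("domain") for e in auth})
            unaligned.append((rec.findtext("row/source_ip"), count, domains))
    pct = {k: round(100 * totals[k] / totals["total"], 1) for k in ("spf", "dkim", "dmarc")}
    return {"percent": pct, "unaligned_sources": unaligned}
```

On the constructed report this yields 100% SPF, 100% DKIM and 94% DMARC, and names 198.51.100.7 as the source whose mail authenticates only under the ESP's domains.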
If you currently don't have a DMARC reporting solution, setting one up is the most crucial step to gain visibility into these alignment failures. This allows you to identify rogue senders or misconfigurations causing your DMARC percentage to be lower than your SPF and DKIM authentication rates. Consider using our free DMARC record generator tool to get started.
Views from the trenches
Best practices
Always implement DMARC with 'p=none' initially to gather data before enforcing a policy.
Use a DMARC reporting tool to analyze RUA reports for detailed insights into your email streams.
Ensure all legitimate sending sources (ESPs, transactional email services) align SPF and DKIM with your 'From:' domain.
Common pitfalls
Misinterpreting 100% SPF/DKIM pass rates in GPT as full DMARC compliance.
Not configuring third-party senders for SPF and DKIM alignment with your primary domain.
Ignoring DMARC aggregate reports, which contain critical troubleshooting data.
Expert tips
Use forensic (RUF) reports in conjunction with aggregate reports for deep dives into specific failures.
Implement subdomains for different sending purposes to isolate potential issues and simplify troubleshooting.
Leverage the DMARC 'sp' tag (subdomain policy) to manage alignment for subdomains effectively.
Expert view
Expert from Email Geeks says that DMARC failures can occur due to unaligned SPF and DKIM, even if authentication passes. These failures are included in DMARC reporting, which should be the primary source for troubleshooting.
Jan 16, 2020 - Email Geeks
Marketer view
Marketer from Email Geeks says that email forwarding is a common reason for DMARC failures, as it can break DKIM and replace SPF, even if the initial authentication passes.
Jan 16, 2020 - Email Geeks
Key takeaways
The disparity between 100% SPF/DKIM authentication in Google Postmaster Tools and a lower DMARC percentage is a common point of confusion. It fundamentally comes down to the difference between authentication success and domain alignment.
While GPT provides valuable insights into your domain's authentication health, DMARC reports are the authoritative source for diagnosing alignment issues. By diligently monitoring and analyzing these reports, you can identify the exact causes of DMARC failures and take corrective action to improve your email deliverability and strengthen your domain's reputation.