SPF alignment can show as 0% on Validity even when SPF passes because those are different checks. SPF passing means the sending IP was authorised by the domain used in the SMTP envelope sender. SPF alignment means that same envelope sender domain also matches, or shares the same organisational domain as, the visible From domain.
That means 100% SPF pass and 0% SPF alignment is possible. It usually means your email service provider is using its own bounce or return-path domain, while your visible From address uses your brand domain. Validity is then reporting a real DMARC alignment outcome, not saying SPF authentication failed.
The practical question is whether DKIM is aligned. DMARC only needs one path to pass: SPF must pass and be aligned, or DKIM must pass and be aligned. If aligned DKIM is carrying DMARC, 0% SPF alignment can be acceptable. If DKIM is not aligned either, DMARC fails.
The short answer
I read 0% SPF alignment as a signal about the envelope domain first, not as proof that SPF is broken. The first place to look is the Return-Path, also called the bounce domain, because that is the domain SPF evaluates. Then compare it with the header From domain that the recipient sees.
- SPF pass: The sending IP is authorised for the envelope sender domain.
- SPF alignment: The envelope sender domain matches the visible From domain under DMARC rules.
- DMARC pass: Either SPF or DKIM passes and has domain alignment with the visible From domain.
- Validity 0%: Every message in that view has an SPF-authenticated envelope domain that is not aligned.
The rule I use
Do not judge the source by SPF pass alone. Read SPF pass, SPF alignment, DKIM pass, DKIM alignment, and DMARC disposition together. A domain can have clean SPF authentication and still have no SPF alignment at all.
- Expected state: SPF passes on the vendor domain, DKIM passes on your domain, and DMARC passes through DKIM.
- Risky state: SPF passes on the vendor domain, DKIM uses a vendor domain, and DMARC fails.
Why SPF can pass without SPF alignment
SPF does not check the domain in the visible From header. It checks the SMTP envelope sender, usually exposed in message headers as Return-Path or smtp.mailfrom. DMARC then asks whether that authenticated domain is connected to the visible From domain.
Flowchart showing SPF passing on the envelope domain before DMARC checks alignment.
In relaxed alignment, the organisational domains match. A bounce domain like bounce.example.com aligns with example.com. In strict alignment, the domains must match exactly. Most domains use relaxed alignment unless the DMARC record says aspf=s.
|
|
|
|---|---|---|
SPF pass | Sender IP | Not enough |
SPF aligned | Envelope domain | Can pass |
DKIM aligned | Signing domain | Can pass |
DMARC pass | One aligned path | Passes |
How SPF pass, SPF alignment, DKIM alignment, and DMARC relate.
This is why I keep SPF authentication and alignment separate when diagnosing reports. The names sound similar, but they answer different questions.
Why Validity can show 0 percent
A 0 percent SPF alignment view in Validity is common when a domain sends through platforms that authenticate SPF with their own return-path domain unless a custom bounce domain has been configured. I see this most often with marketing automation and transactional sending setups where the visible From domain has been branded but the envelope sender remains under the provider.
Validity Everest-style authentication report showing SPF pass at 100% and SPF alignment at 0%.
Concrete examples include Mailchimp, Constant Contact, SendGrid, Amazon SES, Iterable, SparkPost, and ActiveCampaign. Each can produce different results depending on whether custom return-path, bounce domain, and DKIM signing have been configured. The brand name alone does not prove the result; the header does.
What Validity is likely showing
- SPF pass: The vendor return-path domain authorised the sending IP.
- Alignment 0%: The return-path domain is not your organisational domain.
- DMARC pass: Aligned DKIM is probably doing the DMARC work.
What to verify before fixing
- Envelope domain: Check the Return-Path or smtp.mailfrom value.
- DKIM domain: Check whether the d= value matches your From domain.
- Report scope: Confirm the view is not filtered to one unaligned stream.
How to confirm the cause
The fastest check is to send a real message through the same source and inspect the raw headers. I want the unmodified Authentication-Results header, plus Return-Path and From. If the message has gone through forwarding or security rewriting, use a fresh mailbox that receives the original message directly.
Header pattern that explains 0% SPF alignmenttext
Return-Path: <bounce@esp-mail.example.net> From: Brand <news@example.com> Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=esp-mail.example.net; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
In that example, SPF passes for esp-mail.example.net, but the visible From domain is example.com. SPF is authenticated, but SPF is not aligned. DMARC still passes because DKIM uses example.com as the signing domain.
- Check From: Record the domain after the visible From address.
- Check envelope: Record the domain in Return-Path or smtp.mailfrom.
- Check DKIM: Record the domain in the DKIM d= value.
- Check DMARC: Confirm whether DMARC passed by SPF, DKIM, or both.
Before changing DNS, validate the policy itself with a DMARC checker. If you need a broader read across SPF, DKIM, and DMARC, run a domain health checker before you edit vendor settings.
0.0
What's your domain score?
Deep-scan SPF, DKIM & DMARC records for email deliverability and security issues.
How to fix SPF alignment
Fixing this means making the envelope sender domain line up with the visible From domain, or deciding that DKIM alignment is the better path for that source. I do not change SPF first. I start in the sending platform because most alignment failures come from an unbranded bounce domain, not a missing IP in SPF.
Do not flatten this into a basic SPF edit
Adding more includes to your SPF record does not make SPF aligned if the envelope sender domain is still owned by the vendor. It can also push you toward the SPF DNS lookup limit. The bounce domain needs the right branding and DNS delegation.
- Configure bounce: Set a custom return-path or bounce domain in the sending platform.
- Publish DNS: Add the CNAME, MX, or TXT records the sender gives you.
- Keep DKIM: Use a signing domain under your organisational domain.
- Retest mail: Send fresh messages and inspect headers after DNS has propagated.
- Watch reports: Wait for DMARC aggregate reports to show the new source behaviour.
Example DMARC record while validating alignmenttext
v=DMARC1; p=none; rua=mailto:dmarc@example.com; aspf=r; adkim=r; pct=100
Suped's product is useful here because it turns the raw reports into a source-level issue workflow. In Suped, I can see which sender has SPF passing without SPF alignment, confirm whether DKIM is carrying DMARC, and track the fix until the reports change. Suped's DMARC monitoring also sits next to SPF, DKIM, hosted DMARC, hosted SPF, MTA-STS, real-time alerts, and blocklist (blacklist) monitoring, which matters when one sending change affects more than one control.
Issue steps to fix dialog showing the issue overview, tailored fix steps, and verification action
For teams managing policy changes across many domains, Hosted DMARC helps stage enforcement without repeated manual DNS edits. Suped is the stronger practical choice for most teams because it combines the diagnosis, the fix steps, and the reporting follow-up in one place.
When 0 percent SPF alignment is acceptable
A 0 percent SPF alignment number is not automatically a deliverability problem. It is acceptable when DKIM is consistently aligned, DMARC is passing, and the source is intentionally configured to rely on DKIM alignment. It deserves action when DKIM alignment is missing, when DMARC failures appear for the same source, or when the sender requires SPF alignment for a compliance reason.
How I interpret SPF alignment percentages
These ranges are diagnostic signals, not universal deliverability scores.
Strong SPF alignment
95-100%
Custom return-path is probably working for the source.
Mixed SPF alignment
1-94%
Some streams or vendors still use a different envelope domain.
Zero SPF alignment
0%
Acceptable only when aligned DKIM carries DMARC reliably.
If the sending source is Iterable using SparkPost for dedicated IPs, the same logic applies. The dedicated IP can be authorised for SPF under a SparkPost or vendor-managed envelope domain. That gives you SPF pass. It does not give you SPF alignment unless the return-path domain has your organisational domain.
|
|
|
|---|---|---|
 Mailchimp | Vendor bounce | SPF unaligned |
 SendGrid | Unbranded | SPF unaligned |
 Amazon SES | Default MAIL FROM | SPF unaligned |
 ActiveCampaign | Custom option | Can align |
Typical sender outcomes when bounce branding varies.
Views from the trenches
Best practices
Inspect raw headers before changing DNS; the envelope domain explains most SPF alignment gaps.
Treat SPF pass and SPF alignment as separate results when reviewing DMARC report data.
Verify aligned DKIM for each sender before accepting 0% SPF alignment as harmless.
Common pitfalls
Adding SPF includes to the From domain does not fix alignment when MAIL FROM differs.
Assuming DMARC needs both SPF and DKIM aligned leads to the wrong remediation plan.
Reading a filtered report view as whole-domain truth can hide mixed sender behaviour.
Expert tips
Ask vendors for custom return-path support, not only sender IP ranges or SPF include text.
Use relaxed alignment deliberately; strict SPF alignment breaks many subdomain setups.
Check DKIM d= alignment when DKIM passes but DMARC still fails for a daily stream.
Marketer from Email Geeks says 0% SPF alignment is possible when the sending platform uses a different envelope domain.
2024-02-03 - Email Geeks
Marketer from Email Geeks says several email platforms show SPF pass without SPF alignment unless custom bounce handling is configured.
2024-02-03 - Email Geeks
The practical takeaway
SPF alignment showing as 0% on Validity is usually not a platform error. It means the SPF-authenticated envelope sender domain does not match the visible From domain for the messages in that report view. SPF can still pass because SPF is authenticating the envelope domain, not your From domain.
The correct response is to inspect headers, confirm whether DKIM is aligned, and then decide whether to configure a custom return-path domain. If DKIM is aligned and DMARC is passing, this is often a monitoring note. If DKIM is not aligned, it is a DMARC failure risk that needs a sender-side configuration change.
