DMARC Failing? How to Fix DMARC Alignment Issues (2026)

Zeeshan Waheed
11 min read
Cold Email Infrastructure

You set up DMARC. Your DNS shows it's there.

But your emails are still bouncing or going to spam. Email authentication check shows "DMARC alignment failed."

DMARC alignment failure is a silent killer. You can have everything else right and still fail if DMARC/SPF/DKIM aren't aligned.

This post walks you through what alignment means, why it fails, and how to fix it.

What Is DMARC (And Why It Matters for Cold Email)

DMARC = Domain-based Message Authentication, Reporting & Conformance.

It's a policy that says: "I own this domain. If an email claims to be from my domain but I didn't send it, here's what you should do with it."

Why ISPs care:

  • Without DMARC: Anyone can send emails claiming to be from your domain (spoofing)
  • With DMARC: Only authenticated emails pass (SPF/DKIM pass and align with domain)
  • ISPs check DMARC before deciding if email is legitimate

DMARC failure = Email gets rejected or marked suspicious = Spam folder or bounce

DMARC Alignment Explained

DMARC alignment means:

  1. Email must pass SPF check (IP is authorized)
  2. Email must pass DKIM check (signature is valid)
  3. And: Both SPF and DKIM must show the same domain as the sender

Example of alignment:

Email claims to be from: john@yourdomain.com

SPF check: yourdomain.com says "my server at IP 203.0.113.5 can send for me" → PASS

DKIM check: yourdomain.com's DKIM signature validates → PASS

Alignment: Both SPF and DKIM show "yourdomain.com" → ALIGN

Result: DMARC passes. ISP trusts email. Goes to inbox.

Email claims to be from: john@yourdomain.com

SPF check: mail.sendingservice.com says "my server at IP 203.0.113.5 can send for yourdomain.com" → PASS

DKIM check: mail.sendingservice.com's DKIM signature validates → PASS

Alignment: SPF shows sendingservice.com, DKIM shows sendingservice.com, but email is from yourdomain.com → MISALIGN

Result: DMARC fails. ISP treats as suspicious. Spam folder or bounce.

This is the common case. Your ESP's server is sending, but alignment fails.

The 3 Requirements for DMARC to Pass

Requirement 1: SPF Record Must Exist and Authenticate Your Server

SPF (Sender Policy Framework) tells ISPs which servers can send from your domain.

Check SPF:

  1. Go to mxtoolbox.com
  2. Click "SPF Record"
  3. Enter your domain
  4. Check result

What you should see:

  • Green: "Pass" - SPF record exists and is valid
  • Red: "Fail," "Error," or "None found" - SPF is broken

If SPF shows red:

You need to add an SPF record to your DNS.

  1. Log into your domain registrar (GoDaddy, Namecheap, Bluehost, etc)
  2. Find DNS/DNS Records section
  3. Add a TXT record with this value: v=spf1 include:sendingservice.com ~all
  • Replace "sendingservice.com" with your actual email service (instantly.ai, smartlead.ai, your mail server, etc)
  • If you have multiple services, add multiple includes: v=spf1 include:service1.com include:service2.com ~all
  1. Save and wait 24-48 hours for DNS to propagate
  2. Re-check at mxtoolbox.com (should now show "Pass")

Common SPF issue: Too many includes (over 10 lookups)

If you use 3+ email services, SPF can break due to DNS lookup limits.

Example: You use HubSpot, Mailchimp, SendGrid, ActiveCampaign, and your email provider.

SPF record: v=spf1 include:sendgrid include:hubspot include:mailchimp include:activecampaign include:your-mail-server ~all

That's 5 includes. Each include = 1 DNS lookup. But SPF has a limit: 10 lookups maximum.

If you hit 10+, ISPs reject the entire SPF record.

The fix for too many SPF includes:

Use SPF flattening. Instead of includes, you list IPs directly.

This is complex, so contact your domain host and say: "My SPF record has too many includes. Can you flatten it?"

They'll convert: include:sendgrid → the actual IP addresses SendGrid uses, removing the include.

Requirement 2: DKIM Record Must Exist and Validate Email Signature

DKIM (DomainKeys Identified Mail) is a cryptographic signature proving the email is legitimate.

Your email service generates a public key that goes in DNS. When they send emails, they sign them with a private key. ISPs validate the signature using the public key.

Check DKIM:

  1. Go to mxtoolbox.com
  2. Click "DKIM Record"
  3. Enter your domain
  4. Check result

What you should see:

  • Green: DKIM record found with a long public key
  • Red: "Error" or "None found" - DKIM missing

If DKIM shows red:

  1. Log into your email service (Instantly, SmartLead, SendGrid, etc)
  2. Find DKIM setup instructions (usually under "Domain Configuration" or "Email Authentication")
  3. Copy the DKIM public key they provide
  4. Log into your domain registrar
  5. Find DNS/DNS Records section
  6. Add a TXT record called "default._domainkey" (or whatever your service specifies)
  7. Paste the public key value
  8. Save and wait 24-48 hours
  9. Re-check at mxtoolbox.com (should show "Pass")

Common DKIM issue: Using wrong selector

Different email services use different DKIM selectors. If you configure it wrong, the selector name won't match.

Example: You add DKIM record at "selector1._domainkey" but your service is looking for "default._domainkey."

DKIM check won't find it because it's looking in the wrong place.

The fix:

  1. Ask your email service: "What's the exact DKIM selector you use?" (Usually it's "default" or "selector1" or "sm" or something)
  2. Add the record under that exact name
  3. Re-check

Requirement 3: SPF and DKIM Must Align with Your Sending Domain

This is where most people mess up.

SPF and DKIM can both pass, but if they don't align with your domain, DMARC fails.

What alignment means:

SPF alignment: The domain in the SPF "from" address matches your sending domain.

Example:

  • Email from: john@yourdomain.com
  • SPF says: yourdomain.com authorized our server
  • Alignment: YES (both reference yourdomain.com)

vs

  • Email from: john@yourdomain.com
  • SPF says: mail.sendingservice.com authorized this server (but only for sendingservice.com, not yourdomain.com)
  • Alignment: NO (SPF authorizes sendingservice.com, email is from yourdomain.com)

DKIM alignment:

DKIM signature is signed by yourdomain.com's private key.

  • Email from: john@yourdomain.com
  • DKIM signature: Signed with yourdomain.com's private key
  • Alignment: YES

vs

  • Email from: john@yourdomain.com
  • DKIM signature: Signed with mail.sendingservice.com's private key
  • Alignment: NO

The fix for alignment:

For SPF alignment:

  • Your SPF record must include your domain: v=spf1 include:yourdomain.com ...
  • Or: Configure your email service to send "from yourdomain.com" not from their domain
  • Most ESP allow this in settings (check your sending domain configuration)

For DKIM alignment:

  • Your DKIM record must be under yourdomain.com
  • And your email service must sign with yourdomain.com's key
  • This is automatic if DKIM is set up correctly

DMARC Record Setup (Final Step)

After SPF and DKIM are working, add DMARC policy.

What DMARC policy does:

  • Tells ISPs what to do if alignment fails
  • Options: Quarantine (spam folder), Reject (bounce), or Monitor (no action, just report)

Set up DMARC:

  1. Go to your domain registrar
  2. Find DNS/DNS Records
  3. Add TXT record called "_dmarc"
  4. Use this value (for monitoring/testing):

v=DMARC1; p=quarantine; rua=mailto:your-email@yourdomain.com; ruf=mailto:your-email@yourdomain.com; fo=1

What each part means:

  • v=DMARC1 - DMARC version
  • p=quarantine - Policy: quarantine (spam folder) if alignment fails. Use this for testing. After 1 week, you can change to p=reject (bounce)
  • rua=mailto: - Email address to send aggregate reports to (tells you if alignment passes/fails)
  • ruf=mailto: - Email address to send forensic reports to (details on failures)
  • fo=1 - Report on all failures
  1. Save
  2. Wait 24 hours for DNS to propagate
  3. Check at mxtoolbox.com: Should show your DMARC record in green

The Complete DMARC/SPF/DKIM Checklist

Run through this to fix alignment:

  1. SPF Record:
  • Check at mxtoolbox.com SPF Record tool
  • Should show green "Pass"
  • If red: Add SPF record to your domain DNS
  • If too many includes: Ask your domain host to flatten
  1. DKIM Record:
  • Check at mxtoolbox.com DKIM Record tool
  • Should show green with a long public key
  • If red: Get DKIM from your email service, add to domain DNS
  • Verify exact selector name matches
  1. DMARC Record:
  • Check at mxtoolbox.com DMARC Record tool
  • Should show green
  • If not: Add DMARC TXT record to DNS (see above)
  1. Alignment Test:
  • Send test email to yourself
  • Check email headers (Gmail: ⋮ → Show original)
  • Look for: "SPF: pass" and "DKIM: pass" and "DMARC: pass"
  • If all 3 show "pass": Alignment is correct
  1. Policy Test:
  • Start with p=quarantine for 1-2 weeks
  • Check DMARC reports: Do they show alignment passing?
  • If mostly passing: Upgrade to p=reject (stricter, bounces failures)
  • If many failures: Debug alignment issues first, don't set to reject

Real Example: DMARC Fix at Enterprise Scale

One SaaS client had 5 domains and 100+ sending IP addresses.

Situation:

  • Emails bouncing: 8-10% bounce rate despite good list
  • DNS check showed SPF misaligned
  • DKIM was missing on some domains
  • DMARC policy was set to reject without full alignment

What we fixed:

  1. Fixed SPF on all 5 domains (some had old/broken records)
  2. Added DKIM to 3 domains that were missing it
  3. Verified alignment on all domains
  4. Set DMARC to quarantine temporarily, monitored reports for 1 week
  5. Once passing consistently, upgraded to reject

Results:

  • Bounce rate: 8-10% → 2-3%
  • Inbox placement: 60% → 80%
  • Reply rate: 0.8% → 2.2% (just from deliverability improvement)

Total time to fix: 4 hours of work across 5 domains.

Troubleshooting: When Alignment Still Fails

If you've done all above and alignment still fails:

Check email headers:

  1. Send test email to yourself
  2. Open it
  3. Click ⋮ (three dots)
  4. Select "Show original"
  5. Search for "SPF" and "DKIM" and "DMARC"
  6. Look at each result:
  • SPF: pass or fail?
  • DKIM: pass or fail?
  • DMARC: pass or fail?

If SPF shows fail:

  • Your email service's IP is not in SPF record
  • Contact your email service: "What IP do I add to SPF?"
  • Add that IP to SPF record

If DKIM shows fail:

  • DKIM record is wrong or missing
  • Re-check DKIM setup
  • Verify selector name is exact

If DMARC shows fail but SPF and DKIM pass:

  • This is rare
  • Usually indicates domain mismatch (email from yourdomain.com but SPF is for subdomain.yourdomain.com)
  • Check that all 3 are consistent

If all pass but emails still bounce:

  • DMARC is working, different problem
  • Check: Blacklist status, IP reputation, email content
  • See other posts in this series

FAQ

Q: Do I need DMARC to send cold email?

A: SPF and DKIM, yes (non-negotiable). DMARC, no (but highly recommended). ISPs trust SPF/DKIM, less critical on DMARC.

Q: Can I use a subdomain for DMARC/SPF/DKIM?

A: Yes. mail.yourdomain.com can have its own SPF/DKIM/DMARC. But generally, use your primary domain for cold email.

Q: How long after fixing does DMARC alignment work?

A: 24-48 hours for DNS propagation. After that, emails should authenticate immediately.

Q: Should I set DMARC to reject or quarantine?

A: Start with quarantine. Test for 1 week. Check reports. If alignment is passing 95%+, upgrade to reject.

Q: What if I have multiple email services sending from same domain?

A: All must be listed in SPF. If too many, use SPF flattening. Alternatively, use different subdomains (mail1.yourdomain.com, mail2.yourdomain.com) and set up separate SPF for each.

Q: Do I need separate DKIM for each email service?

A: Each service has its own DKIM key. Add all of them to your domain DNS under different selectors (selector1, selector2, etc) or ask them which selector to use.

Next Steps

  1. Check DNS right now at mxtoolbox.com:
  • SPF Record check
  • DKIM Record check
  • DMARC Record check
  1. If any show red: Fix that one (15-30 minutes per issue)
  2. Add missing records to domain DNS
  3. Wait 24-48 hours for propagation
  4. Re-check all three (should show green)
  5. Send test email, check headers for "pass" on all three
  6. If all pass, emails should stop bouncing and improve deliverability significantly

If you have multiple domains or complex infrastructure, professional setup makes sense.

Check our packages: https://imisofts.com/cold-email-marketing#packages

Read next: SPF Record Too Many Lookups | Cold Email Deliverability | DNS Setup

Frequently Asked Questions

SPF and DKIM, yes (non-negotiable). DMARC, no (but highly recommended). ISPs trust SPF/DKIM, less critical on DMARC.
Yes. mail.yourdomain.com can have its own SPF/DKIM/DMARC. But generally, use your primary domain for cold email.
24-48 hours for DNS propagation. After that, emails should authenticate immediately.
Start with quarantine. Test for 1 week. Check reports. If alignment is passing 95%+, upgrade to reject.
All must be listed in SPF. If too many, use SPF flattening. Alternatively, use different subdomains (mail1.yourdomain.com, mail2.yourdomain.com) and set up separate SPF for each.

Ready to scale your cold email infrastructure?

See our packages and get started with a system built for deliverability.

View Our Packages