--- title: "What Is DMARC Alignment, And How Does It Work | DMARC Report" description: "What Is DMARC Alignment, And How Does It Work: DMARC alignment means the domain in the From header must match the domain that passed SPF or DKIM." image: "https://dmarcreport.com/og/blog/what-is-dmarc-alignment-and-how-does-it-work.png" canonical: "https://dmarcreport.com/blog/what-is-dmarc-alignment-and-how-does-it-work/" --- Quick Answer DMARC alignment means the domain in the \`From\` header must match the domain that passed SPF or DKIM authentication. Related: [Free DMARC Checker](/tools/dmarc-checker/) ·[How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fwhat-is-dmarc-alignment-and-how-does-it-work%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=What%20Is%20DMARC%20Alignment%2C%20And%20How%20Does%20It%20Work&url=undefined%2Fblog%2Fwhat-is-dmarc-alignment-and-how-does-it-work%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fwhat-is-dmarc-alignment-and-how-does-it-work%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fwhat-is-dmarc-alignment-and-how-does-it-work%2F&title=What%20Is%20DMARC%20Alignment%2C%20And%20How%20Does%20It%20Work "Share on Reddit") [ ](mailto:?subject=What%20Is%20DMARC%20Alignment%2C%20And%20How%20Does%20It%20Work&body=Check out this article: undefined%2Fblog%2Fwhat-is-dmarc-alignment-and-how-does-it-work%2F "Share via Email") ![What Is DMARC Alignment, And How Does It Work](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) ## Try Our Free DMARC Checker Validate your DMARC policy, check alignment settings, and verify reporting configuration. [ Check DMARC Record → ](/tools/dmarc-checker/) \*\*DMARC alignment means the domain in the `From` header must match the domain that passed SPF or DKIM authentication. Without alignment, an attacker can pass SPF with their own domain while spoofing yours in the visible `From` header. Alignment is defined in [RFC 7489 §3.1.2](https://datatracker.ietf.org/doc/html/rfc7489#section-3.1.2) and comes in two modes: relaxed (subdomains match the parent) and strict (exact match required). > DMARC is the only email authentication protocol that gives you both enforcement and visibility, says Brad Slavin, General Manager of DuoCircle. SPF and DKIM authenticate silently - DMARC tells you what happened and lets you control the outcome. That combination of reporting and policy is why DMARC adoption is accelerating. ## **What is DMARC Alignment?** ![Dmarc analyzer](https://media.mailhop.org/dmarcreport/images/2026/03/dmarc-analyzer-3978.jpg) [Email service providers](https://www.icontact.com/define/email-service-provider/) don’t just check the legitimacy of an email by verifying whether the sending domain is approved by the sender or whether the message has remained unchanged in transit. They go a step ahead and check whether those \*\*authentication results actually belong to the domain shown in the From address. DMARC is now required by [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) (US federal), [PCI DSS v4.0](https://www.pcisecuritystandards.org/) (payment processors), Google/Yahoo/Microsoft (bulk senders), and government agencies in the UK, Australia, and Canada. To do this, DMARC looks at three things: the domain in the From header, the domain used in the [Return-Path](https://emaillabs.io/en/what-is-return-path/) for SPF, and the domain used in the [DKIM signature](https://docs.mapp.com/docs/dkim-signature). If an email passes [SPF](https://autospf.com/blog/spf-guide-understanding-sender-policy-framework/) or DKIM using the same domain shown in the From address, the sender identity is considered consistent . When those domains don’t line up, it signals that the email may not actually be coming from the sender it claims to represent. ![Dmarc record generator](https://media.mailhop.org/dmarcreport/images/2026/03/dmarc-record-generator-6788.jpg) DMARC alignment helps **maintain this consistency**. It ensures that emails are not just technically authenticated, but also accurately represent who they are from. Once the ESPs are sure of the legitimacy of the email, they can decide how to handle it - whether the message should be delivered, filtered, or rejected. ## **How does DMARC alignment work?** When you send an email, your recipients don’t see what goes behind the scenes. They only see the one thing: who it’s from. That name or domain in the From address is what they trust. That’s exactly what **DMARC is meant to protect**. But this doesn’t mean that what happens behind the scenes automatically matches the domain in the From address\*\*. This is because an email can use different domains to send a message or sign it. When an email reaches the receiving server, it runs a few checks in the background. SPF looks at the Return-Path to see which domain actually sent the email, and [DKIM](https://dmarcreport.com/what-is-dkim/) checks which domain was used to sign the email to confirm that it wasn’t altered along the way. ![What is dmarc](https://media.mailhop.org/dmarcreport/images/2026/03/what-is-dmarc-3798.jpg) But there’s a problem here. Anyone, including [cybercriminals](https://incyber.org/en/article/united-states-amounts-stolen-by-cybercriminals-up-33/), can buy a domain and implement SPF and DKIM for it. This means that an attacker can easily send a [phishing email](https://thehackernews.com/2026/01/cybercriminals-abuse-google-cloud-email.html) with your \*\*company’s domain in the From address, while using their own domain for the Return-Path and DKIM. And since the Return-Path domain is not visible to the recipients, the email looks legitimate to them. _DMARC alignment addresses this problem by making sure the domain that sent or signed the email is the same domain shown in the From address_. So, after SPF and DKIM run, DMARC compares the domains they used with the From domain. If at least one of them matches, the email is considered aligned. If neither matches, DMARC treats the message as suspicious and applies the policy you’ve defined, such as \*\*quarantining or rejecting it. ## **Why is SPF and DKIM alignment important for sender identity?** ![Dmarc check](https://media.mailhop.org/dmarcreport/images/2026/03/dmarc-check-6499.jpg) As we have already established, \*\*passing authentication checks alone does not prove the authenticity of an email. SPF and DKIM confirm if the email is coming from an authorized source and if it was altered in transit, but that’s about it. To truly confirm the legitimacy of an incoming email, ESPs cannot rely on these checks alone, as they do not, by themselves, guarantee that the [authenticated domain](https://docs.customer.io/journeys/authentication/) is the same domain shown in the From address. Without alignment, an email can pass SPF and DKIM checks, yet be misleading about who sent it. Authentication identifier alignment helps close this gap by verifying whether the email sender is authorized to send messages on behalf of the domain visible to the recipients. For **mail service providers**, this alignment matters because it helps them distinguish [legitimate emails](https://www.usatoday.com/story/tech/2021/08/23/gmail-spam-filter-email-inbox-google/8242847002/) from malicious ones, even if they pass SPF and DKIM checks. ![Gmail dmarc](https://media.mailhop.org/dmarcreport/images/2026/03/gmail-dmarc-9228.jpg) If the incoming email is aligned, it is more likely to pass \*\*sender verification checks and be treated as trustworthy by the receiving server. If not, the ESPs perceive the message to be risky and might filter, quarantine, or reject it. On the surface, SPF and DKIM alignment sounds easier to achieve, but that’s not always the case, especially in complex [email ecosystems](https://www.axigen.com/articles/email-ecosystem%5F128.html). However, when you factor in [third-party email services](https://docs.acquia.com/acquia-cloud-platform/using-third-party-email-service), forwarding rules, and [legacy systems](https://www.techtarget.com/searchitoperations/definition/legacy-application), alignment can easily break. These systems may authenticate emails using their \*\*own domains or alter messages in transit, causing SPF or DKIM to pass even when they do to align with the visible From domain. ![Dmarc report](https://media.mailhop.org/dmarcreport/images/2026/03/dmarc-report-6677.jpg) ## \*\*To sum up Clearly, ensuring that your outgoing emails reach their recipients is no longer just about passing [email authentication](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) checks. Sender identity and alignment matter just as much as technical authentication . This is where [DMARC](https://incyber.org/en/article/united-states-amounts-stolen-by-cybercriminals-up-33/) alignment comes in. It ensures that the domain recipients see is the same domain that actually sends and signs the email. _If you do not give this assurance to the receiving servers, they might treat even your legitimate emails as suspicious._ This is why it is important that you go beyond \*\*cursory authentication checks and ensure that authentication and identity are tightly linked together. Want to get started with DMARC alignment for your domain? [Get in touch with us](https://dmarcreport.com/contact/)! ## Sources - [CISA Binding Operational Directive 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) - [PCI DSS v4.0 - DMARC Requirement](https://www.pcisecuritystandards.org/) (2025) - [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489) ## Topics [ dkim ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ SPF ](/tags/spf/) ![Vishal Lamba](https://media.mailhop.org/dmarcreport/images/team/vishal-lamba.jpg) [ Vishal Lamba ](/authors/vishal-lamba/) Content Specialist Content Specialist at DMARC Report. Writes vendor-specific email authentication guides and troubleshooting walkthroughs. [LinkedIn Profile →](https://www.linkedin.com/in/vishal-lamba/) ## Take control of your DMARC reports Turn raw XML into actionable dashboards. Start free - no credit card required. [Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) ## Related Articles [ Foundational 8m 10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[ Foundational 12m 10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[ Foundational 12m 10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[ Foundational 12m 10 Reasons SPF Filtering Is Critical For Email Security Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"What Is DMARC Alignment, And How Does It Work","description":"What Is DMARC Alignment, And How Does It Work: DMARC alignment means the domain in the From header must match the domain that passed SPF or DKIM.","url":"https://dmarcreport.com/blog/what-is-dmarc-alignment-and-how-does-it-work/","datePublished":"2026-03-02T10:49:12.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2026-03-02T10:49:12.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/vishal-lamba/#person","name":"Vishal Lamba","url":"https://dmarcreport.com/authors/vishal-lamba/","jobTitle":"Content Specialist","description":"Vishal Lamba writes DMARC Report's how-to guides and vendor-specific configuration walkthroughs. His work focuses on step-by-step implementation guides for major email platforms (Google Workspace, Microsoft 365, SendGrid, Mimecast, Proofpoint, Brevo, and others), troubleshooting common SPF and DMARC errors, and translating RFC-level specifications into practical deployment procedures for IT administrators.","image":"https://media.mailhop.org/dmarcreport/images/team/vishal-lamba.jpg","knowsAbout":["SPF Vendor Configuration","Email Platform Integrations","SPF Troubleshooting","Technical Documentation","Step-by-Step Guides"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/vishal-lamba/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/what-is-dmarc-alignment-and-how-does-it-work/"},"articleSection":"foundational","keywords":"dkim, DMARC, SPF","wordCount":1378,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"What Is DMARC Alignment, And How Does It Work","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"What Is DMARC Alignment, And How Does It Work","item":"https://dmarcreport.com/blog/what-is-dmarc-alignment-and-how-does-it-work/"}]} ```