
How to Check DMARC Alignment for Cold Email Domains

DMARC can fail even when SPF and DKIM both pass individually. Here's how alignment works and how to verify it end-to-end.

You're not sure whether your DMARC alignment is correct. You have DMARC set up and it shows some kind of status in email headers, but you want to verify that alignment is actually working the way it needs to for your cold email infrastructure.

Why This Matters

DMARC alignment is the mechanism that connects your From header domain to either your SPF domain or your DKIM domain. Without alignment, DMARC can fail even if SPF and DKIM both pass individually. For direct cold email, that means the domain in the sender's From header must align with either the SPF domain or the DKIM domain.

Alignment issues are one of the most common hidden causes of deliverability problems. Everything looks like it works in isolation but DMARC fails because the pieces don't connect to each other properly.

How DMARC Alignment Works

SPF alignment: The domain in the envelope sender (Return-Path or MAIL FROM) must match the domain in the From header. "Match" can mean exact match (strict alignment) or organizational domain match (relaxed alignment, which is the default).

DKIM alignment: The domain in the DKIM signature's d= tag must match the domain in the From header. Same strict vs relaxed alignment rules apply.

DMARC passes if either SPF alignment or DKIM alignment passes. Having both aligned is ideal.

Step-by-Step Verification

Send a test email from your cold email inbox to a personal Gmail account you control. Open the email in Gmail → click the three dots → "Show original."

Look for the Authentication-Results header showing something like:

spf=pass ... domain matching your envelope sender
dkim=pass ... d= matching your signing domain
dmarc=pass

Check the SPF domain (the Return-Path or envelope sender domain) and compare it to your From header domain. If they match at the organizational domain level (same root domain; subdomains count as a match), SPF alignment passes.

Check the DKIM d= value and compare it to your From header domain. If they match at the organizational domain level, DKIM alignment passes.

If DMARC shows FAIL in the headers despite SPF and DKIM passing individually, alignment is broken. Use the DMARC lookup to check your policy settings and alignment modes.
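The same comparison can be scripted against the raw text from "Show original". The following is an added example, not code from this guide or from any tool it mentions. It assumes a constructed sample message, a simplified organizational-domain rule (last two labels), and one alignment mode applied to both SPF and DKIM.

```python
import email
from email.utils import parseaddr

# Constructed sample (not a real message): the outreach tool uses its own
# envelope sender and DKIM domain while the From header shows your domain.
SAMPLE = """\
Return-Path: <bounce@outreachtool.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@outreachtool.com;
 dkim=pass header.d=outreachtool.com;
 dmarc=fail header.from=mail.yourdomain.com
DKIM-Signature: v=1; a=rsa-sha256; d=outreachtool.com; s=s1; bh=x; b=y
From: Sales <sam@mail.yourdomain.com>
Subject: alignment test

body
"""

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real DMARC evaluators use the Public Suffix List (needed for .co.uk etc.).
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    if not auth_domain or not from_domain:
        return False  # e.g. an empty Return-Path (<>) can never align
    if strict:
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def dkim_d(header):
    # Parse the tag=value list and return the d= (signing domain) tag.
    tags = {k.strip(): v.strip() for k, _, v in
            (t.partition("=") for t in header.split(";"))}
    return tags.get("d", "").lower()

def check_alignment(raw, strict=False):
    msg = email.message_from_string(raw)
    dom = lambda addr: parseaddr(addr or "")[1].rpartition("@")[2].lower()
    from_dom, spf_dom = dom(msg["From"]), dom(msg["Return-Path"])
    dkim_doms = [dkim_d(h) for h in msg.get_all("DKIM-Signature", [])]
    # Alignment only counts when the mechanism itself passed. Simplification:
    # a dkim=pass result is not tied to one specific signature here.
    results = " ".join(msg.get_all("Authentication-Results", []))
    spf_ok = "spf=pass" in results and aligned(spf_dom, from_dom, strict)
    dkim_ok = "dkim=pass" in results and any(
        aligned(d, from_dom, strict) for d in dkim_doms)
    return {"from": from_dom, "spf_domain": spf_dom, "dkim_domains": dkim_doms,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_aligned": spf_ok or dkim_ok}
```

Calling check_alignment(SAMPLE) reports both mechanisms as unaligned even though each one passed, which is the failure pattern described above.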

Common Alignment Problems

Your outreach tool sends email using its own envelope sender domain, not yours. The From header shows your domain, but the Return-Path is something like bounce@outreachtool.com. SPF passes for the outreach tool's domain, but alignment with your From domain fails.

Your DKIM signature uses the outreach tool's domain in the d= tag rather than your domain. DKIM passes for their domain, but alignment with your From domain fails.

You're using a subdomain in your From address but your SPF and DKIM are set up for the root domain. Relaxed alignment usually handles this, but strict alignment would fail.

The Fix Path

Configure your outreach tool to use your domain as the envelope sender. This often involves adding DNS records that let the tool send on behalf of your domain.

Configure your outreach tool to sign with your domain's DKIM key. Most tools support custom DKIM signing.

Use relaxed alignment in your DMARC record (aspf=r; adkim=r). This is the default and allows subdomains to align with the organizational domain.

Test after every change by sending to a Gmail account and checking the original message headers. Run the placement test to confirm end-to-end alignment results.

When to Replace Instead of Repair

Alignment issues are always repairable through DNS and outreach tool configuration. You never need to replace infrastructure just because of alignment problems. Fix the configuration and alignment starts passing as soon as the DNS changes have propagated.

Mistakes That Make This Worse

  • Not verifying alignment after setting up a new outreach tool
  • Assuming that SPF and DKIM passing means DMARC passes
  • Using strict alignment when relaxed would solve the problem
  • Setting up DMARC with p=reject before verifying alignment, which causes legitimate emails to be rejected

Run the checks first

Before replacing anything, run a free inbox placement test. You might find the issue is DNS, not the domain — and save yourself a week of unnecessary work.
