DMARC Labs
Tags: DMARC, DKIM, Troubleshooting

DMARC Failing But DKIM Passes — 5 Root Causes and How to Fix Them

Email failing DMARC even though DKIM passes? Here are the five most common causes — alignment mismatch, forwarding, subdomain policy, wrong selector, p=reject — and how to diagnose each one.

July 9, 2025 · 11 min read

Your DMARC report shows DKIM passing, but messages are still failing DMARC. This is one of the most common and confusing email deliverability problems. A DKIM pass alone is not enough — DMARC has an additional requirement called alignment that catches exactly this scenario.

Note: Why a DMARC fail with a DKIM pass happens: DMARC requires that the DKIM signing domain (the d= tag of the signature) align with the domain in the From: header of the message. A valid DKIM signature from a different domain passes the DKIM check but fails DMARC alignment. This is the most common cause of the problem.

Understanding DMARC alignment

DMARC does not just check whether DKIM passes; it checks whether DKIM passes and aligns. Alignment means the DKIM signing domain (the d= tag) must match, or share an organizational domain with, the domain in the message's From: header.

There are two alignment modes, controlled by the adkim= tag in your DMARC record:

Mode | Tag | What it requires | Example
Relaxed (default) | adkim=r | DKIM d= shares the organizational domain of the From: domain | From: user@example.com, DKIM d=mail.example.com: PASS (same organizational domain)
Strict | adkim=s | DKIM d= must equal the From: domain exactly | From: user@example.com, DKIM d=mail.example.com: FAIL (not an exact match)

Most domains use relaxed alignment (adkim=r); if your DMARC record does not specify adkim=, relaxed is the default. The organizational domain is the registrable part of a name (example.com for mail.example.com, example.co.uk for news.example.co.uk), determined from the Public Suffix List rather than by counting labels. SPF has the same requirement, controlled by aspf=, and DMARC passes when at least one of the two checks is both valid and aligned.
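The two alignment modes above, worked through in code. This is an added example written for this edit, not code from the DMARC Labs article: it implements the DMARC DKIM alignment test for adkim=r and adkim=s, including the reverse case the table does not show (From: on a subdomain, d= on the organizational domain). Real verifiers derive the organizational domain from the Public Suffix List; the PUBLIC_SUFFIXES set here is a constructed stand-in so the code runs offline and is not a complete list.

```python
# Added example, not code from the DMARC Labs article: the DKIM alignment test
# DMARC applies, for adkim=r and adkim=s. Real verifiers derive the
# organizational domain from the Public Suffix List; PUBLIC_SUFFIXES below is a
# constructed stand-in so the example runs offline, not a complete list.

PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):           # longest candidate suffix first
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            # A bare public suffix has nothing registrable above it.
            return suffix if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])           # unknown TLD: fall back to two labels


def dkim_aligned(header_from: str, dkim_d: str, adkim: str = "r") -> bool:
    """DMARC DKIM identifier alignment (RFC 7489 section 3.1.1).

    adkim="s": d= must equal the From: domain exactly.
    adkim="r": d= and the From: domain must share an organizational domain.
    """
    header_from = header_from.lower().rstrip(".")
    dkim_d = dkim_d.lower().rstrip(".")
    if adkim == "s":
        return header_from == dkim_d
    if adkim == "r":
        return organizational_domain(header_from) == organizational_domain(dkim_d)
    raise ValueError(f"unknown adkim mode {adkim!r}")


def dmarc_dkim_pass(header_from: str, dkim_d: str, signature_valid: bool, adkim: str = "r") -> bool:
    """What policy_evaluated/dkim reports: the signature must verify AND align."""
    return signature_valid and dkim_aligned(header_from, dkim_d, adkim)


if __name__ == "__main__":
    cases = [
        ("example.com", "mail.example.com"),     # table rows: passes relaxed, fails strict
        ("mail.example.com", "example.com"),     # reverse case: d= on the organizational domain
        ("example.com", "mailchimp.com"),        # ESP's own domain: fails both modes
        ("example.co.uk", "other.co.uk"),        # same public suffix is not the same organization
    ]
    for hf, d in cases:
        print(f"From: {hf:18} d={d:18} relaxed={dkim_aligned(hf, d, 'r')!s:5} strict={dkim_aligned(hf, d, 's')}")
```

The last case is why the Public Suffix List matters: a naive "last two labels" rule would treat example.co.uk and other.co.uk as the same organization and let an unrelated signer align.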

Root cause 1: DKIM signing domain mismatch (most common)

The most common cause of "DKIM passes, DMARC fails" is a third-party email service provider (ESP) signing your email with their domain instead of yours.

<!-- One <record> from an aggregate report: the signature is valid, but on the ESP's domain -->
<row>
  <policy_evaluated>
    <dkim>fail</dkim>   <!-- Fails alignment: mailchimp.com ≠ yourdomain.com -->
  </policy_evaluated>
</row>
<identifiers>
  <header_from>yourdomain.com</header_from>   <!-- The From: domain DMARC aligns against -->
</identifiers>
<auth_results>
  <dkim>
    <domain>mailchimp.com</domain>   <!-- ESP's domain (the d= tag), not yours -->
    <selector>k1</selector>
    <result>pass</result>            <!-- Signature is cryptographically valid -->
  </dkim>
</auth_results>

Diagnosis checklist

  • Open your DMARC report and find records where policy_evaluated/dkim = fail
  • Check the auth_results/dkim/domain field — is it your domain or an ESP domain?
  • If it is an ESP domain (mailchimp.com, mcsv.net, amazonses.com, etc.), alignment is the issue

Fix

Configure custom domain DKIM signing in your ESP. Every major ESP supports this:

  • Mailchimp: Settings → Domains → Authenticate Domain
  • SendGrid: Settings → Sender Authentication → Domain Authentication
  • HubSpot: Settings → Marketing Email → Email Sending Domain
  • Amazon SES: Configuration → Verified Identities → DKIM
  • Salesforce / Pardot: Admin → Email → DKIM Keys

After setup, your ESP gives you CNAME records to add to your DNS. They point the selector name under your domain (for example k1._domainkey.yourdomain.com) at a record the ESP controls, so the ESP can sign with d=yourdomain.com and rotate the key without further DNS changes on your side. Once the records resolve, DKIM alignment passes.

Root cause 2: Email forwarding breaks SPF and sometimes DKIM

When a recipient forwards mail server-side (an alias such as info@yourdomain.com → personal@gmail.com), the forwarding server re-sends the message from its own IP. That breaks SPF, because the forwarding IP is not in your SPF record. If the forwarder leaves the signed headers and the body untouched, the DKIM signature survives and DMARC still passes on aligned DKIM alone. If the forwarder modifies the message (adding footers, rewriting links, re-encoding the body), the body hash no longer matches, DKIM fails as well, and the message fails DMARC.

<!-- Forwarded message modified in transit: both fail -->
<source_ip>203.0.113.50</source_ip>   <!-- Forwarding server IP -->
<policy_evaluated>
  <dkim>fail</dkim>   <!-- Message body modified, signature broken -->
  <spf>fail</spf>     <!-- Forwarding IP not in your SPF -->
</policy_evaluated>
<auth_results>
  <dkim>
    <domain>yourdomain.com</domain>   <!-- Your own d=, so not an alignment problem -->
    <result>fail</result>             <!-- The raw signature check itself fails, unlike root cause 1 -->
  </dkim>
</auth_results>
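Why a modifying forwarder breaks DKIM, shown on the body hash. This is an added example and not code from the article: it implements DKIM relaxed body canonicalization (RFC 6376 section 3.4.4) and the bh= computation a verifier performs, then compares the hash for an untouched copy, a copy with harmless whitespace changes, and a copy with a footer appended. The message body and footer are constructed for this example. The signature also covers selected headers, which this example leaves out; a forwarder that rewrites a signed header such as From: (which DKIM requires to be signed) breaks the signature the same way.

```python
# Added example, not code from the DMARC Labs article: what a modifying forwarder
# does to the DKIM body hash. Relaxed body canonicalization follows RFC 6376
# section 3.4.4; the verifier recomputes bh= over the canonical body and rejects
# the signature when it differs from the bh= in the DKIM-Signature header.
# The message body and footer are constructed for this example.
import base64
import hashlib
import re

# Constructed body as the signer saw it: CRLF line endings, as on the wire.
ORIGINAL_BODY = "Hi team,\r\n\r\nThe Q3 report is attached.  \r\n\r\n-- \r\nAlice\r\n"


def relaxed_body_canon(body: str) -> bytes:
    """RFC 6376 relaxed body canonicalization.

    Collapse runs of SP/HTAB to one SP, drop trailing whitespace on every line,
    drop empty lines at the end, and terminate a non-empty body with CRLF.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    canon = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while canon and canon[-1] == "":
        canon.pop()
    if not canon:
        return b""
    return ("\r\n".join(canon) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """The bh= value: base64(SHA-256(canonical body)) for rsa-sha256 / ed25519-sha256."""
    return base64.b64encode(hashlib.sha256(relaxed_body_canon(body)).digest()).decode()


def dkim_body_intact(signed_bh: str, received_body: str) -> bool:
    """First thing a verifier checks: does the body still hash to the signed bh=?"""
    return body_hash(received_body) == signed_bh


def forward_with_footer(body: str, footer: str) -> str:
    """A forwarding alias or list server appending a disclaimer: a real content change."""
    return body + "\r\n" + footer + "\r\n"


def whitespace_mangled(body: str) -> str:
    """Transit changes relaxed canonicalization absorbs: tab/space runs and extra trailing blank lines."""
    return body.replace("  \r\n", " \t \r\n") + "\r\n\r\n"


if __name__ == "__main__":
    bh = body_hash(ORIGINAL_BODY)                    # what the signer put in bh=
    for label, received in [
        ("untouched forward", ORIGINAL_BODY),
        ("whitespace changed", whitespace_mangled(ORIGINAL_BODY)),
        ("footer appended", forward_with_footer(ORIGINAL_BODY, "Forwarded by info@example.com")),
    ]:
        print(f"{label:20} bh matches: {dkim_body_intact(bh, received)}")
```

Relaxed canonicalization is what makes a clean forward survive: whitespace reflow and trailing blank lines do not change bh=, but a single appended line does, and no amount of SPF or ARC on the forwarder's side can restore the original signature.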

Diagnosis checklist

  • Look for source IPs that belong to hosting providers or small email servers you do not recognize
  • Check whether auth_results/dkim/result is fail (not pass): forwarding that modifies the body invalidates the signature entirely, so this is a verification failure, not an alignment failure
  • Ask your users if they forward email to a personal account

Fix

Forwarding-induced failures are largely outside your control. Options:

  • Accept them. Forwarding failures are usually low-count and originate from recognizable mailbox providers; they say nothing about your own sending infrastructure, although under p=reject some forwarded copies will be rejected by receivers that do not honor ARC.
  • Encourage users to redirect rather than forward where their client offers it: a redirect resends the message with its original headers and body, so an intact DKIM signature can still align and pass.
  • Rely on ARC (Authenticated Received Chain) where available: major providers such as Google and Microsoft seal the authentication results they observed before forwarding, and a receiver that trusts the sealing intermediary can use those results to override the DMARC failure.

Root cause 3: Subdomain policy mismatch

If you send from a subdomain (e.g., From: noreply@mail.example.com) and your DMARC record is published only at the organizational domain (_dmarc.example.com), the subdomain inherits that record: the sp= tag sets the policy for subdomains, and when sp= is absent the p= value applies to them too. Alignment is evaluated against the From: domain, mail.example.com, so the DKIM d= must be mail.example.com itself or, under relaxed alignment, any domain with the same organizational domain.

With strict alignment (adkim=s), signing with d=example.com fails alignment for From: user@mail.example.com. With relaxed alignment (adkim=r), both share the organizational domain example.com and align.

Diagnosis checklist

  • Check whether your From: domain is a subdomain that differs from the DKIM signing domain
  • Check your DMARC record: is adkim=s? If so, either relax it to adkim=r or sign with a d= that matches the From: subdomain exactly
  • Verify that you do not have a separate DMARC record on the subdomain itself (_dmarc.mail.example.com) with a stricter adkim= or policy, and check the sp= tag on the organizational record

Fix

Switch to relaxed alignment unless you have a specific reason for strict. (One such reason: under adkim=r, a key delegated to a vendor for mail.example.com can also produce an aligned signature for From: addresses at example.com itself.) If you keep adkim=s, make each sending system sign with d= set to the exact From: domain instead. In your DMARC TXT record:

v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:dmarc@example.com

Root cause 4: DKIM selector missing or expired

DKIM public keys are published in DNS as TXT records under a selector name (selector._domainkey.domain). If the selector record was removed after a key rotation, was never created for the signing domain, or cannot be resolved, the verifier cannot fetch the public key, so the signature cannot be verified and both DKIM and DMARC fail.

This is different from alignment failure. In this case, you will see:

<auth_results>
  <dkim>
    <domain>yourdomain.com</domain>
    <selector>k1</selector>
    <result>permerror</result>   <!-- DNS lookup failed for selector -->
  </dkim>
</auth_results>

Diagnosis checklist

  • In your DMARC report, check auth_results/dkim/result: is it permerror (permanent, such as no key at the selector name) or temperror (DNS timed out, usually transient)?
  • Look up the selector in DNS manually:
    nslookup -type=TXT k1._domainkey.yourdomain.com
    (or: dig +short TXT k1._domainkey.yourdomain.com)
  • If it returns no record, the key was deleted or never created; if it returns a record whose p= tag is empty, the key was revoked
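Checking what the selector lookup actually returned. This is an added example, not code from the article: it takes the TXT strings returned for selector._domainkey.domain (what nslookup, dig, or a DNS library hands back) and classifies the record the way a verifier would treat it: missing, revoked (empty p=, per RFC 6376), syntactically broken, or usable. It also joins multi-string TXT answers, because keys longer than 1024 bits exceed the 255-byte string limit and a DNS panel that stores the pieces as separate records or cuts the value off produces exactly the permerror above. The records in the block, including the key bytes, are constructed placeholders and not real keys.

```python
# Added example, not code from the DMARC Labs article: classify what the
# selector lookup returned. Input is the list of TXT strings a resolver gives
# back for selector._domainkey.domain (empty list = no record). All records and
# the key bytes below are constructed placeholders, not real keys.
import base64
import binascii

# Placeholder "key": DER-looking bytes, not a real public key (66 bytes -> 88 base64 chars).
PLACEHOLDER_KEY_B64 = base64.b64encode(b"\x30\x82" + b"A" * 64).decode()

# Constructed DNS answers. Each value is the list of character-strings in one TXT RDATA;
# a 2048-bit key does not fit in one 255-byte string and is normally published as two.
CONSTRUCTED_ANSWERS = {
    "valid":     ["v=DKIM1; k=rsa; p=" + PLACEHOLDER_KEY_B64],
    "split":     ["v=DKIM1; k=rsa; p=" + PLACEHOLDER_KEY_B64[:40], PLACEHOLDER_KEY_B64[40:]],
    "spaced":    ["v=DKIM1; k=rsa; p=" + PLACEHOLDER_KEY_B64[:40] + " " + PLACEHOLDER_KEY_B64[40:]],
    "truncated": ["v=DKIM1; k=rsa; p=" + PLACEHOLDER_KEY_B64[:41]],   # panel cut the value off
    "revoked":   ["v=DKIM1; k=rsa; p="],                               # empty p= means revoked (RFC 6376)
    "missing":   [],                                                   # NXDOMAIN or no TXT at the name
}


def join_txt_strings(strings):
    """Verifiers concatenate the character-strings of one TXT RDATA with no separator."""
    return "".join(strings)


def parse_dkim_record(txt: str) -> dict:
    """tag=value list separated by ';'. Folding whitespace inside a value is ignored."""
    tags = {}
    for item in txt.split(";"):
        if not item.strip():
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = "".join(value.split())
    return tags


def check_dkim_record(strings):
    """Return (status, detail) describing how a verifier would treat this answer."""
    if not strings:
        return "missing", "no TXT record at the selector name; verifiers report permerror"
    tags = parse_dkim_record(join_txt_strings(strings))
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional but must be DKIM1 if present
        return "invalid", f"unexpected v={tags['v']}"
    if "p" not in tags:
        return "invalid", "no p= tag"
    if tags["p"] == "":
        return "revoked", "empty p=: key revoked, every signature with this selector fails"
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except binascii.Error as exc:
        return "invalid", f"p= is not valid base64 ({exc}); check for a truncated or mis-split TXT value"
    key_type = tags.get("k", "rsa")
    if key_type not in ("rsa", "ed25519"):
        return "invalid", f"unsupported k={key_type}"
    return "ok", f"{key_type} key, {len(key)} bytes of key data"


if __name__ == "__main__":
    for name, answer in CONSTRUCTED_ANSWERS.items():
        status, detail = check_dkim_record(answer)
        print(f"{name:10} {status:8} {detail}")
```

The "split" and "spaced" answers are both fine, because verifiers join the strings and drop whitespace inside the value; the "truncated" one is the case to look for when a report shows permerror on a selector you believe is published.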

Fix

Re-create or re-publish the DKIM key in DNS. Most email providers and ESPs have a settings section to regenerate DKIM keys and show the DNS record to publish. After publishing, wait for cached negative answers to age out of resolvers (up to the record's TTL, commonly quoted as 24 to 48 hours), then check your next DMARC report. When rotating keys, publish the new selector first, switch signing to it, and keep the old selector in DNS for as long as mail signed with it may still be in transit.

Root cause 5: p=reject or p=quarantine applied before alignment is fixed

If you moved to p=quarantine or p=reject before resolving alignment for every legitimate sender, those senders' mail is now quarantined or rejected even though its DKIM signatures are technically valid. The aggregate report shows DKIM passing in auth_results but failing in policy_evaluated, and the disposition is quarantine or reject.

Fix

Temporarily roll back to p=none, fix alignment for all failing senders, then re-advance your policy incrementally:

  1. Set p=none and collect reports for at least two weeks, long enough to see weekly and monthly senders
  2. Fix DKIM alignment for every sender with a meaningful message count
  3. Set p=quarantine; pct=10 so that quarantine applies to 10% of failing messages (pct has no effect under p=none)
  4. Increase pct gradually over 4 to 6 weeks to 100%
  5. Switch to p=reject once the aligned pass rate for your legitimate senders is stable above 95%; note that with p=reject and pct below 100, the unsampled remainder is treated as quarantine, not none

Quick diagnosis table

policy_evaluated dkim | auth_results dkim result | auth_results dkim domain | Root cause
fail | pass | esp-domain.com (not yours) | Alignment failure: ESP signing with its own domain
fail | fail | your domain | DKIM signature verification failure: key missing or rotated, or body modified in transit
fail | pass | subdomain of your domain | Strict alignment mismatch: relax to adkim=r or sign with d= equal to the From: domain
fail | permerror | your domain | DKIM selector missing from DNS
fail | pass | your domain | Rare: check the record's header_from (a From: subdomain with d= on the organizational domain fails under adkim=s) and look for a second dkim entry where the aligned signature failed while an unaligned one passed
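The quick-diagnosis table applied to a whole report. This is an added example and not the article's or DMARC Labs' code: it parses an aggregate report in the RFC 7489 Appendix C layout (the same record/row/identifiers/auth_results structure as the fragments in root causes 1 and 2), reads adkim from policy_published so the strict-mode rows are recognised, and labels every record whose policy_evaluated/dkim is fail with a root cause from the table. The embedded SAMPLE_REPORT, its IP addresses and counts are constructed for this example; the domain-relation check is a simplified DNS-tree comparison without the Public Suffix List.

```python
# Added example, not code from the DMARC Labs article: parse a DMARC aggregate
# report (RFC 7489 Appendix C layout) and apply the quick-diagnosis table to
# every record whose policy_evaluated/dkim is "fail". The report, IPs and
# counts below are constructed for this example, not real data.
import xml.etree.ElementTree as ET


def _record(ip, count, pe_dkim, header_from, dkims):
    """One constructed <record>; dkims is a list of (domain, selector, result)."""
    auth = "".join(
        f"<dkim><domain>{d}</domain><selector>{s}</selector><result>{r}</result></dkim>"
        for d, s, r in dkims
    )
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{pe_dkim}</dkim>"
            f"<spf>fail</spf></policy_evaluated></row>"
            f"<identifiers><header_from>{header_from}</header_from></identifiers>"
            f"<auth_results>{auth}</auth_results></record>")


SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><adkim>s</adkim>"
    "<aspf>r</aspf><p>none</p><pct>100</pct></policy_published>"
    + _record("198.51.100.10", 120, "fail", "example.com", [("mailchimp.com", "k1", "pass")])
    + _record("198.51.100.11", 8, "fail", "example.com", [("example.com", "s1", "fail")])
    + _record("198.51.100.12", 30, "fail", "example.com", [("mail.example.com", "s1", "pass")])
    + _record("198.51.100.13", 5, "fail", "example.com", [("example.com", "old", "permerror")])
    + _record("198.51.100.14", 500, "pass", "example.com", [("example.com", "s1", "pass")])
    + _record("198.51.100.15", 3, "fail", "example.com", [])
    + "</feedback>"
)


def _relation(dkim_domain, header_from):
    """exact, subdomain (one is below the other in the DNS tree) or unrelated.
    Simplified: no Public Suffix List, so co.uk-style suffixes are not special-cased."""
    d, h = dkim_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if d == h:
        return "exact"
    if d.endswith("." + h) or h.endswith("." + d):
        return "subdomain"
    return "unrelated"


def diagnose(header_from, dkim_results, adkim):
    """Map one failing record's auth_results to a root cause from the table above."""
    if not dkim_results:
        return "no DKIM signature present (unsigned, or signature header stripped)"
    related = [(d, r) for d, _, r in dkim_results if _relation(d, header_from) != "unrelated"]
    if any(r == "pass" for _, r in related):
        if adkim == "s" and all(_relation(d, header_from) != "exact" for d, r in related if r == "pass"):
            return "strict alignment mismatch: relax to adkim=r or sign with d= equal to From:"
        return "aligned signature passed: check header_from and other signatures in this record"
    if any(r in ("permerror", "temperror") for _, r in related):
        return "DKIM selector missing or unresolvable in DNS"
    if any(r == "fail" for _, r in related):
        return "DKIM signature verification failure: key rotated or body modified in transit"
    unaligned = [d for d, _, r in dkim_results if r == "pass"]
    if unaligned:
        return f"alignment failure: valid signature from third-party domain {unaligned[0]}"
    return "unclassified: " + ", ".join(f"{d}={r}" for d, _, r in dkim_results)


def analyze_report(xml_text):
    """Return (findings, totals): one finding per failing record, message counts per cause."""
    root = ET.fromstring(xml_text)
    adkim = root.findtext("policy_published/adkim", default="r")
    findings, totals = [], {}
    for rec in root.iter("record"):
        if rec.findtext("row/policy_evaluated/dkim") != "fail":
            continue
        dkims = [(d.findtext("domain"), d.findtext("selector"), d.findtext("result"))
                 for d in rec.findall("auth_results/dkim")]
        cause = diagnose(rec.findtext("identifiers/header_from"), dkims, adkim)
        count = int(rec.findtext("row/count"))
        findings.append({"source_ip": rec.findtext("row/source_ip"), "count": count, "cause": cause})
        totals[cause] = totals.get(cause, 0) + count
    return findings, totals


if __name__ == "__main__":
    for f in analyze_report(SAMPLE_REPORT)[0]:
        print(f"{f['source_ip']:>15}  {f['count']:>5}  {f['cause']}")
```

Records that already pass are skipped, and the totals are weighted by count rather than by record, which is what you want when deciding which sender to fix first: a single ESP record can represent thousands of messages.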
Tip: Upload your DMARC report to DMARC Labs to instantly see which source IPs are failing alignment, what their DKIM signing domain is, and how many messages are affected, without parsing raw XML.

Frequently asked questions

Why does DMARC fail even when DKIM passes?

A valid DKIM signature from the wrong domain, typically your ESP signing with its own domain instead of yours, passes the DKIM check but fails DMARC alignment. DMARC requires both: a valid signature and a signing domain that aligns with your From: domain.

Can an email fail DMARC even if both DKIM and SPF raw checks pass?

Yes. If DKIM passes for mailchimp.com and SPF passes for mcsv.net but your From: domain is example.com, both alignment checks fail. DMARC requires at least one of them to be aligned — not just technically valid.

Does email forwarding cause DMARC failures?

Yes. Forwarding breaks SPF because the forwarding server is not in your SPF record. If the forwarder also modifies the message, it breaks DKIM too; a forwarder that leaves the message untouched keeps the DKIM signature valid and DMARC still passes. ARC (Authenticated Received Chain) is the long-term fix, and major providers like Gmail and Outlook already honor it for forwarders they trust.


The fastest way to identify which specific senders are causing your DMARC failures is to analyze your DMARC report in DMARC Labs. It enriches each source IP with WHOIS data so you can immediately see which service is behind each failure — without manually looking up every IP address.

Ready to analyze your DMARC reports?

DMARC Labs processes large XML files entirely in your browser — no upload, no signup, no data retention. Supports files up to 100MB+.
