If some of your sources show an SPF alignment percentage close to 0%, there are several possible reasons:
- Your DMARC record has strict alignment enabled.
- Custom Envelope From/Return-Path is not enabled on your email service provider.
- The failing emails have been forwarded by the source.
Let’s go through them one by one.
Strict alignment in your DMARC record
If your DMARC record contains aspf=s (strict alignment), check whether there’s a misalignment between the Envelope From domain and your organizational/sender domain.
You can do that in the DMARCwise dashboard by choosing a source with SPF alignment issues and looking at the domain in the SPF column: if the SPF domain is a subdomain of your main domain, strict alignment will fail.
You have two options to fix this:
- Remove aspf=s to switch to relaxed alignment. Under relaxed alignment, a subdomain of your main domain counts as aligned, so SPF alignment will pass.
- Ensure that the emails you send have a strictly aligned Envelope From domain. This isn’t always possible.
Learn more about SPF and alignment in Introduction to SPF.
Enabling custom “Return-Path” or “Envelope From”
Some email providers may allow you to send emails from your domain while having an Envelope From that is shared among many customers.
To achieve SPF alignment in DMARC, the Envelope From domain must align with your sender/From domain.
Learn more about how and why SPF works with the Envelope From domain and not the sender domain.
To fix this, check whether your provider supports enabling a “custom Envelope From”, which is also often called “custom Return-Path” or “custom MAIL FROM”.
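The strict/relaxed distinction and the shared Envelope From case described above can be checked with a short script. This is an added example, not DMARCwise code: the function names are hypothetical, the domains are constructed samples, and the small PUBLIC_SUFFIXES set is an assumption standing in for the full Public Suffix List.

```python
# Added example: simplified SPF alignment check for DMARC.
# ASSUMPTION: PUBLIC_SUFFIXES is a tiny constructed stand-in for the real
# Public Suffix List, which production code should use instead.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def parse_dmarc(record):
    """Split a DMARC TXT record into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: assume a one-label TLD


def diagnose(from_domain, envelope_domain, dmarc_record):
    """Return (aligned, reason) for one From / Envelope From pair."""
    mode = parse_dmarc(dmarc_record).get("aspf", "r").lower()  # default: relaxed
    sender = from_domain.lower().rstrip(".")
    envelope = envelope_domain.lower().rstrip(".")
    if sender == envelope:
        return True, "exact match"
    if org_domain(sender) != org_domain(envelope):
        return False, "different organizational domain: needs a custom Envelope From"
    if mode == "s":
        return False, "subdomain mismatch under aspf=s"
    return True, "same organizational domain (relaxed)"


if __name__ == "__main__":
    # Constructed sample data using reserved example domains.
    cases = [
        ("example.com", "bounce.example.com", "v=DMARC1; p=reject; aspf=s"),
        ("example.com", "bounce.example.com", "v=DMARC1; p=reject"),
        ("example.com", "bounces.esp.example.net", "v=DMARC1; p=reject"),
        ("example.co.uk", "mail.example.co.uk", "v=DMARC1; p=none; aspf=r"),
    ]
    for sender, envelope, record in cases:
        print(sender, envelope, diagnose(sender, envelope, record))
```

The third case fails in both modes, which is why a shared Envelope From cannot be fixed by changing aspf alone.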
Email providers with partial or no support for SPF alignment
Some email providers have partial support for SPF alignment or don’t support it at all.
If you’re unable to fix SPF alignment with a specific email provider, unfortunately there isn’t much you can do, and you must rely solely on DKIM alignment to ensure DMARC alignment.
Some providers that are not capable of sending SPF-aligned emails are Mailchimp and Brevo, while others like HubSpot request a fee for that.
You can find practical information and instructions for the most popular email providers on DMARC.wiki, our directory of email providers and their DMARC compliance level.
Forwarded sources
If you don’t recognize a sending source or the above options aren’t applicable, it’s very likely that some or all emails from the source are the result of automated forwarding.
The reason is that DKIM alignment usually survives forwarding, while SPF or SPF alignment fails.
You can safely ignore authentication issues of forwarded emails.
You can learn more on how SPF and forwarding work together in this article.