Most ecommerce email teams know they need SPF, DKIM, and DMARC. Fewer know what domain alignment is — and it’s the gap between authentication that looks correct and authentication that actually protects your deliverability.
Here’s the version of this I see most often: a brand sets up Klaviyo, follows the onboarding steps, sees green checkmarks in the settings panel, and assumes authentication is done. Their SPF and DKIM records exist. But their emails are failing DMARC because the domains being authenticated don’t match the domain their subscribers see in the From field. That’s an alignment failure — and it compounds quietly over every send.
Domain Alignment — Technical Foundation
Study: InboxEagle’s 2.2M email analysis found DMARC-failing emails land in spam 1.84× more often (30.75% vs 16.7%).
What Domain Alignment Actually Means
Authentication and alignment are not the same thing — and treating them as interchangeable is where most brands go wrong.
SPF checks whether the server sending your email is authorized. DKIM checks whether the message was cryptographically signed. Both are binary — pass or fail. But neither checks whether those verifications belong to the domain your subscriber sees in their inbox.
That’s alignment’s job. DMARC requires that at least one of SPF or DKIM passes and that the domain it validates matches your visible From address. The “domain-based” in DMARC’s name isn’t decorative — it’s specifically about whether the From domain your subscribers see is the same domain that’s been authenticated.
When alignment fails, DMARC fails. And when DMARC fails, the inbox placement impact is immediate. InboxEagle’s 2.2 million email study found that DMARC-failing emails land in spam 30.75% of the time versus 16.7% for DMARC-passing emails — nearly double the spam rate. That gap traces directly back to alignment.
SPF Alignment vs. DKIM Alignment: One Matters More
Both SPF and DKIM have their own alignment checks, and they work differently.
SPF alignment checks the envelope From — the Return-Path domain used by servers behind the scenes — against your visible header From address. When your emails bounce, the Return-Path is where they go, and it’s typically your ESP’s domain, not yours. That means SPF alignment fails whenever the envelope and header From domains don’t match — which is routine with most ESPs.
DKIM alignment checks the d= domain in your DKIM signature against your visible From address. This is the more important of the two. Per Google’s own guidance, DKIM is the preferred alignment path specifically because the DKIM signature travels with the message. It survives email forwarding. SPF checks the sending server — and forwarded emails change servers, so SPF alignment frequently fails on forwarded mail regardless of original configuration.
The practical implication: DMARC only requires one of the two to align. If DKIM aligns, a failing SPF alignment doesn’t kill your DMARC pass. Focus your alignment effort on DKIM, not SPF.
Relaxed vs. Strict Alignment: Which One to Use
DMARC lets you choose between two alignment modes for each check. Most senders never think about this setting — but it determines whether your branded subdomain setup works at all.
| | Relaxed (Default) | Strict |
|---|---|---|
| What it requires | Same organizational domain | Exact domain match |
| Example: From = brand.com, DKIM d= mail.brand.com | ✅ Passes | ❌ Fails |
| Example: From = brand.com, DKIM d= brand.com | ✅ Passes | ✅ Passes |
| Example: From = brand.com, DKIM d= klaviyomail.com | ❌ Fails | ❌ Fails |
| Best for | Most ecommerce senders | Full-control transactional setups |
| DMARC record setting | aspf=r; adkim=r (default) | aspf=s; adkim=s |
Relaxed alignment is correct for almost every ecommerce sender. It’s what makes Klaviyo’s branded subdomain setup work: you send from you@brand.com, Klaviyo signs with d=mail.brand.com, and relaxed DKIM alignment passes. PowerDMARC’s analysis confirms the default DMARC record uses aspf=r; adkim=r for exactly this reason.
Don’t override to strict unless you’ve confirmed every sending source in your infrastructure uses the exact root domain in their authentication — which is rare in any setup involving third-party ESPs, transactional providers, or CRMs.
Note: Reaching p=quarantine or p=reject DMARC (which requires full alignment) is also the prerequisite for BIMI verified checkmarks in Gmail and Yahoo — a brand trust signal that’s worth the alignment work.
The Klaviyo Alignment Problem Most Brands Don’t Know They Have
Klaviyo’s default configuration signs outgoing mail with d=klaviyomail.com — not your brand’s domain. That’s a DKIM alignment failure on your brand domain for every send, and all sender reputation accrues to Klaviyo’s infrastructure instead of building equity in your domain.
The fix: switch to a branded sending domain in Klaviyo (Settings → Email → Sending Domains). Klaviyo then signs with your custom subdomain, which relaxed alignment reads as matching your brand.
Three Alignment Mistakes That Quietly Break Deliverability
1. Multiple ESPs sharing the same DKIM selector. If you’re using Klaviyo for marketing and a separate provider for transactional emails, make sure each uses a unique DKIM selector name (the s= tag in the signature, e.g., s=klaviyo2026). Shared selectors cause key rotation conflicts that produce intermittent DKIM failures — and intermittent failures are the hardest to diagnose because they don’t appear consistently.
2. Panicking about Return-Path mismatches. Many teams see the Return-Path in their email headers showing an ESP domain and assume something is broken. For SPF alignment, this does create a mismatch — but if DKIM alignment is passing, DMARC passes regardless. Don’t chase SPF alignment if DKIM is already clean. One passing alignment is enough. (Note: Microsoft’s Outlook enforcement added a third mailbox provider that explicitly checks this.)
3. Assuming records mean alignment. Having SPF, DKIM, and DMARC records published does not mean they’re aligned. The records can exist and authenticate correctly on your ESP’s domain while your brand domain gets zero DMARC credit. It’s the most common setup in ecommerce today, and it’s what the state of email authentication data shows: 94% of brands have records, far fewer have alignment working correctly on their own domain.
How to Verify Your Alignment Right Now
Send a test email from your live Klaviyo account to a Gmail address you control. Open the message, click the three-dot menu, and select “Show original.” In the raw headers, find the Authentication-Results line:
dkim=pass header.d=klaviyomail.com
If header.d shows your ESP’s domain instead of your brand domain, you have a DKIM alignment failure. A properly aligned setup looks like:
dkim=pass header.d=mail.yourbrand.com
That 30-second check tells you more about your alignment health than any dashboard. Run it after any ESP migration, any DKIM key rotation, or any time you add a new sending service. The email deliverability checklist includes this as part of a full authentication audit — and the complete deliverability guide covers where alignment fits in the broader foundation of inbox placement.
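The header check above, combined with the relaxed and strict rules from the alignment table, as an added example (not code from the original article or from Klaviyo). The sample header values, the receiver name `mx.example.net`, the selector `s1`, the `send.` subdomain and the short suffix set standing in for the Public Suffix List are assumptions.

```python
import re

# Assumption: a tiny stand-in for the Public Suffix List; a production check
# needs the full list to find organizational domains correctly.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed Authentication-Results values (hypothetical receiver and selector).
DEFAULT_SETUP = ("mx.example.net; dkim=pass header.d=klaviyomail.com header.s=s1; "
                 "spf=pass smtp.mailfrom=bounce@send.klaviyomail.com")
BRANDED_SETUP = ("mx.example.net; dkim=pass header.d=mail.brand.com header.s=s1; "
                 "spf=pass smtp.mailfrom=bounce@send.klaviyomail.com")

def org_domain(domain):
    """Return the organizational (registrable) domain of `domain`."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(auth_domain, from_domain, mode="r"):
    """DMARC identifier alignment: 'r' = relaxed, 's' = strict."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def check_alignment(auth_results, from_domain, adkim="r", aspf="r"):
    """Evaluate one Authentication-Results value against the visible From domain."""
    dkim_domains, spf_domain = [], None
    # Each method result is a ';'-separated clause, e.g. "dkim=pass header.d=x".
    for clause in auth_results.split(";"):
        m = re.match(r"\s*(dkim|spf)=(\w+)", clause)
        if not m or m.group(2) != "pass":
            continue  # only a passing result can contribute to alignment
        if m.group(1) == "dkim":
            # Some receivers report the signer as header.i=@domain instead of header.d.
            d = re.search(r"header\.(?:d=|i=[^\s@]*@)([\w.-]+)", clause)
            if d:
                dkim_domains.append(d.group(1))
        else:
            s = re.search(r"smtp\.mailfrom=(?:[^\s@]+@)?([\w.-]+)", clause)
            if s:
                spf_domain = s.group(1)
    dkim_ok = any(aligned(d, from_domain, adkim) for d in dkim_domains)
    spf_ok = spf_domain is not None and aligned(spf_domain, from_domain, aspf)
    # DMARC needs only one aligned, passing mechanism.
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok}
```

With `BRANDED_SETUP` and a From domain of `brand.com`, the result passes under relaxed DKIM alignment and fails when `adkim="s"` is passed, matching the first row of the table.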
Reading DMARC Aggregate Reports to Diagnose Alignment at Scale
For high-volume senders, the raw Gmail test catches point-in-time alignment, but DMARC aggregate reports (rua) show you alignment failures across your full sending infrastructure. If you’ve configured DMARC reporting (which you should have), you receive daily XML reports from ISPs showing every sending source and whether it passed or failed alignment.
Look for the dkim element in the report XML:
<policy_published>
  <adkim>r</adkim>
</policy_published>
<auth_results>
  <dkim>
    <domain>mail.yourbrand.com</domain>
    <result>pass</result>
  </dkim>
</auth_results>
If you see multiple <domain> entries with different values — like mail.yourbrand.com, klaviyomail.com, and a transactional provider’s domain — that’s a sign you have multiple sending sources. Each one needs its own DKIM alignment to your brand, or you need to consolidate signing to a single subdomain. This is particularly common when you layer marketing automation + transactional mail + abandoned cart flows across different platforms.
Brands with 3+ sending services often find alignment failures on one or two sources while others pass — the aggregate report reveals which sending source is the problem.
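One way to pull the problem sources out of an aggregate report, as an added example (not code from the original article). It assumes the RFC 7489 report layout without an XML namespace; the embedded report, IP addresses and counts are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report, trimmed to the fields used below.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourbrand.com</domain><adkim>r</adkim><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>940</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.com</header_from></identifiers>
    <auth_results><dkim><domain>mail.yourbrand.com</domain><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>60</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.com</header_from></identifiers>
    <auth_results><dkim><domain>klaviyomail.com</domain><result>pass</result></dkim></auth_results>
  </record>
</feedback>"""

def unaligned_sources(report_xml):
    """Return {(source_ip, signing_domain): message_count} for mail whose DKIM
    signature verified but did not align with the From domain."""
    # Reports come from external parties: for untrusted input, prefer
    # defusedxml.ElementTree.fromstring, which has the same call shape.
    root = ET.fromstring(report_xml)
    out = defaultdict(int)
    for rec in root.iter("record"):
        row = rec.find("row")
        # policy_evaluated/dkim is the DMARC verdict: pass only if a
        # signature verified AND its domain aligned with header_from.
        if row.findtext("policy_evaluated/dkim") == "pass":
            continue
        for sig in rec.findall("auth_results/dkim"):
            # auth_results/dkim/result is the raw signature check, before alignment.
            if sig.findtext("result") == "pass":
                key = (row.findtext("source_ip"), sig.findtext("domain"))
                out[key] += int(row.findtext("count"))
    return dict(out)
```

Each key in the result is a sending source that authenticates correctly on a domain other than your brand's, which is the "records exist but don't align" case described earlier.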
What Changed in 2025–2026: Why Alignment Enforcement Has Accelerated
Alignment went from “recommended practice” to enforcement requirement. Here’s what shifted:
Google’s 2024 requirements are fully enforced — All bulk senders were required to pass DMARC by February 2024 (deadline met). Google now explicitly evaluates DKIM alignment pass rates in Postmaster Tools and factors them into Gmail’s spam filtering. Google’s Email Sender Guidelines specify that DKIM alignment is the preferred authentication path.
Microsoft joined in May 2025 — Outlook now enforces SPF, DKIM, and DMARC for all bulk senders (>5,000 emails/day). This extends alignment requirements beyond Gmail to 300M+ Outlook/Hotmail users. Microsoft’s bulk sender requirements guide covers the full enforcement timeline.
Google Postmaster Tools v2 — The reputation score cards (High/Medium/Low) were retired in September 2025. The new Compliance Dashboard shows alignment pass/fail rates directly, making it impossible to ignore: you now see exactly what percentage of your mail authenticates on your brand domain vs. your ESP’s domain. The Google Postmaster Tools guide walks through the new interface.
BIMI as the alignment milestone — Brands that achieve p=quarantine or p=reject DMARC (which requires full alignment) now qualify for BIMI verified checkmarks in Gmail and Yahoo. BIMI adoption accelerated through 2025 as a brand trust signal, which means alignment went from infrastructure detail to competitive differentiator. The BIMI and compliance certificates guide covers the prerequisites.
The practical implication: alignment isn’t optional anymore. It’s the price of admission to mainstream mailbox provider infrastructure.
The Bottom Line
Domain alignment is the step that turns authentication from a compliance checkbox into a reputation asset. Most ecommerce brands have the records. Getting them to align on the domain their subscribers actually see is what closes the gap.
- Authentication ≠ alignment — SPF and DKIM can pass on your ESP’s domain while your brand domain fails DMARC entirely
- DKIM alignment is what matters most — it survives email forwarding, travels with the message, and is what Gmail and Yahoo primarily evaluate
- Relaxed alignment is correct for most ecommerce senders — mail.brand.com DKIM aligns with brand.com From; no exact match required
- Klaviyo’s default setup doesn’t align on your brand domain — branded sending domain is a 10-minute DNS fix with compounding reputation benefit
- One passing alignment is enough — DMARC passes if DKIM aligns, even if SPF doesn’t; Return-Path mismatches aren’t the problem
- Check the raw headers — it’s the only way to know with certainty what domain your delivered emails are authenticating under
Sources
- Klaviyo Help Center — Understanding Email Authentication
- PowerDMARC — DMARC Alignment Explained: Strict vs. Relaxed
- Valimail — What Is DMARC Alignment?
- Google Email Sender Guidelines
- dmarcian — DMARC Alignment
Note: Content created with the help of AI and human-edited and fact-checked to avoid AI hallucinations.