---
title: "Why an email sent by a third-party vendor passed SPF/DKIM checks but failed the DMARC check? | DuoCircle"
description: "Why an email sent by a third-party vendor passed SPF/DKIM checks but failed the DMARC check?"
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/dmarc/why-email-from-third-party-vendor-pass-spf-dkim-but-fail-dmarc/"
---

Quick Answer

An email can pass SPF and DKIM individually but still fail DMARC because DMARC adds identifier alignment on top. SPF checks the RFC5321.MailFrom domain and DKIM checks its d= signing domain, but DMARC requires that one of those domains also align with the visible From-header domain. In strict mode the domains must match exactly; in relaxed mode they only need to share an organizational domain. So if a vendor sends as manufacturernewsletter.com on behalf of manufacturer.com, SPF and DKIM can pass against the vendor domain while DMARC fails because nothing aligns with the From-header. Fix it by signing with a DKIM key under your own domain (vendor handles a CNAME) or by setting the Return-Path to a subdomain of yours that authorizes the vendor in SPF.

# Why an email sent by a third-party vendor passed SPF/DKIM checks but failed the DMARC check?


![Email sent by a third-party](https://media.mailhop.org/duocircle/images/2024/07/Office-365-to-Office-365-migration-6824.jpg) 

[DMARC](/email/dmarc) helps prevent [spoofed emails](https://www.csoonline.com/article/655217/microsoft-american-express-most-spoofed-brands-in-financial-services-phishing-emails.html) from bypassing [spam filtering](/email/spam-filtering), but it’s just one part of a broader **anti-spam strategy**. Not all DMARC reports are equal; some show detailed recipient responses, while others only indicate success or failure. _Understanding why a message failed is as important as knowing if it did_.

When SPF is used, the receiver **checks the domain** in the [RFC5321.MailFrom](https://www.easy365manager.com/rfc-5321-and-rfc-5322/) address (also called the “Return-Path”) to find the [SPF record](/content/spf-records). After a successful SPF check, the receiver gets an “Authenticated Identifier,” which is the RFC5321.MailFrom domain.

This article will explore **why DMARC fails** for third-party email senders.

[![spam filtering](https://media.mailhop.org/duocircle/images/2024/07/Spam-Filtering-Statistics.jpg)](https://media.mailhop.org/duocircle/images/2024/07/Spam-Filtering-Statistics.jpg)

## Why does DMARC fail for emails sent by third-party vendors?

If third-party vendors associated with your business need to send emails on your behalf, then you **must enable SPF, DKIM, and DMARC** for your email-sending domain. There are two ways to do this: either you ask your vendor to handle [email authentication](/resources/email-authentication) on your behalf, or you handle everything yourself.

If emails sent from the [Gmail domain](/email-security/how-to-fix-the-550-5-7-26-unauthenticated-sender-error-in-gmail/) are failing the DMARC check, check whether your SPF record includes **\_spf.google.com**. _Without it, receiving servers may not recognize Gmail as your authorized sending source, causing emails to fail the DMARC check altogether._

We have listed below another possible reason for this failure.

### Identifier alignment issue

Identifier alignment is a relatively new DMARC element that requires the domain in the [‘From’ header of an email](https://www.gmass.co/blog/email-header/) to match or align with the domain used in the SPF and/or DKIM authentication checks. There are two alignment modes: **strict and relaxed**.

If you have applied strict alignment, then the domain in the “From” header **must exactly match** the domain in the [SPF](/content/spf-record-check) “Mail From” or the DKIM `d=` domain.

With relaxed alignment, the two domains only need to share the same organizational domain: the domain in the “From” header **can be a subdomain** of the domain used in SPF or [DKIM](/resources/what-is-dkim), or vice versa.

> _Identifier alignment is **necessary** because anyone can set up SPF and DKIM for any email._

For example, a [threat actor](https://www.scmagazine.com/news/fbi-warns-of-email-spoofing-by-north-korean-threat-actor-kimsuky) could create the domain personal.net to spoof emails from manufacturer.com, and even if SPF and DKIM pass, it **doesn’t mean the email is genuinely** from manufacturer.com.

Email receivers **can’t keep track** of which domains are associated with each other; they need to process emails quickly without working out those relationships. For instance, if your email service provider uses “manufacturernewsletter.com” for SPF and DKIM while sending emails for manufacturer.com, receivers can’t tell whether manufacturernewsletter.com is legitimate, a [phishing site](https://www.theguardian.com/technology/2024/apr/18/students-turning-to-cyberfraud-as-huge-phishing-site-infiltrated-police-reveal), or related to manufacturer.com.

_Identifier alignment ensures that email authentication technologies are **relevant to the actual content** of the email._
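The alignment check described in this section, written out as an added example (it is not code from this article's author or from any mail receiver). `PUBLIC_SUFFIXES` is a small constructed stand-in for the Public Suffix List, and the `Message` fields, function names and sample messages are illustrative assumptions; `aspf` and `adkim` are the DMARC record tags that select strict (`s`) or relaxed (`r`) mode.

```python
from dataclasses import dataclass

# Assumption: tiny stand-in for the Public Suffix List, enough for the
# sample domains below. A real receiver uses the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain: str) -> str:
    """Organizational domain = longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # unknown suffix: keep last two labels

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode 's': exact match; mode 'r': same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

@dataclass
class Message:
    header_from: str   # domain in the visible From header
    mail_from: str     # RFC5321.MailFrom (Return-Path) domain checked by SPF
    spf_pass: bool
    dkim_d: str        # d= domain of the DKIM signature
    dkim_pass: bool

def dmarc_eval(msg: Message, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes if SPF or DKIM both passes AND aligns with the From domain."""
    spf_ok = msg.spf_pass and aligned(msg.header_from, msg.mail_from, aspf)
    dkim_ok = msg.dkim_pass and aligned(msg.header_from, msg.dkim_d, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample messages, all with From: ...@manufacturer.com
VENDOR_DEFAULT = Message("manufacturer.com", "manufacturernewsletter.com", True,
                         "manufacturernewsletter.com", True)
OWN_DKIM_KEY = Message("manufacturer.com", "manufacturernewsletter.com", True,
                       "manufacturer.com", True)
OWN_RETURN_PATH = Message("manufacturer.com", "bounce.manufacturer.com", True,
                          "manufacturernewsletter.com", True)

if __name__ == "__main__":
    for name, msg in [("vendor default", VENDOR_DEFAULT),
                      ("DKIM under own domain", OWN_DKIM_KEY),
                      ("Return-Path on own subdomain", OWN_RETURN_PATH)]:
        print(f"{name:30} relaxed={dmarc_eval(msg)['dmarc']} "
              f"strict={dmarc_eval(msg, aspf='s', adkim='s')['dmarc']}")
```

The Return-Path fix only aligns in relaxed mode, because `bounce.manufacturer.com` is not an exact match for `manufacturer.com`; a domain publishing `aspf=s` needs the DKIM fix instead.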

[![Email spoofing](https://media.mailhop.org/duocircle/images/2024/07/dkim-selector-3.jpg)](https://media.mailhop.org/duocircle/images/2024/07/dkim-selector-3.jpg)

## We can help

We at **DuoCircle** are dedicated to bolstering [email security](/) for domain owners so that they can dodge [email-based cyber menaces](https://www.edgemiddleeast.com/security/revealed-email-attacks-surged-by-222-in-2023). [Contact us](/contact) to avoid [DMARC failures](/dmarc/causes-and-solutions-of-dmarc-failures/) due to folly or genuine technical issues. We take care of everything for you.


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

