DMARC (Domain-based Message Authentication Reporting and Conformance) is an authentication mechanism layered on top of SPF and DKIM and is set up to verify if the address in the "From" header is the actual sender of the message. It allows domain owners to tell the recipients how they need to handle the unauthorized use of their email domains thereby protecting their domain.

How does DMARC work?


It works by aligning the domain in the "From" header with the domain validated by SPF or the one present in the DKIM signature. Alignment means that the ‘From’ domain should match with at least one of them. 

To be specific, for DKIM, this means that the domain used to create the signature (look for the "d" parameter in your email's DKIM signature) should match the ‘From’ header.

For SPF, this is the domain in the MAIL FROM portion of SMTP or the EHLO/HELO domain, or both. These may be different domains, and they are typically not visible to the end-user. Most of the time the ‘Return-Path’ header is used for this.

It authenticates if either SPF, DKIM, or both the alignment checks pass. Based on the alignment rules, it is possible that SPF and DKIM authentication themselves pass, but DMARC fails because the domains are not matching as per the policy defined by you.


If you set up a relaxed policy, you'll be fine if they match partially (domain-subdomain). If the policy is strict, the match has to be exact.

What type of a DMARC policy can you set?

DMARC is a text entry that has to be defined and added by the domain owner in DNS records and cannot be added by Freshservice for you. However, to help you understand how alignment will work after completing SPF and DKIM email authentication, here’s an example: 

Custom domain name:

SPF Return-Path address =

"d" parameter in DKIM Signature =

From address:

As you can see, you can set up a strict alignment policy for DKIM because the domain name matches exactly with the “From” address domain. Similarly, you can set up a relaxed policy for SPF alignment for SPF checks to pass. Since DMARC depends on one of them to pass, you should be able to send DMARC-compliant emails without trouble.