Google, Alignment and DMARC

laura
March 11, 2025
Best practices

Google has been making a number of changes to their systems over the last few weeks. Folks are seeing a lot of changes in Google postmaster tools and they’re seeing changes in how Google is displaying headers in the “show original” tab.

One thing that some folks were seeing is a message that says:

A screenshot from "Show Original" at google that says:
<p>SPF: Pass with IP 104.224.223.158
DKIM: 'Pass: with domain wordtothewise.com
Alignment: The From header Laura Atkins <laura@carrotcafe.com> does not match the DKIM domain wordtothewise.com. Be careful with this message as the sender may be spoofing the From header identity. " class=“wp-image-17126” srcset="/2025/03/google-alignment-and-dmarc/image-1.png 1660w, /2025/03/google-alignment-and-dmarc/image-1-300x56.png 300w, /2025/03/google-alignment-and-dmarc/image-1-450x84.png 450w, /2025/03/google-alignment-and-dmarc/image-1-150x28.png 150w, /2025/03/google-alignment-and-dmarc/image-1-768x143.png 768w, /2025/03/google-alignment-and-dmarc/image-1-1536x287.png 1536w, /2025/03/google-alignment-and-dmarc/image-1-720x134.png 720w, /2025/03/google-alignment-and-dmarc/image-1-580x108.png 580w, /2025/03/google-alignment-and-dmarc/image-1-320x60.png 320w" sizes=“auto, (max-width: 1660px) 100vw, 1660px”/></figure></p>
<p>This “Alignment” description replaced the DMARC verdict in the header. The interesting thing here is that while DKIM doesn’t align, SPF does pass and so the message technically passed DMARC. </p>
<p>Mike J. on the emailgeeks slack channel mentioned that he noticed that this only seemed to happen when there wasn’t a DMARC policy published for the domain. Well, I can test that! I have multiple domains that do align with SPF, don’t align with DKIM and don’t have current DMARC policies. </p>
<p>We published a DMARC p=none policy for carrotcafe.com and I repeated the test send. </p>
<figure class=

A screenshot from "Show Original" at google that says:
<p>SPF: Pass with IP 104.224.223.158
DKIM: 'Pass: with domain wordtothewise.com
DMARC: 'Pass'" class=“wp-image-17129” srcset="/2025/03/google-alignment-and-dmarc/image-3.png 1686w, /2025/03/google-alignment-and-dmarc/image-3-300x47.png 300w, /2025/03/google-alignment-and-dmarc/image-3-450x70.png 450w, /2025/03/google-alignment-and-dmarc/image-3-150x23.png 150w, /2025/03/google-alignment-and-dmarc/image-3-768x119.png 768w, /2025/03/google-alignment-and-dmarc/image-3-1536x239.png 1536w, /2025/03/google-alignment-and-dmarc/image-3-720x112.png 720w, /2025/03/google-alignment-and-dmarc/image-3-580x90.png 580w, /2025/03/google-alignment-and-dmarc/image-3-320x50.png 320w" sizes=“auto, (max-width: 1686px) 100vw, 1686px”/></figure></p>
<p>So, yeah, that’s pretty definitive. The “alignment” warning pops up when DKIM doesn’t align and when there is no DMARC record published in DNS. If there is a DMARC record published in DNS, then the DMARC results take precedence. </p>
<p>Of course, as a scientist I would be remiss if I didn’t point out what I didn’t test. The conditions I don’t have the ability to test right now are DKIM aligned and passing with no DMARC record. My hypothesis / gut feel is that it would say DMARC pass, but without running the test I can’t say that’s what is happening. </p>
<p>Word of caution, though. These displays and reports do seem to be a bit buggy. Another email geek posted a screenshot that showed DKIM passing and aligned but also with the Alignment warning. In this case the alignment warning said “The From header of @email.example.com does not match DKIM domain email.example.com.” Which is clearly wrong. That message was double DKIM signed, by the customer and by the ESP domain, so it’s possible that there is a bug that needs to be fixed by the developers. </p>
<p>Overall, I think Google is testing how they’re displaying things specifically to the email deliverability space. Most folks don’t look at the “original display” for their emails. I’d even wager the vast majority of folks who do look at this are in deliverability, email, security or some other technology adjacent field. This is something they’re working out how best to show information.</p>
<p>One important thing to remember: the actual headers of these messages show the messages are correctly authenticated. Also, there seem to be no deliverability consequences (yet!) to the lack of alignment. Currently this is a display issue only. I think it does indicate that Google are serious about expecting folks to have DMARC records, even if they’re p=none. I also think it’s telling that they are putting much more value on DKIM passing and they’re ignoring SPF passing in the instance of no DMARC record. </p>
<p>I’ve been saying for more than a year that deliverability is in an era of upheaval and change and I think this is another example of it. We’re not sure what Google is doing, nor what it means. We just need to be a bit patient and keep our eyes open for what’s going on. I do expect it’s going to be a little longer before things settle down. But that’s OK, we’ve done this before, we can do it again.</p>
<p></p>

</div>
<div class=

Setting up a smarthost

Do spamtraps exist?

Should you publish DMARC?

laura
Feb 17, 2016

Industry

I’ve been hearing a lot lately about DMARC. Being at M³AAWG has increased that. Last night we were at dinner and heard from the next table “And they’re not even publishing DMARC!!!!”
I know DMARC is the future. I know folks are going to have to start publishing DMARC records. I also know that the protocol is the future. I am also not sure that most companies are ready for DMARC.
So lets take a step back and talk about DMARC, what it is and why I’m still a little hesitant to jump on the PUBLISH DMARC NOW!! bandwagon.

laura
Apr 8, 2016

Industry

Dear Laura,
I’m a little confused by the term “no auth / no entry”. Gmail and other major receivers seem to be moving towards requiring authentication before they’ll even consider delivery.
Does this just mean SPF and DKIM, or does this mean the much more stringent DMARC, as well?
Thanks,
No Shirt, No Shoes, No What Now?

laura
Jan 8, 2020

At the end of last year, Steve wrote a post about the different types of authentication. I thought I’d build on that and write about the costs associated with each type. While I know a lot of my readers are actually on the sending side, I’m also going to talk about the costs associated with the receiving side and a little bit about the costs for intermediaries such as CRM systems or ESPs.

Google, Alignment and DMARC

Related Posts

Should you publish DMARC?

Ask Laura: Can you help me understand no auth / no entry?

Cost of authentication

Google, Alignment and DMARC

Share :

Related Posts

Should you publish DMARC?

Ask Laura: Can you help me understand no auth / no entry?

Cost of authentication