Picture two locks on a front door. One is a deadbolt, one is a knob lock. A visitor only needs one of them keyed correctly to get in. That is how DMARC works today. Either SPF aligns or DKIM aligns and the message passes.
Now picture a scenario where the homeowner decides both locks need to work. The same key must open both. That is where the industry is heading with DMARC, and most senders have no idea.
The Quiet Policy Shift at the Top of the Stack
I started noticing anomalies in client aggregate reports about eighteen months ago. Gmail was delivering messages that should have passed DMARC, but scoring them as if they had not. When I looked at the raw data, there was a pattern. Messages with only SPF alignment were getting treated differently from messages with both SPF and DKIM alignment. Nothing in the public documentation explained this.
Then in late 2025, Yahoo began publishing signal data in their sender hub that made the scoring explicit. Messages with dual alignment got a positive reputation bump. Messages with only SPF alignment got flagged as "forward-susceptible." Our breakdown of Yahoo Sender Hub versus Google Postmaster Tools covers how each platform surfaces this, but the signal is the same: SPF alone is becoming second-class authentication.
The DMARC RFC has not changed. Technically, a message with only SPF alignment still passes. Practically, the major receivers are treating that pass as weaker than a message with both aligning. Do not expect an announcement. Expect a slow squeeze over the next eighteen months where your deliverability drops by a few percentage points each quarter if you rely only on SPF.
Why SPF Alignment Is the Weaker Signal
SPF checks whether the sending IP is authorized by the SPF record of the domain in the Return-Path (the envelope sender). DMARC alignment then requires that this Return-Path domain match the From domain, either exactly (strict mode) or at the organizational-domain level (relaxed mode).
Three things break SPF in the real world. First, forwarding. When a user forwards a message, the forwarding server becomes the new sender. Unless that server is listed in your SPF, SPF fails. Second, SPF record complexity. SPF has a 10 DNS lookup limit. Organizations with multiple senders blow through that easily and end up with permerror results. Third, ESP shared pools. If your ESP sends through a shared IP range and you are using a sender address at your root domain, alignment can break depending on how the ESP configures the Return-Path.
DKIM, by contrast, is a cryptographic signature on the message itself. It travels with the email. Forwarding does not strip it. Complex DNS setups do not affect it. Shared IP pools are irrelevant because DKIM is tied to the signing domain, not the sending IP. That is why receivers trust DKIM alignment more than SPF alignment.
The Forwarding Problem
The single biggest reason the industry wants both SPF and DKIM aligning is forwarding. The receiver cannot tell whether a forwarded message was legitimate or spoofed using SPF alone because SPF naturally fails on forward. DKIM survives forwarding in most cases. A receiver that sees DKIM alignment can say with confidence that the message was originally authenticated even if SPF now fails. A receiver that sees only SPF alignment has to assume the message did not forward and cannot vouch for its origin.
This matters because forwarding is everywhere. Corporate email aliases forward to personal Gmail. Distribution lists relay messages through mailing list servers. Security gateways rewrite headers as part of their scanning. Every one of these operations can break SPF while preserving DKIM. A domain that relies only on SPF for DMARC alignment is handing the receiver a signal that fails exactly when the message is most likely to look suspicious.
I had a nonprofit client last year where 12 percent of their email volume was going to members who had forwarded their work email to personal Gmail. SPF was failing on every one of those messages. DKIM was passing because we had it configured correctly. DMARC passed because either one is enough today. But in the Gmail dashboards, we could see that these forwarded messages were getting a 0.3 percentage point lower open rate than messages delivered directly. Same content. Same subject lines. The only difference was which authentication method aligned.
What Dual Alignment Actually Looks Like
Dual alignment means both of the following are true for a given message:
- The Return-Path domain (SPF) aligns with the From domain.
- The DKIM d= signing domain aligns with the From domain.
Both SPF and DKIM can be aligned "relaxed" (matching the organizational domain) or "strict" (matching exactly). Most deployments use relaxed alignment. Achieving dual alignment with relaxed mode is usually straightforward if you are running your own DNS and using a properly configured ESP.
The ESPs that make this hard are the ones that default to sending with their own domain in the Return-Path and signing with a DKIM key on their own domain. You end up with something like bounces@esp-example.com in the Return-Path and d=esp-example.com in the DKIM signature. Neither aligns with your From domain of news@yourcompany.com. Both SPF and DKIM pass for the ESP, but DMARC fails because neither identifier aligns with the visible From address.
The fix is custom domain configuration. Every reputable ESP offers this: Mailgun, SendGrid, Postmark, Mailchimp, Klaviyo, Customer.io, Braze, and the rest. You add DNS records that let the ESP send through bounces.yourcompany.com and sign with d=yourcompany.com. Both align with your From domain. Both contribute to DMARC.
If you are running a single ESP with proper custom domain setup, dual alignment is your default. If you are running multiple ESPs or have not done custom domain configuration, you have work ahead.
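To make the alignment rules concrete, here is an added example (not code from the original post) that evaluates SPF and DKIM alignment for one message under relaxed and strict mode, walking through the ESP-default case above, the custom-domain fix, a strict aspf setting, and a forwarded message. The organizational-domain helper is a deliberate simplification that keeps the last two DNS labels; a real verifier consults the Public Suffix List.

```python
# Added example (not from the original post): DMARC identifier alignment for one
# message, showing why an ESP default (Return-Path and d= on the ESP's domain)
# fails and why a custom domain gives dual alignment. ASSUMPTION: org_domain()
# keeps the last two labels; a real evaluator consults the Public Suffix List.
from typing import Optional


def org_domain(domain: str) -> str:
    """Approximate organizational domain (wrong for suffixes like co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """DMARC alignment: mode 's' (strict) needs an exact match, 'r' (relaxed)
    only needs the same organizational domain."""
    f, a = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate(header_from: str, return_path: str, spf_pass: bool,
             dkim_d: Optional[str], dkim_pass: bool,
             aspf: str = "r", adkim: str = "r") -> dict:
    """Combine raw SPF/DKIM results with alignment the way a DMARC verifier does.
    DMARC passes if either identifier is authenticated and aligned; 'dual'
    is the stronger condition this post is about."""
    spf_aligned = bool(spf_pass and aligned(header_from, return_path, aspf))
    dkim_aligned = bool(dkim_pass and dkim_d and aligned(header_from, dkim_d, adkim))
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned,
            "dual": spf_aligned and dkim_aligned}


# From: news@yourcompany.com; SPF and DKIM both pass, but for the ESP's domain.
ESP_DEFAULT = evaluate("yourcompany.com", "esp-example.com", True, "esp-example.com", True)
# Same ESP after custom-domain setup: bounces.yourcompany.com / d=yourcompany.com.
CUSTOM_DOMAIN = evaluate("yourcompany.com", "bounces.yourcompany.com", True, "yourcompany.com", True)
# Strict aspf: the bounce subdomain no longer aligns, so DMARC rides on DKIM alone.
STRICT_SPF = evaluate("yourcompany.com", "bounces.yourcompany.com", True, "yourcompany.com", True, aspf="s")
# Forwarded by a host not in the SPF record: SPF fails, DKIM still carries DMARC.
FORWARDED = evaluate("yourcompany.com", "bounces.yourcompany.com", False, "yourcompany.com", True)
```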
Checking Your Current Alignment Status
You do not need to guess whether you have dual alignment. Aggregate reports tell you directly. Every report includes per-source data showing whether SPF aligned, whether DKIM aligned, and whether DMARC overall passed.
Open your DMARC parser. Filter to the last 30 days. For each source IP that represents legitimate mail, check three numbers:
- Percent of messages with SPF pass and SPF alignment.
- Percent of messages with DKIM pass and DKIM alignment.
- Percent of messages with both.
The third number is your dual alignment rate per source. If your marketing ESP shows 99 percent SPF alignment but only 60 percent DKIM alignment, you have a DKIM setup problem. Probably your ESP is still signing with its default domain.
A healthy dual alignment rate is above 95 percent per legitimate source. Anything below 90 percent is a meaningful gap that will cost you deliverability as receivers weight the signal more heavily.
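The three numbers above can be pulled straight out of the aggregate report XML. This added example (not code from the original post) parses a constructed RUA report in the RFC 7489 layout and computes per-source SPF, DKIM and dual alignment rates, flagging any source under the 95 percent threshold; the sample data reproduces the 99 percent SPF / 60 percent DKIM pattern of an ESP still signing with its own domain.

```python
# Added example (not from the original post): per-source alignment rates from a
# DMARC aggregate (RUA) report. Inside <policy_evaluated>, <spf> and <dkim>
# are the DMARC-aligned results, so "pass" there means authenticated AND aligned.
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 layout (identifiers/auth_results
# elements omitted for brevity). Source .10 is an ESP still signing with its
# own domain; source .20 loses SPF on a slice of forwarded mail.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback><report_metadata><org_name>example-receiver</org_name></report_metadata>
  <record><row><source_ip>198.51.100.10</source_ip><count>600</count><policy_evaluated>
    <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.10</source_ip><count>390</count><policy_evaluated>
    <disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.10</source_ip><count>10</count><policy_evaluated>
    <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.20</source_ip><count>970</count><policy_evaluated>
    <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.20</source_ip><count>30</count><policy_evaluated>
    <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def alignment_by_source(report_xml: str, threshold: float = 95.0) -> dict:
    """Return {source_ip: {spf_pct, dkim_pct, dual_pct, flag}} for one report."""
    counts = {}
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        n = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        spf_ok = evaluated.findtext("spf") == "pass"
        dkim_ok = evaluated.findtext("dkim") == "pass"
        c = counts.setdefault(ip, {"total": 0, "spf": 0, "dkim": 0, "dual": 0})
        c["total"] += n
        c["spf"] += n if spf_ok else 0
        c["dkim"] += n if dkim_ok else 0
        c["dual"] += n if (spf_ok and dkim_ok) else 0
    result = {}
    for ip, c in counts.items():
        pct = {k: round(100.0 * c[k] / c["total"], 1) for k in ("spf", "dkim", "dual")}
        # The third number is the one that matters: dual alignment below the
        # threshold marks a source whose ESP setup needs a custom-domain fix.
        result[ip] = {"spf_pct": pct["spf"], "dkim_pct": pct["dkim"],
                      "dual_pct": pct["dual"], "flag": pct["dual"] < threshold}
    return result
```

Run over a month of reports, merge the per-IP counts before computing percentages so low-volume days do not skew a source.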
If you want a deeper walk-through of the authentication stack itself, our explainer on SPF, DKIM, and DMARC covers the mechanics in more depth. Read that first if any of the above feels unfamiliar.
Multi-ESP Audits Are the Hardest Part
The single hardest thing to fix is a company running three or more ESPs on the same domain. Marketing uses Klaviyo. Transactional runs through Postmark. Sales outreach uses Outreach. Customer support sits on Zendesk. Each of these sends from hello@yourcompany.com or some similar address.
For dual alignment to work across all of them, every single ESP needs custom domain configuration pointing at yourcompany.com. That means four sets of DNS records. It means four DKIM keys. It means four bounce subdomains that you manage centrally.
I did this audit for an ecommerce client in February. They had six ESPs signing mail from their root domain. Three had proper custom domain setups. Three were using the ESP defaults. After fixing the three defaults, their DMARC pass rate on marketing mail jumped from 89 percent to 99.4 percent, and their Gmail tab placement improved visibly in the following weeks.
The lesson: if you have not audited your ESP configuration in two years, you probably have at least one ESP signing with the wrong domain. Fixing it is free. It just requires about two hours of DNS work per ESP.
Why SPF Still Matters Even If DKIM Is More Important
None of what I have said means SPF is obsolete. It still blocks IPs that are not authorized to send for your domain. It still protects against the simplest spoofing attempts. It still contributes to reputation signals at receivers like Outlook.
What it does mean is that SPF cannot be your only aligned authentication. If you set up SPF correctly and never bother with custom DKIM, you are authenticated for today and will suffer under tomorrow's scoring rules. The cost of setting up DKIM alignment is trivial compared to the deliverability upside, and it is the one that survives forwarding.
Do both. Do both correctly. Treat SPF and DKIM as complementary, not alternatives. This is the shift in framing that separates senders who will still be reaching the inbox in 2028 from those who will be wondering why their open rates keep sliding.
Preparing for the Dual Alignment Requirement
I do not expect DMARC 2.0 to land soon. What I expect is continued receiver-side pressure that treats dual alignment as the gold standard while allowing single alignment to degrade slowly. Here is the preparation sequence I recommend.
First, audit your aggregate reports for alignment rates per source. This takes one hour if you have a parser configured, a week if you do not. Do not skip this step. Most teams will find at least one surprise.
Second, fix any ESP without custom domain authentication. Walk through the setup flow for each one. It usually takes ninety minutes of work across DNS changes and ESP dashboard updates per provider.
Third, monitor for two weeks. Alignment changes can take 24 to 72 hours to propagate fully. Aggregate reports catch up on a daily cycle, so you will see your before-and-after numbers within a week.
Fourth, move DMARC policy forward. If you are at p=none, use the improved alignment as your cue to publish p=quarantine. If you are at p=quarantine, move to p=reject. Every step toward enforcement compounds with dual alignment to produce stronger authentication signals at the receivers.
Fifth, keep your list clean. I mention this in every post for a reason. Bad recipients mean bounces, and bounces mean reputation damage that overwhelms authentication gains. A weekly hygiene routine that runs your list through bulk email verification costs very little and prevents the biggest single source of reputation harm. This connects to alignment indirectly: receivers looking at a sender with great authentication but a 5 percent bounce rate still treat them as low trust. Get both right together.
One Counterintuitive Thing
Here is something you will not hear often: SPF hard-alignment (strict mode) is sometimes worse than not having SPF at all. Strict SPF alignment requires the Return-Path domain to match the From domain exactly. If your ESP rewrites the Return-Path for bounce handling and it does not match your exact subdomain, strict alignment fails constantly. Most DMARC records use relaxed alignment anyway, but the configuration option exists and I have seen it cause real outages.
Stick with relaxed alignment for both aspf and adkim unless you have a specific reason otherwise. The marginal security benefit of strict alignment is not worth the false failure rate.
Contrarian Take: Most DKIM Key Rotation Advice Is Wrong
While we are here, let me push back on advice I see repeatedly: rotate DKIM keys every 90 days. This comes from an old best-practices document and made sense when everyone used 1024-bit keys that could theoretically be factored. With 2048-bit keys, which every modern ESP provides by default, rotation every 90 days is security theater.
Rotate when you have reason to believe a key is compromised. Rotate when moving to a new signing provider. Rotate if you are required to by compliance. Otherwise, leave your DKIM keys alone. Frequent rotation introduces real deliverability risk because propagation delays cause temporary DMARC failures, and you gain almost nothing security-wise.
This matters for alignment because rotation errors are a surprisingly common reason for sudden drops in DKIM alignment rates. I have seen teams discover they are rotating keys on a cron job nobody remembers setting up, and each rotation causes a two-day alignment drop that shows up in their DMARC reports but nowhere else.
What to Do This Week
Open your DMARC reporting tool. Find the alignment percentages per source for the last 30 days. Flag any source below 95 percent dual alignment. For each flagged source, open the ESP's custom domain authentication docs. Work through the DNS setup for each one. Budget two hours per ESP. You will be surprised how much of your future deliverability comes down to a few missing DNS records.
If you are thinking about this for the first time, start with your highest-volume sender. That is where the alignment improvement will have the biggest impact on your reputation signals. Work outward to your lower-volume senders over the next month. By June you will have dual alignment everywhere and will be ready for whatever the next receiver-side policy shift brings.
The receivers are not waiting for senders to catch up. They are already weighting dual alignment more heavily. The only question is whether you notice the shift when you look at your data, or whether you notice it six months from now when your inbox placement has slid 5 percent and you cannot explain why.
One last thing worth saying. Every time I run this audit for a new client, there is at least one surprise that would have been easy to catch months earlier. Last week it was a password reset email from a legacy billing system that had never been migrated off a 2018-era authentication setup. The week before it was a HubSpot workflow that had been sending out of a misconfigured subdomain for six months. The audit always pays for itself. Put time on the calendar. Do it before the receivers force your hand. And if you run into a case you cannot figure out, come back to the causes of low deliverability reference and work backward from symptoms to root cause.
