How to resolve DMARC failures due to SPF alignment issues when using Customerly
Learn why DMARC reports might show SPF failures even when SPF is properly configured, and how to fix this by updating your DMARC policy for relaxed SPF alignment when using Customerly to send emails on your behalf.
Why you’re seeing SPF failures in DMARC reports
If you’re using Customerly to send emails on behalf of your domain and you’ve started receiving DMARC reports showing SPF failures, you’re not alone. Even with a correctly set up SPF record, some messages may not align perfectly with your domain. This results in DMARC flagging them—even when SPF and DKIM themselves are technically passing.
Let’s break down what’s happening and how to fix it.
What’s happening behind the scenes?
DMARC evaluates two key factors to determine if an email is legitimate:
• SPF (Sender Policy Framework): Checks if the sending server is authorized to send on behalf of the domain.
• DKIM (DomainKeys Identified Mail): Verifies if the message has been tampered with in transit by validating the email’s digital signature.
But DMARC also includes alignment checks, meaning the domain in the “From” header (the one your users see) must match the domains used in SPF and DKIM checks.
In Customerly’s case, emails are sent via a subdomain like delivery.customerly-mail.com, while signed using your domain (e.g., yourdomain.com). This difference in the envelope-from (SPF) and header-from (visible sender) causes a failure in SPF alignment, even though SPF and DKIM themselves are passing.
Example from your report
You might see something like this in your DMARC report:
auth_results:
dkim: pass
spf: pass
policy_evaluated:
spf: fail (due to alignment)That’s because:
• The message is signed with yourdomain.com (DKIM – pass).
• It’s sent from delivery.customerly-mail.com (SPF – pass).
• But DMARC requires the sending domain (delivery.customerly-mail.com) and the visible domain (yourdomain.com) to align unless you’re using relaxed alignment.
The solution: update your DMARC policy for relaxed SPF alignment
To resolve this, you don’t need to change your SPF record (it’s already correct). Instead, adjust your DMARC policy (check also here) to use relaxed alignment for SPF and DKIM.
Here’s the recommended DMARC record:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@your-domain.com; aspf=r; adkim=r; pct=100;Here’s what the key tags mean:
• aspf=r: Enables relaxed SPF alignment, allowing partial domain matches (like subdomains).
• adkim=r: Enables relaxed DKIM alignment, although your DKIM is already aligned.
• p=quarantine: Instructs mailbox providers to quarantine failing emails instead of rejecting them outright.
If you’re currently using p=none, you’re only monitoring—not enforcing—DMARC policies. That’s okay for initial testing, but if you plan to improve email security and delivery, switching to quarantine with relaxed alignment is the best next step.
How to update your DMARC record
1. Log into your DNS provider’s dashboard.
2. Locate the TXT record for _dmarc.your-domain.com.
3. Replace or modify the value to:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@your-domain.com; aspf=r; adkim=r; pct=100;4. Save and propagate the changes (this may take a few hours).
What to expect after the update
Once updated:
• Emails sent via Customerly will pass DMARC checks as long as either SPF or DKIM passes with relaxed alignment.
• You’ll maintain email deliverability and preserve security.
• DMARC reports will show fewer (or no) alignment failures for Customerly-sent messages.
Still need help?
If you’re not sure how to update your DNS records, or would like us to verify your settings, feel free to reach out to our support team. We’re always happy to help!
Did this answer your question?