Why does Google Postmaster Tools show lower DMARC percentage despite SPF and DKIM alignment being 100%?
Summary
What email marketers say
12 Marketer opinions
Email marketer from StackExchange responds that a common reason for this is DMARC alignment failure. Even if SPF and DKIM pass, if they are not aligned with the domain in the From header, DMARC will fail. This often happens when using a third-party email service and not properly configuring the return-path or DKIM signing domain.
Email marketer from EasyDMARC explains that the key factor is DMARC requires both DKIM and SPF to align with the 'Header From' domain. If SPF or DKIM pass, but do not align then DMARC will fail.
Marketer from Email Geeks suggests the DMARC discrepancies could be from forwards or the use of one domain in the header-from and another for DKIM/SPF.
Email marketer from Reddit shares that forwarding is a frequent cause. When emails are forwarded, SPF often breaks, and while DKIM might still pass, it might not align if the forwarding service uses a different domain. Additionally, they suggest checking DMARC reports to identify specific issues.
Email marketer from EmailAuth explains that if emails are not configured correctly, then DKIM alignment can often be broken and Google Postmaster Tools can report these emails as not valid or as spam. DKIM alignment can only happen when the from address is the same domain as the DKIM domain.
Email marketer from StackExchange explains that a common issue is that emails pass SPF, but are then sent from another server which does not align. He advises ensuring that all sending servers are configured correctly so that emails align, as the DMARC record uses alignment to authenticate emails.
Email marketer from Mailop Forum explains that a lot of the time, even if SPF and DKIM are configured correctly, the main issue is still with the setup or configuration of the DMARC record itself. Ensuring it's set up correctly is paramount.
Email marketer from GlockApps mentions that email deliverability is often impacted due to incorrect setup of the domain and the SPF/DKIM/DMARC records. These records must be configured correctly so that emails will pass the checks. The email must also align, which means the 'Header From' address matches the domain.
Email marketer from EmailDiscussions.com explains that many ESPs configure DKIM correctly; however, the DMARC record needs to be set up correctly so that emails are correctly reported and authenticated. Incorrect configuration can give incorrect results within Google Postmaster Tools.
Email marketer from MailerMailer explains that DMARC alignment is a key factor even if both SPF and DKIM are configured to pass. Forwarding of emails is a key culprit of this issue as forwarding will typically break alignment.
Marketer from Email Geeks explains forwarding can break DKIM (and should replace SPF). Zack suggests that the best way to check if authentication is working is to check DMARC aggregate reports. Zack also mentions the graph shows success not alignment, so if an email is forwarded, DKIM and SPF could both pass with someone else's domain, meaning DKIM and SPF show up as 100% passing but the lack of alignment means DMARC is not passing.
Marketer from Email Geeks suggests that the DMARC discrepancy might be due to the alignment of SPF and DKIM, meaning the client domain isn't used in the return path or as the DKIM signing domain.
What the experts say
5 Expert opinions
Expert from Email Geeks explains that Google Postmaster Tools (GPT) doesn't show alignment data. It shows: SPF data for the domain that is registered, DKIM data for the domain that is registered, and DMARC data for the domain that is registered. Failures will be included in the DMARC reporting. Laura also adds that the data shows a fraction of mail using the registered domain is not aligned and possible reasons include a DNS failure or unauthenticated mail. If there is no DMARC report data to review, then it could be treated as a transient failure.
Expert from Email Geeks clarifies that GPT shows what percentage of mail using a particular domain for authentication actually passes authentication, and that isn't alignment. Laura also explains that it is totally possible for mail to be 100% in alignment and have a percentage of that mail fail SPF because it was sent from an IP that is not in the SPF record. GPT shows the results of authentication for the authenticated domain. It does not show alignment %.
Expert from Email Geeks explains the DMARC % is where alignment comes into play. Laura says that if GPT is showing that a percentage of the mail failed DMARC, then this means that the mail using that domain did not align with either SPF or DKIM. Laura explains that the specifics of the messages that failed are mailed to the address given in the DMARC record in DNS which will verify exactly what went wrong for those messages.
Expert from Spam Resource explains that the most common reason for this is a failure of DKIM alignment, where the domain in the 'd=' tag of the DKIM signature does not match the domain in the From: header.
Expert from Email Geeks answers what would happen in a scenario where 50% of emails are sent by an ESP (SPF pass on their domain) and 50% from an SPF-authenticated email server. Laura confirms Google Postmaster Tools (GPT) would show 100% pass because all of the messages from your own server would be SPF authenticated.
What the documentation says
4 Technical articles
Documentation from Google explains that even if SPF and DKIM are passing, DMARC can fail if the domain in the 'From' address doesn't match the domain used to authenticate the email (SPF or DKIM). This is due to DMARC's alignment requirement. Forwarding can also cause issues, as it may break SPF and/or DKIM.
Documentation from Microsoft explains that in addition to SPF and DKIM passing checks, DMARC also requires alignment between the 'Header From' domain that users see and the domain that passed authentication. If an email passes SPF or DKIM without alignment, then DMARC can fail.
Documentation from DMARC.org explains that a lower DMARC percentage despite passing SPF/DKIM often points to alignment issues. DMARC requires either SPF or DKIM to 'align' with the domain in the 'From:' header. SPF alignment means the 'Return-Path' domain must match, while DKIM alignment requires the 'd=' domain to match. If neither aligns, DMARC fails.
Documentation from AuthSMTP explains that it is key to ensure that all SPF and DKIM records are set up correctly and align. An issue that often occurs is that the DNS records and authentication methods aren't configured properly and emails can therefore be marked as spam.
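The alignment rule and the dashboard behaviour described above can be reproduced with a small model. This is an added example, not code from Google or any of the quoted sources; the `Msg` fields, the `dashboard` function, the two-label organizational-domain shortcut (real evaluators use the Public Suffix List) and the sample traffic are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Msg:
    header_from: str   # domain in the visible From: header
    spf_domain: str    # Return-Path (MAIL FROM) domain that SPF evaluated
    spf_pass: bool
    dkim_domain: str   # d= domain of the DKIM signature
    dkim_pass: bool

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, strict=False):
    # Strict alignment needs an exact match; relaxed needs the same org domain.
    if strict:
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def dmarc_pass(m, strict=False):
    # DMARC passes when SPF or DKIM both passes AND aligns with the From: domain.
    spf_ok = m.spf_pass and aligned(m.spf_domain, m.header_from, strict)
    dkim_ok = m.dkim_pass and aligned(m.dkim_domain, m.header_from, strict)
    return spf_ok or dkim_ok

def rate(results):
    results = list(results)
    return 100.0 * sum(results) / len(results) if results else None

def dashboard(msgs, domain):
    # SPF/DKIM: counted only over mail that authenticates with `domain`.
    # DMARC: counted over all mail whose From: header uses `domain`.
    return {
        "spf": rate(m.spf_pass for m in msgs if org_domain(m.spf_domain) == domain),
        "dkim": rate(m.dkim_pass for m in msgs if org_domain(m.dkim_domain) == domain),
        "dmarc": rate(dmarc_pass(m) for m in msgs if org_domain(m.header_from) == domain),
    }

# Constructed sample: 10 messages with From: example.com
SAMPLE = (
    # Own servers: authenticated and aligned
    [Msg("example.com", "bounce.example.com", True, "example.com", True)] * 6
    # ESP mail: SPF and DKIM pass, but on the ESP's domain
    + [Msg("example.com", "esp.example.net", True, "esp.example.net", True)] * 3
    # Forwarded mail: passes with the forwarder's domain only
    + [Msg("example.com", "fwd.example.org", True, "fwd.example.org", True)] * 1
)

if __name__ == "__main__":
    print(dashboard(SAMPLE, "example.com"))
```

The unaligned messages never enter the SPF or DKIM denominators for example.com, so those stay at 100% while the DMARC rate drops; the DMARC aggregate reports show which sending sources account for the gap.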