DMARC is all about verifying that the address in the ‘From’ header is the actual sender of the message.
To achieve this, it relies on the sender verification mechanisms DKIM and SPF.
However, neither DKIM nor SPF requires the domain it authenticates to match the domain in the From header.
Alignment means that these domains should match (or partially match when using a relaxed setup).
For DKIM this means that the domain used to create the signature (and provided through the d= parameter) should match the domain in the ‘From’ header.
For SPF this is the domain in the RFC5321.MailFrom (MAIL FROM) portion of SMTP or the RFC5321.EHLO/HELO domain, or both. These may be different domains, and they are typically not visible to the end user. Most of the time the ‘Return-Path’ header is used for this.
Example for DKIM:
You send mail from yourdomain.com using some-esp.com. This ESP correctly signs these mails with a DKIM signature. They do this using their domain some-esp.com. The DKIM signature itself is valid and passes. However, as the signing domain some-esp.com does not match your domain, these messages are not aligned. The ESP should sign the messages using yourdomain.com to make these messages DMARC compliant.
Example for SPF:
You send mail from yourdomain.com using some-esp.com. This ESP has set up bounce processing and therefore uses a ‘Return-Path’ header of [email protected]. As you have entered the ESP in your SPF record, SPF will pass. However, as the domain in the Return-Path header does not match yourdomain.com, these messages do not align. The ESP should change the Return-Path header or add an aligned DKIM signature.
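The two examples above can be expressed as an alignment check. The following is an added example, not code from the original page; the mailbox names and the bounce subdomain are constructed, the organizational-domain shortcut is a simplifying assumption, and aspf/adkim are the DMARC record tags that select relaxed (r) or strict (s) alignment.

```python
from email.utils import parseaddr

def org_domain(domain):
    # ASSUMPTION: organizational domain approximated as the last two labels.
    # Real DMARC evaluators look this up in the Public Suffix List
    # (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_header, spf_pass, mailfrom_domain, dkim_sigs,
                 aspf="r", adkim="r"):
    # dkim_sigs: list of (d= domain, signature_verified) tuples
    from_dom = parseaddr(from_header)[1].rpartition("@")[2]
    # A passing SPF or DKIM check only counts when its domain is aligned.
    spf_ok = spf_pass and aligned(mailfrom_domain, from_dom, aspf)
    dkim_ok = any(ok and aligned(d, from_dom, adkim) for d, ok in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample messages mirroring the two examples above.
FROM = "Your Company <news@yourdomain.com>"
CASES = {
    "ESP signs and bounces on its own domain":
        dict(spf_pass=True, mailfrom_domain="some-esp.com",
             dkim_sigs=[("some-esp.com", True)]),
    "ESP adds a DKIM signature with d=yourdomain.com":
        dict(spf_pass=True, mailfrom_domain="some-esp.com",
             dkim_sigs=[("some-esp.com", True), ("yourdomain.com", True)]),
    "ESP bounces to a subdomain of yourdomain.com":
        dict(spf_pass=True, mailfrom_domain="bounces.yourdomain.com",
             dkim_sigs=[("some-esp.com", True)]),
}

if __name__ == "__main__":
    for name, kw in CASES.items():
        print(name, "->", dmarc_result(FROM, **kw))
```

In the first case both SPF and DKIM pass, yet neither is aligned, which is the situation both examples describe. The third case is aligned only in relaxed mode; with aspf="s" the subdomain no longer matches.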