Problem

You are sending email from a Google Workspace account using an alias of your primary domain, and those emails are failing DMARC because neither the SPF or DKIM domains are Aligned even though both SPF and DKIM authentication results in a PASS.



Cause

It is most likely that you have not configured DKIM properly for the alias domain you are using.  This is forcing Google to only use the DKIM signing configured for your primary domain.  Since your primary domain is different than the alias domain used in the 'From' address of the message the DKIM is considered to be 'not aligned'. 


Additional Information

  • Google Workspace always uses your primary domain in the Return‑Path (envelope sender), so SPF alignment will always fail when sending from a domain alias.

  • You cannot fix SPF alignment if you're using an alias domain—it’s intended behavior.

  • DMARC compliance is achievable via DKIM, because Google signs the message using the domain used in the From: header (your alias), and that DKIM‑alignment will satisfy DMARC as long as DKIM is passing and aligned.


Solution

Enable DKIM for the alias domain in Google Workspace.  Refer to google's own documentation for details, but here are some steps you might take for reference.


In the Google Admin Console:

  • Go to Apps > Google Workspace > Gmail > Authenticate email.

  • Select your alias domain from the domain list.

  • Generate a new DKIM key for it (if not already done).

  • Add the provided DKIM TXT record to your alias domain's DNS.

  • Click "Start authentication" once DNS is propagated.