What’s the difference between SPF alignment failure and security rejection?

SPF alignment failure occurs when the domain in the envelope sender (Return-Path) does not match the domain in the visible From header. This breaks DMARC alignment for SPF, though DKIM can still provide alignment.

Security rejection blocks messages based on detected threats: malware in attachments, phishing patterns in content, or violations of organizational security policies.

The distinction matters for diagnosis. SPF alignment failures appear in DMARC reports and authentication headers. Security rejections typically appear in bounce messages referencing content filtering or security policies.

Fixing alignment requires coordinating your sending infrastructure so domains align properly. Fixing security rejections requires understanding what content or pattern triggered the block.

Alignment failure is a paperwork problem. Security rejection means the cargo itself was refused.