What is DMARC Alignment?
Alignment is a DMARC concept that ensures the domain being authenticated (via SPF or DKIM) matches the domain visible in the email's "From" header. Without alignment, an attacker could authenticate with their own domain while spoofing yours in the From field — and the email would still pass SPF or DKIM checks.
Why Alignment Matters for Email Security
Consider this scenario without alignment:
- An attacker sends email with From: ceo@yourcompany.com
- The email passes SPF for attacker.com (their actual sending domain)
- Without an alignment check, this could pass authentication
Alignment ensures the authenticated domain relates to the visible sender domain, closing this security gap.
Relaxed vs Strict Alignment
Relaxed Alignment (Default)
With relaxed alignment (adkim=r or aspf=r), the authenticated domain can be a subdomain of the From domain, or vice versa, or even a sibling subdomain: what matters is that both share the same organizational domain. This is the default mode when the alignment tags are omitted from your DMARC record.
Examples that pass relaxed alignment:
| From Domain | Authenticated Domain | Result |
|---|---|---|
| example.com | example.com | Pass |
| example.com | mail.example.com | Pass |
| mail.example.com | example.com | Pass |
| mail.example.com | news.example.com | Pass |
Example that fails:
| From Domain | Authenticated Domain | Result |
|---|---|---|
| example.com | otherdomain.com | Fail |
Strict Alignment
With strict alignment (adkim=s or aspf=s), the authenticated domain must exactly match the From domain. No subdomain matching is allowed.
Examples:
| From Domain | Authenticated Domain | Result |
|---|---|---|
| example.com | example.com | Pass |
| example.com | mail.example.com | Fail |
| mail.example.com | example.com | Fail |
SPF Alignment in Detail
SPF alignment compares two domains:
- The domain in the "From" header (what the recipient sees)
- The domain in the MAIL FROM / Return-Path (used for the SPF check)
Example email:
Return-Path: <bounce@mail.example.com>
From: newsletter@example.com
- Relaxed alignment: Pass — both are in the example.com family
- Strict alignment: Fail — mail.example.com ≠ example.com
DKIM Alignment in Detail
DKIM alignment compares:
- The domain in the "From" header
- The domain in the DKIM signature (the d= tag)
Example:
From: sales@example.com
DKIM-Signature: ... d=example.com ...
- Relaxed: Pass (exact match)
- Strict: Pass (exact match)
Another example:
From: sales@example.com
DKIM-Signature: ... d=marketing.example.com ...
- Relaxed: Pass (subdomain relationship)
- Strict: Fail (not an exact match)
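The SPF and DKIM alignment rules described above, implemented as an added example (not code from the original page): it pulls the From, Return-Path and DKIM d= domains out of a constructed message and applies relaxed or strict comparison. It assumes a simplified organizational-domain rule (last two labels) instead of a Public Suffix List lookup, and it checks alignment only, taking the underlying SPF and DKIM results as already passed.

```python
import email.utils
import re
from email import message_from_string, policy

# Assumption: organizational domain = last two labels. Real DMARC evaluators use the
# Public Suffix List, so multi-label suffixes such as co.uk are mishandled here.
def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """mode 'r' (relaxed): organizational domains must match.
       mode 's' (strict): domains must be identical (case-insensitive)."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    if mode == "r":
        return org_domain(f) == org_domain(a)
    raise ValueError(f"unknown alignment mode {mode!r}")

def header_domain(addr: str) -> str:
    """Domain part of an RFC 5322 address, e.g. '<a@b.example>' -> 'b.example'."""
    _, address = email.utils.parseaddr(str(addr))
    return address.rsplit("@", 1)[-1]

def dkim_d_domain(sig: str):
    """Extract the d= tag from a DKIM-Signature header value, or None."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
    return m.group(1) if m else None

def evaluate(raw: str, adkim: str = "r", aspf: str = "r") -> dict:
    """Alignment result per mechanism; DMARC passes if either one aligns."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = header_domain(msg["From"])
    spf_dom = header_domain(msg["Return-Path"]) if msg["Return-Path"] else None
    dkim_dom = dkim_d_domain(msg["DKIM-Signature"]) if msg["DKIM-Signature"] else None
    spf_ok = spf_dom is not None and aligned(from_dom, spf_dom, aspf)
    dkim_ok = dkim_dom is not None and aligned(from_dom, dkim_dom, adkim)
    return {"from": from_dom, "spf": spf_ok, "dkim": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample message, modelled on the page's examples (not a real capture).
SAMPLE = (
    "Return-Path: <bounce@mail.example.com>\r\n"
    "From: newsletter@example.com\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=marketing.example.com; s=sel; h=from; b=...\r\n"
    "Subject: test\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    print(evaluate(SAMPLE))                          # relaxed: both align
    print(evaluate(SAMPLE, adkim="s", aspf="s"))     # strict: neither aligns
```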
Configuring Alignment in Your DMARC Record
Set alignment modes using the adkim and aspf tags:
v=DMARC1; p=reject; adkim=r; aspf=r
| Tag | Setting | Meaning |
|---|---|---|
| adkim=r | Relaxed DKIM | Subdomain matches allowed |
| adkim=s | Strict DKIM | Exact match required |
| aspf=r | Relaxed SPF | Subdomain matches allowed |
| aspf=s | Strict SPF | Exact match required |
Default is relaxed (r) if not specified.
When to Use Each Alignment Mode
Use Relaxed Alignment When:
- You send email from multiple subdomains
- Third-party services sign DKIM with a subdomain of your domain
- You want maximum flexibility during your DMARC rollout
- You're starting your DMARC journey
Use Strict Alignment When:
- You need maximum security against subdomain spoofing
- You control all sending infrastructure
- You don't use subdomains for email
- Security compliance requirements demand it
Common Alignment Issues
Third-Party Senders
Many third-party email services sign DKIM with their own domain by default:
- d=sendgrid.net (won't align with your domain)
- d=amazonses.com (won't align with your domain)
Solution: Configure these services to use your domain for DKIM signing. Most major email services support custom DKIM domains.
Forwarded Email
When email is forwarded, SPF often breaks because the forwarding server's IP isn't in your SPF record. DKIM usually survives forwarding because the signature travels with the message.
Solution: Rely on DKIM for forwarded email authentication. This is one reason DMARC only requires one of SPF or DKIM to pass (with alignment).
Subdomain Email
If you send from news.example.com but only have DMARC on example.com:
- With relaxed alignment: Works fine
- With strict alignment: Fails unless the authenticated domain (the MAIL FROM domain for SPF, the d= domain for DKIM) is exactly news.example.com
Recommendations
- Start with relaxed — Use relaxed alignment while establishing your DMARC configuration
- Audit your senders — Understand which domains and subdomains send email for your organization
- Configure DKIM properly — Have third-party services sign with your domain
- Consider strict later — Move to strict only if needed and after thorough testing
- Monitor continuously — Use DMARC reports to catch alignment issues before they affect delivery
Next Steps
- Learn about DMARC policies and enforcement levels
- Understand SPF and DKIM authentication in detail
- Check your alignment configuration with our free DMARC Checker