DMARC alignment: relaxed vs strict, SPF vs DKIM
Alignment is the rule that decides whether an SPF or DKIM pass actually counts as a DMARC pass. Most domains that get spoofed have SPF and DKIM working but misconfigured alignment.
TL;DR
1. DMARC requires the visible From domain to ALIGN with the domain that authenticated.
2. Relaxed alignment allows subdomains (mail.brand.com aligns with brand.com); strict requires an exact match.
3. An attacker who passes SPF with their own envelope-from but spoofs your From header fails alignment and therefore DMARC.
DMARC requires SPF or DKIM to align with the visible From: domain. An ESP sending on your behalf may pass both checks under its own domain and still fail DMARC because neither aligns with yours.
What it does
Alignment is the bridge between low-level auth (SPF, DKIM) and DMARC's per-domain enforcement. Without alignment, an attacker could pass SPF using their own infrastructure while putting your domain in the visible From header — DMARC's whole point is to close that gap.
SPF alignment compares the visible From domain to the envelope-from domain (the bounce address). DKIM alignment compares the visible From domain to the d= tag on the signature. DMARC passes when either one aligns AND the underlying check passes.
Relaxed alignment (the default) treats any subdomain as a match — mail.brand.com aligns with brand.com. Strict alignment requires an exact match. Most domains should stay on relaxed; strict is only for orgs that need surgical control.
How it works
1. The receiver extracts the visible From domain from the message header.
2. It checks SPF on the envelope-from domain. If SPF passes AND the envelope-from domain aligns with From under the aspf mode, SPF-DMARC passes.
3. It checks DKIM on the d= tag of each signature. If any DKIM signature verifies AND its d= aligns with From under the adkim mode, DKIM-DMARC passes.
4. DMARC passes if EITHER check passed. Only one aligned pass is needed, but both must be set up to align if DMARC is to survive a single authentication failure (for example, SPF breaking on forwarding while an aligned DKIM signature still verifies).
5. aspf=r (relaxed, default) accepts subdomain matches; aspf=s (strict) requires an exact match. The same applies to adkim.
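The five steps above, as an added Python example (not code from the original page): a minimal alignment evaluator that takes the visible From domain, the SPF result with its envelope-from domain, and the list of DKIM signatures with their d= tags, and returns the DMARC verdict under the given aspf/adkim modes. It assumes a simplified organizational-domain rule (last two labels) where a real receiver would consult the Public Suffix List.

```python
# Added example, not from the original page: DMARC alignment evaluation.
# Organizational-domain lookup is simplified to "last two labels" (assumption);
# real receivers use the Public Suffix List (e.g. brand.co.uk would be wrong here).
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)

@dataclass
class AuthResults:
    from_domain: str            # visible RFC5322.From domain
    spf_pass: bool              # did SPF pass for the envelope-from domain?
    envelope_from: str          # RFC5321.MailFrom domain (bounce address)
    dkim: list = field(default_factory=list)  # [(d= domain, verified?), ...]

def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    """Steps 2-4: each path needs an underlying pass AND alignment; either suffices."""
    spf_dmarc = r.spf_pass and aligned(r.from_domain, r.envelope_from, aspf)
    dkim_dmarc = any(ok and aligned(r.from_domain, d, adkim) for d, ok in r.dkim)
    return {"spf": spf_dmarc, "dkim": dkim_dmarc, "dmarc_pass": spf_dmarc or dkim_dmarc}

if __name__ == "__main__":
    # Constructed sample cases mirroring the scenarios in this article.
    esp = AuthResults("brand.com", True, "bounce.mailchimp.com", [("mailchimp.com", True)])
    sub = AuthResults("brand.com", True, "mail.brand.com", [("mail.brand.com", True)])
    spoof = AuthResults("brand.com", True, "evil.example", [])
    fwd = AuthResults("brand.com", False, "forwarder.example", [("brand.com", True)])
    print(dmarc_evaluate(esp))            # ESP auths under its own domain: nothing aligns
    print(dmarc_evaluate(sub))            # relaxed: subdomain aligns, pass
    print(dmarc_evaluate(sub, "s", "s"))  # strict: subdomain does not align, fail
    print(dmarc_evaluate(spoof))          # SPF passes for the attacker, alignment fails
    print(dmarc_evaluate(fwd))            # SPF broken by forwarding, aligned DKIM carries
```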
Common pitfalls
- Sending from notifications.brand.com with an SPF record on brand.com but no DMARC entry on notifications. Alignment fails because the receiver looks up DMARC at the subdomain first.
- Using a third-party sender (Mailchimp, HubSpot) that signs DKIM with its own d= (mailchimp.com) instead of yours. SPF passes for Mailchimp's IPs, but neither result aligns with your From → DMARC fails. Fix: enable DKIM CNAME delegation so the d= is your domain.
- Switching to aspf=s or adkim=s without auditing every ESP. Strict alignment breaks any sender that signs from a sub-zone.
- Forgetting that DMARC alignment is checked on the visible RFC5322.From domain, not the friendly display name. Display-name spoofing (alice@evil.com shown as 'Alice From Brand') is NOT what DMARC catches; that is a separate filtering problem.