Skip to content
Chimera readability score 59 out of 100, Graduate reading level.

TLDR: DMARC alignment checks that the domain in your email’s visible “From” address matches the domain that passed SPF or DKIM. DMARC passes if either one aligns, you don’t need both. Alignment has two modes: relaxed, the default, which matches at the organizational-domain level so subdomains count, and strict, which demands an exact domain match.
Your email can pass SPF and DKIM and still fail DMARC. That catches a lot of people off guard, and the reason is alignment.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) alignment checks that the domain your recipients see in the “From” address matches the domain that passed authentication. If the two don’t line up, the message fails DMARC, even when SPF or DKIM technically passed.
This guide covers how alignment works, the difference between strict and relaxed modes, which one is the default, and how to fix the alignment failures that trip up legitimate mail.
For the wider protocol, start with what DMARC is and how it works. This page is about the little piece that decides whether your mail passes.
What is DMARC alignment?
DMARC alignment is the link between authentication and identity. SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) both verify that an email came from an authorized source. But on their own, they don’t check that the source matches the name in the “From” line.
Alignment does.
Ultimately, anyone can buy a domain and set up SPF and DKIM for it. Without alignment, an attacker could put your domain in the “From” address, pass SPF and DKIM on their domain behind the scenes, and sail through.
Recipients only see the “From” address, so they’d never spot the mismatch. Alignment closes that gap by requiring the authenticated domain and the visible domain to match.
Note: DMARC passes if SPF or DKIM aligns. You don’t need both. That single “or” is why aligned DKIM is often the foundation of a healthy DMARC setup.
How SPF alignment works
SPF alignment compares two domains:
- The Return-Path domain (the envelope sender, also called the MAIL FROM), which is what SPF actually authenticates.
- The “From” domain, which is what your recipients see.
If those two domains match, SPF is aligned.
SPF authenticates the Return-Path, not the visible “From” address. So SPF can pass while failing alignment, because the two addresses point at different domains.
How DKIM alignment works
DKIM alignment compares the domain in the DKIM signature, the d=
value, against the “From” domain. When you sign a message with DKIM, the signature carries a d=
tag naming the signing domain. If that domain matches the “From” domain, DKIM is aligned.
DKIM alignment has one practical advantage over SPF: it survives forwarding. When a message gets forwarded, the sending IP changes and SPF often breaks, but the DKIM signature travels with the message. As long as the content isn’t modified, aligned DKIM keeps passing.
Strict DMARC alignment vs. relaxed DMARC alignment
DMARC alignment comes in two types: strict and relaxed. Each serves a different purpose, and understanding their nuances is critical to implementing an effective DMARC policy.
-
- Strict Alignment: In strict alignment, an exact match is required between the domains. This means the domain in the “From” address must exactly match the domain validated by SPF and/or DKIM.
-
- Relaxed Alignment: Relaxed alignment, on the other hand, allows for a more lenient matching criterion. It’s satisfied as long as the organizational domains are the same, even if the subdomains differ.
However, it’s a bit more complicated and nuanced than that. Let’s dive deeper into each alignment mode.
| Aspect | Relaxed (default) | Strict |
|---|---|---|
| Domain match | Organizational domain matches; subdomains count | Exact domain match required |
| Set with | aspf=r / adkim=r |
aspf=s / adkim=s |
| Best for | Multiple subdomains, third-party senders, forwarded mail | Domains at high risk of exact-domain impersonation |
| Trade-off | A lookalike subdomain could slip through | Legitimate mail fails if domains don’t match exactly |
Strict DMARC alignment
Strict DMARC alignment is the more rigorous of the two options. It demands an exact match between the domain in the “From” address of the email and the domain authenticated by SPF and/or DKIM. Think of it as a precision lock where only the exact key—the exact domain name—fits. This precision ensures that emails are authenticated most stringently, leaving little room for impersonators to exploit.
Strict alignment is crucial for organizations where security is paramount and the risk of impersonation is high. This includes financial institutions, government entities, and large corporations, especially those that handle sensitive data. In these scenarios, the cost of even a single phishing attack can be substantial, making the strict verification process a necessary safeguard.
-
- Pros: The primary advantage of strict alignment is its enhanced security. It significantly reduces the chances of spoofed or phishing emails getting through, protecting your brand’s integrity and recipients’ trust.
-
- Cons: However, the downside is its inflexibility. It can lead to legitimate emails being rejected or marked as spam if they don’t meet the exact domain match criteria. This can be problematic for organizations with complex email setups or those using various third-party email services.
Relaxed DMARC alignment
Relaxed DMARC alignment offers more flexibility than its strict counterpart. In relaxed alignment, the domain in the “From” address must match the authenticated domain at the organizational level. This means emails sent from a subdomain can still pass DMARC checks even if they don’t match the exact domain used in SPF or DKIM authentication.
Relaxed alignment is suitable for organizations with multiple subdomains or those who use third-party email services for marketing or customer support. It’s ideal for scenarios where strict alignment might be too restrictive and lead to wrongly flagging legitimate emails.
-
- Pros: The main advantage of relaxed alignment is its flexibility. It accommodates a variety of email-sending practices, reducing the likelihood of legitimate emails being rejected.
-
- Cons: The trade-off, however, is that relaxed alignment may allow for a higher risk of spoofed emails slipping through, as it doesn’t require an exact domain match.
Which alignment mode should you use?
For most organizations, relaxed is enough. It gives you real protection while accommodating subdomains, third-party senders, and forwarded mail without generating false positives. Start there.
Reach for strict when you have a specific reason: a domain at high risk of exact-domain impersonation, or a domain where you control every sender and want to lock matching down to the letter. Financial, government, and other high-target senders often run strict on their primary domains.
A few practical rules of thumb:
- Start relaxed, then tighten. Watch your DMARC reports first. Only move a domain to strict once the data shows your legitimate senders align exactly.
- Lean on DKIM for anything that gets forwarded. SPF alignment breaks on forwarding; aligned DKIM holds.
- Set the two modes independently.
aspf
andadkim
are separate. A common setup is strict DKIM with relaxed SPF, since SPF is the harder one to keep aligned across third-party senders.
How to set up your DMARC alignment
Ready to implement your chosen DMARC alignment mode? Here’s how to make it happen in your DMARC record:
1. Set your alignment mode in the DMARC record
The DMARC record includes tags that specify your desired policy and alignment mode.
For SPF alignment, use the “aspf” tag:
-
- aspf=s for strict alignment.
-
- aspf=r for relaxed alignment.
For DKIM alignment, use the “adkim” tag:
-
- adkim=s for strict alignment.
-
- adkim=r for relaxed alignment.
For example, a DMARC record with relaxed SPF and strict DKIM alignment would look like:
v=DMARC1; p=reject; aspf=r; adkim=s;
2. Implement and test your alignment choice
Monitor the impact after updating your DMARC record with the chosen alignment mode. Begin with a less restrictive policy (p=none or p=quarantine) to observe how your emails are processed without affecting deliverability.
Review DMARC reports to see how emails are aligning under your chosen mode. Look for issues like legitimate emails failing DMARC due to alignment problems.
If legitimate emails are rejected under strict alignment, consider switching to relaxed alignment. Conversely, consider tightening to strict alignment if you observe phishing attempts passing through under relaxed alignment.
3. Monitor and make adjustments
DMARC alignment isn’t a set-it-and-forget-it configuration. Continuously monitor DMARC reports to ensure your alignment mode remains effective and adjust as your email practices evolve, or new threats emerge.
FAQs on DMARC alignment
1. What happens if I don’t set up DMARC alignment correctly?
Incorrect DMARC alignment can lead to legitimate emails being marked as spam or phishing emails slipping through, potentially harming your domain’s reputation and email deliverability.
2. Can I switch between strict and relaxed alignment?
Yes, you can switch between alignment modes by updating the aspf and adkim tags in your DMARC record. Regular monitoring is recommended to assess the impact of any changes.
3. How often should I review my DMARC policy?
We recommend you review your DMARC policy at least quarterly. However, more frequent reviews may be necessary if there are changes in your email-sending practices or if you notice any issues in your DMARC reports.
4. Does DMARC alignment affect email deliverability?
Proper DMARC alignment can improve email deliverability by building trust with email receivers. However, incorrect alignment might lead to legitimate emails being rejected or marked as spam.
Accelerate your journey to DMARC enforcement
DMARC alignment is about more than just protecting your domain from spoofing and phishing—it’s about ensuring the integrity and deliverability of every email you send. The journey to robust DMARC enforcement (while intricate) is essential in the digital age where email communication is foundational.
The first step in that journey is setting up your p=none policy and monitoring your senders. However, this can be time-consuming as you comb through confusing XML reports. Valimail Monitor consumes the reports for you and gives you easy-to-read, digestible reports on your sending services.
The best part is that it’s free.
Get global visibility into all senders using your domain. Expose non-authorized sending services with our unmatched discovery of email services.
Whether you’re an IT professional safeguarding your organization’s email program or an email marketer aiming to maintain your brand’s reputation and trust, we’re here to help. Monitor takes the hard work out of setting up your DMRC policy.
Don’t let the complexities of DMARC alignment hold you back. Start the journey with Monitor and transform your email authentication strategy from a challenge into an asset.

Facts Only

* DMARC checks if the visible "From" address domain matches the domain authenticated by SPF or DKIM.
* Alignment modes are strict and relaxed.
* Strict alignment requires an exact domain match.
* Relaxed alignment allows organizational domains to match, counting subdomains.
* SPF alignment compares the Return-Path domain with the "From" domain.
* DKIM alignment compares the signing domain in the signature (d=) with the "From" domain.
* DMARC passes if SPF or DKIM aligns.
* Strict alignment offers enhanced security by demanding exact domain matches.
* Relaxed alignment offers flexibility, accommodating subdomains and third-party senders.

Executive Summary

DMARC alignment checks whether the domain visible to recipients in the "From" address matches the domain that passed SPF or DKIM authentication. If these domains do not match, the message fails DMARC, even if SPF or DKIM technically pass. Alignment can operate in two modes: strict and relaxed. Strict alignment requires an exact domain match, whereas relaxed alignment allows for matching at the organizational domain level, counting subdomains. DMARC passes if either SPF or DKIM aligns; only one needs to align. SPF alignment compares the Return-Path domain (MAIL FROM) with the "From" domain. DKIM alignment compares the signing domain in the signature with the "From" domain, and DKIM alignment is advantageous for forwarded mail as it survives forwarding while SPF alignment does not.

Full Take

The structure of DMARC alignment forces a critical decision between absolute security (strict) and operational flexibility (relaxed). The fact that SPF alignment fails during forwarding while DKIM alignment persists highlights a systemic imbalance in how the two protocols handle domain identity across different messaging pathways, suggesting an architectural divergence in their trust models. The existence of two distinct alignment modes—one demanding precise identity and the other prioritizing reachability—forces organizations to navigate the trade-off between preventing sophisticated impersonation and ensuring mass email deliverability, which often requires prioritizing relaxed settings initially. The recommendation to start with relaxed alignment and tighten only after data review suggests a pattern where operational necessity precedes perfect security enforcement. This dynamic implies that an unaligned system is not merely a technical error but a reflection of friction between identity verification mechanisms and the practical realities of modern, distributed email sending infrastructure. When trust relies on authentication signals, the choice of strictness becomes a negotiation between defensive posture and functional utility.

Sentinel — Human

Confidence

The text reads like high-quality, technically accurate instructional writing, demonstrating a human understanding of the protocol dynamics and the necessary trade-offs between security and deliverability.

Signals Detected
low severity: Slight variance in sentence structure; clear instructional tone mixed with deeper technical exposition.
low severity: Highly focused explanation of a complex protocol (DMARC alignment) with logical flow and necessary contextual nuance.
low severity: Structured presentation using definitions, comparisons (table), and step-by-step instructions; clear argument structure.
low severity: Technical accuracy regarding SPF, DKIM, alignment modes, and the relationship between them appears correct and derived from established protocol knowledge.
Human Indicators
The use of specific, nuanced trade-offs (e.g., relaxed vs. strict alignment, SPF breakdown vs. DKIM survival during forwarding) demonstrates domain expertise beyond simple pattern repetition.
The concluding call to action shifts from purely technical advice to a marketing/tool recommendation, which is characteristic of human-driven content aiming for engagement.
DMARC alignment: strict vs relaxed (what’s the difference?) — Arc Codex