
DMARC Alignment Explained

Understand DMARC alignment — how SPF and DKIM domain alignment determines whether emails pass DMARC checks.

What is DMARC Alignment?

DMARC alignment is the requirement that the domain in the email's From header matches the domain authenticated by SPF or DKIM. This is what prevents attackers from using legitimate third-party infrastructure to spoof your domain — they may be able to pass SPF or DKIM for their own domain, but they cannot align those results to your From address.

DMARC requires at least one of SPF or DKIM to both pass and align with the From domain. Passing authentication alone is not enough.

How Alignment Works

There are two alignment checks DMARC performs:

  • SPF alignment: The domain in the SMTP envelope MAIL FROM (also called the Return-Path) must match the RFC5322 From header domain.
  • DKIM alignment: The d= domain in the DKIM signature must match the RFC5322 From header domain.

If either alignment check passes alongside its corresponding authentication result, the message passes DMARC.

Relaxed vs Strict Alignment Modes

DMARC supports two alignment modes, configured separately for SPF and DKIM in your DMARC record using the aspf and adkim tags:

  • Relaxed (default): The Organizational Domain must match. This means subdomains are allowed. For example, if your From address is you@example.com, a DKIM signature from mail.example.com would align because both share the organizational domain example.com.
  • Strict: An exact domain match is required. A DKIM signature from mail.example.com would NOT align with a From address of you@example.com.

Example DMARC record with strict DKIM alignment and relaxed SPF alignment:

v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com
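The following Python sketch is an added example, not code from the original page: it evaluates the record above against constructed authentication results to show how aspf and adkim change the outcome. The small PUBLIC_SUFFIXES set is an assumption standing in for the full Public Suffix List, and all function names are hypothetical.

```python
# Added example: DMARC alignment evaluation (not from the original page).
# ASSUMPTION: a tiny constructed suffix set stands in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Return the organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned(auth_domain, from_domain, mode):
    """mode 's' = exact match, 'r' (default) = same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)

def dmarc_result(record, from_domain, spf, dkim):
    """spf and dkim are (auth_result, domain) pairs: MAIL FROM domain and d= domain.
    Returns (verdict, spf_aligned_pass, dkim_aligned_pass)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    return ("pass" if spf_ok or dkim_ok else "fail", spf_ok, dkim_ok)

RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Constructed cases: (From domain, SPF result + MAIL FROM, DKIM result + d=)
    cases = [
        ("example.com", ("pass", "attacker.com"), ("pass", "attacker.com")),
        ("example.com", ("pass", "bounce.example.com"), ("pass", "mail.example.com")),
        ("example.com", ("fail", "example.com"), ("pass", "example.com")),
    ]
    for from_domain, spf, dkim in cases:
        print(from_domain, spf, dkim, "->", dmarc_result(RECORD, from_domain, spf, dkim))
```

In the second case the message passes DMARC only through relaxed SPF alignment; the DKIM signature from mail.example.com is valid but does not align under adkim=s.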

Why Alignment Matters

Without alignment, an attacker could send email from a server that legitimately passes SPF for attacker.com while using your domain in the From header. The receiving mail server would see a valid SPF pass but no alignment — and DMARC would catch this and apply your policy (quarantine or reject).

This is the core anti-spoofing mechanism of DMARC. It closes the gap that exists when SPF and DKIM are deployed without a policy layer.

Common Alignment Failures

  • Third-party senders: Email service providers (ESPs) like Mailchimp or MXPaw use their own domains in the MAIL FROM by default. You need to configure a custom Return-Path on your sending domain, or ensure DKIM is signed with your domain.
  • Email forwarding: When a mailbox forwards an email, the original SPF domain no longer matches and the DKIM signature may be broken if the message body is modified. ARC (Authenticated Received Chain) was designed to address this.
  • Subdomain mismatches with strict mode: If you use strict alignment and the authenticated domain is emails.example.com (for example, mail sent as marketing@emails.example.com) while the From header domain is example.com, DKIM alignment will fail under strict mode.
  • Misconfigured DKIM selectors: If your ESP signs with a domain you don't control, alignment will always fail for DKIM regardless of mode.

How to Set Up Proper Alignment

For each email stream you send, confirm the following:

  • Configure your ESP or mail server to sign outbound email with DKIM using your own domain (e.g., example.com).
  • If relying on SPF alignment, ensure the Return-Path domain matches your From domain. Many ESPs support custom bounce domains for this.
  • Start with relaxed alignment (the default) to maximize compatibility with subdomains and delegated senders.
  • Monitor your DMARC aggregate reports to identify sources with alignment failures before enforcing a quarantine or reject policy.

Frequently Asked Questions

Does DMARC require both SPF and DKIM to align?

No. DMARC passes if either SPF or DKIM passes authentication and aligns with the From domain. You only need one to succeed, though having both configured provides redundancy and better deliverability.

What alignment mode should I use?

Relaxed alignment is the recommended default for most organizations. It accommodates legitimate subdomain senders and is less likely to cause false failures. Use strict alignment only if you have tight control over all sending infrastructure and need maximum enforcement.

Can a message pass SPF but fail DMARC alignment?

Yes. A message can pass SPF (the MAIL FROM domain has a valid SPF record and the sending IP is authorized) but still fail DMARC if the MAIL FROM domain does not align with the From header domain. This is common with forwarded email or bulk senders using shared infrastructure.
