Skip to main content
Relaymetry

DMARC alignment: relaxed vs strict, adkim and aspf

DMARC alignment is the test that decides whether a passing SPF or DKIM result actually counts for your domain. DMARC authenticates the domain a reader sees in the From: header by requiring it to match a domain that SPF or DKIM already authenticated (RFC 7489 section 3.1). Relaxed mode (the default) accepts any subdomain of the same Organizational Domain; strict mode demands an exact match. The adkim and aspf tags set each mode, and one aligned mechanism is enough to pass.

Quick answer

Your SPF check passed, your DKIM signature verified, and DMARC still failed. That is not a contradiction. DMARC does not ask whether SPF or DKIM passed. It asks whether the identity they authenticated is the same domain a reader sees in the From: header. That second test is called identifier alignment (RFC 7489 §3.1).

A message passes DMARC when at least one of SPF or DKIM produces a pass and that pass is on an identifier that aligns with the RFC5322.From domain. One aligned mechanism is enough, so you never need both to align. But a passing mechanism that is not aligned counts for nothing, which is exactly how SPF passes while DMARC fails.

What alignment actually compares

DMARC authenticates the RFC5322.From domain, the one your mail client displays. SPF and DKIM each authenticate a different identity, so alignment is the step that ties their result back to the visible sender:

  • DKIM authenticates the domain in the signature's d= tag. Alignment compares that d= domain against the From domain (RFC 7489 §3.1.1). See DKIM selectors and keys for where d= comes from.
  • SPF authenticates the envelope sender, the RFC5321.MailFrom address, also called the return-path or bounce address. Alignment compares that envelope domain against the From domain (RFC 7489 §3.1.2).

The envelope sender and the From: header are two separate addresses that only look the same when you send your own mail directly. The moment a platform sends on your behalf, they usually diverge, and that gap is where alignment does its work.

Relaxed vs strict, and the adkim and aspf tags

Two tags in your DMARC record choose how forgiving the comparison is: adkim for the DKIM path and aspf for the SPF path. Each takes one of two values, and both default to relaxed when the tag is absent (RFC 7489 §6.3).

TagValueModeWhat has to match
adkim / aspfr (default)relaxedthe same Organizational Domain (subdomains align)
adkim / aspfsstrictan exact match of the full domain name

In relaxed mode, mail.example.com aligns with example.com because they share the Organizational Domain example.com. In strict mode the two fully qualified names must be identical, so mail.example.com would not align with example.com (RFC 7489 §3.1.1). A record that demands strict on both paths looks like this:

v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com

Strict is not "more secure" in a way that helps most senders. It mainly breaks subdomains and shared infrastructure that would have been fine under relaxed. The alignment mode is independent of the DMARC policy mode (p=none, p=quarantine, p=reject), which is a separate decision about what a receiver does once alignment has been judged.

How the Organizational Domain is determined

Relaxed alignment hinges on the Organizational Domain, so it has to be defined precisely. DMARC uses a Public Suffix List: it takes the public suffix (a registry-controlled part such as com, co.uk, or pvt.k12.ma.us) and adds the one label immediately above it (RFC 7489 §3.2).

  • mail.marketing.example.com reduces to example.com.
  • example.co.uk reduces to example.co.uk, because co.uk is the public suffix.

Both a From domain and an authenticated domain reduce this way, and relaxed alignment passes when the two reduced Organizational Domains are equal. This is why any subdomain of your organizational domain aligns under relaxed, and why choosing the wrong registrable boundary (treating co.uk as if uk were the suffix) would produce the wrong answer.

Why SPF passes but DMARC still fails

The paradox in the opening almost always traces to one of three shapes. Each has its own detailed walkthrough, so this page names the cause and points you at the fix:

  • SPF authenticated the platform's bounce domain, not yours. The envelope RFC5321.MailFrom is on the sender's domain while your From: is on yours, so SPF passes but is not aligned. This is return-path misalignment.
  • DKIM verified, but signed with the wrong d=. The signature is valid yet its d= domain is not your From domain, so DKIM passes without aligning. This is the DKIM-passes-but-DMARC-fails case.
  • A third-party sender can only align under relaxed, and you set strict. adkim=s or aspf=s rejects a subdomain or shared-domain result that relaxed would have accepted. See when DMARC is too strict for a third-party sender.

To see which identities actually aligned on a live domain, run a lookup with the DMARC checker. For how alignment sits inside the wider SPF plus DKIM plus DMARC picture, including the full pass/fail matrix, start from email authentication explained.

Frequently asked questions

What is DMARC alignment?

Identifier alignment is the test DMARC adds on top of SPF and DKIM. DMARC authenticates the domain a reader sees in the From header (RFC5322.From) by requiring that it match, or align with, a domain that SPF or DKIM already authenticated (RFC 7489 section 3.1). A message passes DMARC when at least one of SPF or DKIM produces a pass AND that pass is on an identifier that aligns with the From domain. One aligned mechanism is enough; you do not need both.

What is the difference between relaxed and strict alignment?

Relaxed alignment (the default) passes when the two domains share the same Organizational Domain, so a subdomain such as mail.example.com aligns with example.com. Strict alignment requires an exact match of the fully qualified domain names, so mail.example.com would not align with example.com (RFC 7489 sections 3.1.1 and 3.1.2). Relaxed is more forgiving of subdomains and shared infrastructure; strict is narrower.

Why does SPF pass but DMARC fail?

SPF authenticates the envelope sender (the RFC5321.MailFrom, also called the return-path or bounce address), not the visible From header. Many senders, especially email platforms, use their own bounce domain in the envelope. SPF can pass for that envelope domain and still fail DMARC alignment, because the envelope domain is not the same as the From domain (RFC 7489 section 3.1.2). The fix is either a return-path on your own domain or a valid aligned DKIM signature.

What do adkim and aspf mean?

They are the two DMARC-record tags that set alignment mode. adkim sets DKIM alignment mode and aspf sets SPF alignment mode. Each takes r for relaxed or s for strict, and both default to r (relaxed) when the tag is absent (RFC 7489 section 6.3). For example, adkim=s;aspf=s in your DMARC record requires exact-match alignment on both mechanisms.

How is the Organizational Domain determined?

DMARC uses a Public Suffix List to find the Organizational Domain: it takes the registered domain, which is the public suffix (such as com or co.uk) plus the one label above it (RFC 7489 section 3.2). So a.b.example.com and mail.example.com both reduce to the Organizational Domain example.com. Relaxed alignment compares these Organizational Domains, which is why subdomains align under relaxed but not under strict.

Other SPF, DKIM & DMARC reference pages

References

Browse all guides →