DMARC alignment means the domain in SPF or DKIM must match the From header domain. SPF alignment checks the Return-Path domain against the From domain. DKIM alignment checks the d= domain in the DKIM signature against the From domain. At least one must align for DMARC to pass. Relaxed alignment allows subdomain matches; strict requires exact domain matches.
DMARC Alignment: SPF Alignment vs DKIM Alignment
How DMARC Alignment Works
DMARC doesn't just check whether SPF or DKIM pass. It checks whether they pass and align with the domain in your From header. This is what makes DMARC effective — without alignment, a spoofer could pass SPF with their own domain while faking your From address.
The logic:
- Does SPF pass and does the Return-Path domain align with the From domain? OR
- Does DKIM pass and does the d= domain align with the From domain?
If either is true, DMARC passes. Both failing means DMARC fails.
SPF Alignment
SPF alignment compares the Return-Path (envelope sender) domain with the From header domain.
| Return-Path | From | Relaxed | Strict |
|---|---|---|---|
| [email protected] | [email protected] | Pass | Pass |
| [email protected] | [email protected] | Pass | Fail |
| [email protected] | [email protected] | Fail | Fail |
The third row is why many ESP setups fail SPF alignment — the ESP uses their own domain as the Return-Path. This is normal, and it's why DKIM alignment matters.
DKIM Alignment
DKIM alignment compares the d= tag in the DKIM-Signature header with the From header domain.
| DKIM d= | From | Relaxed | Strict |
|---|---|---|---|
| d=example.com | [email protected] | Pass | Pass |
| d=mail.example.com | [email protected] | Pass | Fail |
| d=sendgrid.net | [email protected] | Fail | Fail |
Practitioner note: This is why I push every client to set up custom DKIM with their ESP. Without it, the ESP signs with their own domain (d=sendgrid.net, d=mailchimp.com) and DKIM alignment fails. Custom DKIM makes d= match your From domain.
Setting Alignment Mode
Your DMARC record controls alignment with the aspf and adkim tags:
v=DMARC1; p=quarantine; aspf=r; adkim=r; rua=mailto:[email protected]
| Tag and value | Meaning | Effect |
|---|---|---|
| aspf=r | Relaxed SPF alignment | Subdomains OK (default) |
| aspf=s | Strict SPF alignment | Exact match required |
| adkim=r | Relaxed DKIM alignment | Subdomains OK (default) |
| adkim=s | Strict DKIM alignment | Exact match required |
If you omit these tags, both default to relaxed. This is correct for most setups.
When to Use Strict Alignment
Strict alignment makes sense when:
- You need to prevent subdomain spoofing
- All your sending services use your exact root domain
- Compliance requirements demand it
Strict alignment breaks DMARC for:
- ESPs that use subdomains for sending (e.g., bounce.yourdomain.com)
- Services that DKIM-sign with a subdomain
- Any sender not exactly matching your From domain
Practitioner note: I've only recommended strict alignment for clients in finance and healthcare where subdomain spoofing is a real regulatory concern. For everyone else, relaxed alignment is safer and works with standard ESP configurations.
Fixing Alignment Failures
If your DMARC reports show alignment failures:
- Identify the sender from the report
- Check the Return-Path for SPF alignment issues
- Check the d= domain for DKIM alignment issues
- Configure custom authentication — set up custom DKIM or custom Return-Path in the ESP
- Verify with a test email — check headers for alignment
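The header check in the last step, combined with the aspf and adkim modes described under Setting Alignment Mode, as added Python code that is not part of the original article: it reads the Authentication-Results value a receiver stamps on a test email and applies the either/or rule. The sample header, the esp.example and mx.receiver.example names, and the small public-suffix set are constructed assumptions; a real check needs the full Public Suffix List.

```python
import re

# Assumption: a small constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational Domain: longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to two labels

def aligned(auth_domain, from_domain, mode):
    """'s' needs an exact match; 'r' needs the same Organizational Domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_dmarc(record):
    """Return the record's tags; aspf and adkim default to relaxed."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate(auth_results, from_domain, record):
    """Apply DMARC's either/or rule to one Authentication-Results value."""
    tags = parse_dmarc(record)
    spf_ok = dkim_ok = False
    for clause in auth_results.split(";")[1:]:  # field 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m or m.group(2) != "pass":
            continue  # a failed or missing result can never align
        if m.group(1) == "spf":
            d = re.search(r"smtp\.mailfrom=(\S+)", clause)
            dom = d.group(1).rpartition("@")[2] if d else ""
            spf_ok |= bool(dom) and aligned(dom, from_domain, tags["aspf"])
        else:
            d = re.search(r"header\.d=(\S+)", clause)
            dkim_ok |= bool(d) and aligned(d.group(1), from_domain, tags["adkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample: ESP Return-Path, one custom DKIM signature on a subdomain.
SAMPLE = ("mx.receiver.example; spf=pass smtp.mailfrom=bounces@esp.example; "
          "dkim=pass header.d=mail.example.com; dkim=pass header.d=esp.example")

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=quarantine", "v=DMARC1; p=quarantine; aspf=s; adkim=s"):
        print(rec, "->", evaluate(SAMPLE, "example.com", rec))
```

With the relaxed default the sample passes on the subdomain DKIM signature alone; the same message fails once the record sets aspf=s and adkim=s.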
If you're seeing alignment failures across multiple senders and need help untangling which service needs what, book a consultation and I'll map every sending path.
v1.0 · April 2026
Frequently Asked Questions
What is DMARC alignment?
Alignment means the authenticated domain (from SPF or DKIM) matches the visible From address domain. DMARC requires at least one — SPF or DKIM — to align for the message to pass.
What's the difference between relaxed and strict alignment?
Relaxed alignment allows subdomains to match the parent domain (mail.example.com aligns with example.com). Strict requires exact domain match (only example.com aligns with example.com).
Which alignment mode should I use?
Use relaxed (the default) unless you have a specific reason for strict. Most ESPs send from subdomains, and strict alignment would break DMARC for those messages.
Can DMARC pass with only DKIM alignment?
Yes. DMARC passes if either SPF or DKIM aligns. You don't need both. DKIM-only alignment is common and perfectly valid.
Why is my DMARC failing even though SPF passes?
SPF passing isn't enough — it must also align. If SPF authenticates the Return-Path domain but that domain doesn't match your From address, SPF alignment fails.