DMARC alignment checks whether the authenticated domain matches the organizational domain in the From header. Relaxed alignment allows any subdomain under the same organizational domain to align — mail.example.com aligns with example.com. Strict alignment requires an exact match. The default is relaxed, which works for most configurations.
DMARC Organizational vs Relaxed Alignment
What Organizational Domain Means
The organizational domain is the registered domain — the part you bought from a registrar. For [email protected], the organizational domain is example.com.
DMARC uses the Public Suffix List to determine this. It knows that co.uk is a public suffix, so mail.example.co.uk has the organizational domain example.co.uk.
Relaxed Alignment (Default)
With relaxed alignment, any subdomain under the same organizational domain aligns:
| Authenticated Domain | From Domain | Aligns? |
|---|---|---|
| example.com | example.com | Yes |
| bounce.example.com | example.com | Yes |
| mail.example.com | example.com | Yes |
| example.com | mail.example.com | Yes |
| otherdomain.com | example.com | No |
This is the default for both aspf= and adkim= tags. If you don't specify them, relaxed is used.
Practitioner note: Relaxed alignment is the right choice for 95% of setups. Most ESPs use subdomains for sending — custom Return-Path addresses at
bounce.yourdomain.com, DKIM signing atmail.yourdomain.com. Strict alignment breaks these.
Strict Alignment
With strict alignment, only exact domain matches count:
| Authenticated Domain | From Domain | Aligns? |
|---|---|---|
| example.com | example.com | Yes |
| bounce.example.com | example.com | No |
| mail.example.com | example.com | No |
Set strict alignment in your DMARC record:
v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:[email protected]
When Strict Alignment Makes Sense
Strict alignment prevents subdomain spoofing. Without it, an attacker who controls any subdomain could send email that aligns with your organizational domain.
Use strict when:
- Regulatory compliance requires it (finance, healthcare)
- You need to prevent subdomain-based phishing
- All your sending services use your exact root domain
Practitioner note: I've only configured strict alignment for banks and healthcare organizations. The compliance requirement is real in those sectors. For everyone else, the operational headache isn't worth the marginal security improvement.
Setting Up Alignment
Control alignment with two DMARC tags:
| Tag | Controls | Values |
|---|---|---|
aspf | SPF alignment mode | r (relaxed, default) or s (strict) |
adkim | DKIM alignment mode | r (relaxed, default) or s (strict) |
You can mix them — strict DKIM and relaxed SPF, for example. This is useful if you want DKIM's domain to exactly match but you're okay with SPF subdomain flexibility.
For more detail on how alignment works in practice, see the full DMARC alignment guide.
If you need help determining the right alignment configuration for your domain, I can review your sending infrastructure and recommend the optimal setup.
Sources
- RFC 7489: Domain-based Message Authentication (DMARC), Section 3.1
- Public Suffix List: publicsuffix.org
- dmarcian: Understanding alignment
- M3AAWG: DMARC Training Series
v1.0 · April 2026
Frequently Asked Questions
What is organizational domain alignment in DMARC?
Organizational domain alignment means the authenticated domain (from SPF or DKIM) shares the same registered domain as the From address. Subdomains under the same parent count as aligned in relaxed mode.
What's the difference between relaxed and strict?
Relaxed allows subdomain matching (bounce.example.com aligns with example.com). Strict requires exact domain match (only example.com aligns with example.com).
Which should I use — relaxed or strict?
Use relaxed (the default) unless you need to prevent subdomain spoofing for compliance reasons. Strict breaks many legitimate ESP configurations.
How does DMARC determine the organizational domain?
DMARC uses the Public Suffix List to determine the organizational domain. For [email protected], the organizational domain is example.com.
Can I set different alignment modes for SPF and DKIM?
Yes. Use aspf=r/s for SPF alignment and adkim=r/s for DKIM alignment. You can mix modes — for example, strict DKIM and relaxed SPF.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.