DMARC Organizational vs Relaxed Alignment Explained

How Alignment Works

DMARC doesn't just check if SPF or DKIM pass — it checks whether the authenticated domain matches the From header domain. This matching is called alignment.

Two alignment modes exist for each mechanism:

Mode	Tag	SPF Behavior	DKIM Behavior
Relaxed (default)	aspf=r / adkim=r	Return-Path domain shares organizational domain with From	DKIM d= domain shares organizational domain with From
Strict	aspf=s / adkim=s	Return-Path domain exactly matches From domain	DKIM d= domain exactly matches From domain

Relaxed Alignment in Practice

With relaxed alignment, these all align with a From address of [email protected]:

• SPF: Return-Path of [email protected] — passes (same organizational domain)
• DKIM: d=em.example.com — passes (same organizational domain)
• DKIM: d=example.com — passes (exact match)

This is why relaxed is the default. ESPs like SendGrid, Mailgun, and Postmark typically use a subdomain for DKIM signing and bounce handling.

Strict Alignment in Practice

With strict alignment, only exact matches work:

• SPF: Return-Path must be exactly [email protected] (not a subdomain)
• DKIM: d= must be exactly example.com (not em.example.com)

Strict alignment blocks subdomain-based spoofing but breaks most ESP configurations out of the box.

Practitioner note: I've only recommended strict alignment twice in hundreds of engagements — both were financial institutions with in-house mail servers. For everyone using ESPs, relaxed alignment is the right call.

When Strict Alignment Makes Sense

Strict alignment is appropriate when:

• You control all sending infrastructure (no third-party ESPs)
• You need to prevent subdomain spoofing specifically
• You're in a regulated industry with explicit requirements
• All your DKIM signing uses the exact organizational domain

Configuring Alignment

Your DMARC record controls alignment with two tags:

v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:[email protected]

You can mix modes. A common configuration for tighter security without breaking ESP compatibility:

v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:[email protected]

This uses relaxed DKIM alignment (allows ESP subdomains) but strict SPF alignment.

Practitioner note: If you're investigating DMARC failures and everything looks correct, check your alignment mode. I've seen people set adkim=s without realizing their ESP signs with a subdomain. One tag change fixed months of failures.

The Organizational Domain

The "organizational domain" is the registrable domain — the part you bought from a registrar. For mail.marketing.example.com, the organizational domain is example.com. Relaxed alignment compares at this level.

This means newsletter.example.com and billing.example.com both align with example.com under relaxed mode. If that's a concern for your security posture, strict alignment prevents it.

If you're unsure which alignment mode is right for your sending setup, get an audit — misconfigured alignment is one of the most common causes of unexpected DMARC failures.

Sources

• RFC 7489 Section 3.1: Identifier Alignment
• RFC 7489 Section 6.3: Policy Discovery
• Google: DMARC Alignment
• dmarcian: DMARC Alignment

---

v1.0 · April 2026