SPF alignment checks whether the domain in the Return-Path matches the domain in the From header. Relaxed alignment (aspf=r) requires only the organizational domain to match—mail.example.com aligns with example.com. Strict alignment (aspf=s) requires an exact domain match. Most setups use relaxed alignment because it accommodates subdomains and third-party senders.
SPF Alignment in DMARC: Relaxed vs Strict Explained
How SPF Alignment Works
DMARC doesn't just check if SPF passes—it checks if SPF aligns with your From header domain.
The alignment check:
- Which domain passed SPF? (the Return-Path domain)
- Does that domain match the From header domain?
If they match (under relaxed or strict rules), SPF alignment passes. If not, it fails—even if SPF itself passed.
Return-Path vs From Domain
When you send email, two domains matter for SPF alignment:
From header (visible to recipient):
From: [email protected]
Return-Path (hidden, used for bounces):
Return-Path: [email protected]
SPF validates the Return-Path domain. DMARC alignment checks if that domain matches your From domain.
In this example:
- SPF passes (sendgrid.net is authorized to send)
- SPF alignment fails (sendgrid.net ≠ example.com)
Relaxed vs Strict Alignment
Relaxed Alignment (aspf=r)
Domains must share the same organizational domain. Subdomains count as matching.
| Return-Path | From | Aligned? |
|---|---|---|
| bounce.example.com | example.com | Yes |
| example.com | mail.example.com | Yes |
| sendgrid.net | example.com | No |
Relaxed alignment is the default if you don't specify aspf= in your DMARC record.
Strict Alignment (aspf=s)
Domains must match exactly.
| Return-Path | From | Aligned? |
|---|---|---|
| bounce.example.com | example.com | No |
| example.com | example.com | Yes |
| mail.example.com | mail.example.com | Yes |
To enable strict alignment:
v=DMARC1; p=reject; aspf=s; rua=mailto:[email protected]
Practitioner note: I've never recommended strict SPF alignment to a client. Relaxed handles legitimate use cases (subdomains, ESP bounce handling) without sacrificing security. Strict causes problems with no real benefit.
Why SPF Alignment Fails
Cause 1: ESP Uses Their Own Return-Path
Most ESPs use their domain for bounce handling by default:
From: [email protected]
Return-Path: [email protected]
SPF passes for esp.example.net, but doesn't align with yourdomain.com.
Fix: Configure a custom Return-Path domain (also called custom bounce domain or custom envelope domain). Most ESPs support this:
- SendGrid: Sender Authentication → Link Branding
- Mailgun: Domain settings → Bounce tracking domain
- Postmark: Sender Signatures → Return-Path
- Mailchimp: Email Domain Authentication
Cause 2: Subdomain Mismatch with Strict Alignment
If you're using strict alignment (aspf=s):
From: [email protected]
Return-Path: [email protected]
This fails strict alignment even though both are under example.com.
Fix: Switch to relaxed alignment (aspf=r) or ensure exact domain match.
Cause 3: Third-Party Sender
Services like Calendly, Typeform, or your CRM might send as your domain but use their own Return-Path:
From: [email protected]
Return-Path: [email protected]
Fix: Either:
- Configure custom Return-Path if the service supports it
- Rely on DKIM alignment instead (DMARC passes if either SPF or DKIM aligns)
Checking Your Alignment
Email Headers
Open an email and find the headers. Look for:
Authentication-Results: mx.google.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com;
spf=pass (google.com: domain of [email protected] designates 192.0.2.1 as permitted sender) smtp.mailfrom=mail.example.com
spf=passmeans SPF workedsmtp.mailfrom=mail.example.comshows the Return-Path domainheader.from=example.comshows the From domain
If smtp.mailfrom organizational domain matches header.from organizational domain → aligned (relaxed).
DMARC Reports
Your aggregate reports show alignment results:
<policy_evaluated>
<spf>pass</spf>
<dkim>pass</dkim>
</policy_evaluated>
<auth_results>
<spf>
<domain>mail.example.com</domain>
<result>pass</result>
</spf>
</auth_results>
If <spf>pass</spf> under policy_evaluated, SPF alignment passed. If fail, it didn't align despite the raw SPF passing.
Practitioner note: The most common confusion I see is "SPF passes but DMARC fails." Nine times out of ten, it's an alignment issue—the ESP's Return-Path doesn't match your From domain. Check the Return-Path first.
When DKIM Alignment Saves You
DMARC passes if either SPF or DKIM aligns. If your ESP can't support custom Return-Path but does support custom DKIM signing:
- SPF might pass but not align
- DKIM passes and aligns (signed with your domain)
- DMARC passes via DKIM alignment
This is why DKIM is often more reliable for third-party senders than SPF.
Configuring Alignment in DMARC
Set alignment mode in your DMARC record:
v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:[email protected]
aspf=r— Relaxed SPF alignment (default)aspf=s— Strict SPF alignmentadkim=r— Relaxed DKIM alignment (default)adkim=s— Strict DKIM alignment
For the complete SPF setup process, see the SPF setup guide. For understanding the Return-Path and how it affects alignment, see what is the Return-Path. For the DMARC side of alignment, see DMARC alignment explained. If you're struggling with alignment issues across multiple senders, schedule a consultation and I'll audit your authentication setup and configure proper Return-Path domains.
Sources
- RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- dmarcian: DMARC Alignment
- Google: About DMARC Alignment
- Microsoft: How email authentication works in Microsoft 365
v1.0 · March 2026
Frequently Asked Questions
What is SPF alignment in DMARC?
SPF alignment checks if the domain that passed SPF (Return-Path domain) matches the From header domain. If they don't match, DMARC fails the SPF alignment check even if SPF itself passed.
What's the difference between relaxed and strict SPF alignment?
Relaxed (aspf=r) allows subdomains—bounce.example.com aligns with example.com. Strict (aspf=s) requires exact match—bounce.example.com doesn't align with example.com. Relaxed is the default.
Why is my SPF passing but DMARC failing?
Your Return-Path domain doesn't align with your From domain. Common cause: ESP uses their own Return-Path domain. Fix by setting up a custom Return-Path domain that matches your From domain's organizational domain.
Should I use relaxed or strict SPF alignment?
Use relaxed (aspf=r) unless you have a specific security reason for strict. Relaxed accommodates legitimate subdomains and most ESP configurations. Strict can cause unnecessary failures.
How do I check SPF alignment?
Look at email headers. Compare the Return-Path domain to the From domain. Use dmarcian's header analyzer or check DMARC aggregate reports for alignment results.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.