DMARC Alignment Explained: Relaxed vs. Strict, adkim and aspf
Learn what DMARC alignment means, how relaxed and strict modes work for DKIM (adkim) and SPF (aspf), and when to use each setting for your domain.
Last updated: 2026-01-28
If you have looked at a DMARC record and wondered what the adkim and aspf tags actually do, you are in the right place. These tags control something called alignment, and alignment is the reason DMARC is more effective than SPF or DKIM alone. Understanding it helps you avoid authentication failures and choose the right settings for your domain.
This guide explains what DMARC alignment means, how relaxed and strict modes differ, and when you should use each one.
What Is DMARC Alignment?
Alignment is the mechanism DMARC uses to connect the domain a recipient sees in the "From" header with the domains used in SPF and DKIM checks. Without alignment, an attacker could pass SPF using their own domain's servers while spoofing your domain in the "From" address. DMARC closes that gap. For a broader view of how SPF, DKIM, and DMARC each contribute to authentication, see our SPF vs DKIM vs DMARC comparison.
When a mail server receives a message, it checks two things. First, does the message pass SPF or DKIM? Second, does the domain used in the passing check match the domain in the "From" header? That second check is alignment.
For DMARC to pass, the message needs at least one of the following: SPF passes and the SPF domain aligns with the "From" domain, or DKIM passes and the DKIM signing domain aligns with the "From" domain. If neither mechanism both passes and aligns, DMARC fails.
DMARC alignment is what makes the protocol effective against spoofing. SPF and DKIM alone can pass without the domains matching the visible "From" address. Alignment ensures the authentication is actually relevant to the domain the recipient sees.
The Two Alignment Modes
DMARC offers two alignment modes: relaxed and strict. These modes determine how closely the authenticated domain must match the "From" domain.
Relaxed Alignment (the Default)
Relaxed alignment requires that the organizational domain matches. The organizational domain is the registered domain -- the part you bought from a registrar. Subdomains are allowed to differ.
With relaxed alignment, if your "From" address is newsletter@example.com, then SPF or DKIM authentication from mail.example.com, bounce.example.com, or just example.com would all align. The organizational domain example.com is the same in every case.
Here is a practical example:
From: sales@example.com
DKIM signing domain: mail.example.com
SPF domain: bounce.example.com
Under relaxed alignment, both DKIM and SPF align because all three share the organizational domain example.com. This is the default behavior and works well for most businesses.
Strict Alignment
Strict alignment requires an exact domain match. The domain in the SPF or DKIM check must be identical to the domain in the "From" header. Subdomains do not count.
Using the same example:
From: sales@example.com
DKIM signing domain: mail.example.com
SPF domain: bounce.example.com
Under strict alignment, neither DKIM nor SPF aligns. The DKIM domain mail.example.com does not exactly match example.com, and the SPF domain bounce.example.com does not either. DMARC would fail even though both SPF and DKIM technically passed their own checks.
For strict alignment to work here, the DKIM signing domain would need to be exactly example.com, and the SPF return-path domain would also need to be exactly example.com.
The adkim and aspf Tags
You control alignment mode using two tags in your DMARC record: adkim for DKIM alignment and aspf for SPF alignment. Each tag accepts one of two values:
- r -- Relaxed alignment (the default if the tag is omitted)
- s -- Strict alignment
Here is a DMARC record using both tags:
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=s;
This record uses relaxed alignment for DKIM but strict alignment for SPF. You can mix and match based on your needs. If you leave both tags out entirely, the default is relaxed for both.
When to Use Relaxed Alignment
Relaxed alignment is the right choice for most organizations. Here is why:
Third-party email services use subdomains. When you send through a service like Mailchimp, SendGrid, or HubSpot, those services often sign DKIM using a subdomain like em1234.example.com or use a return-path like bounce.example.com. These pass relaxed alignment because they share your organizational domain. Strict alignment would fail them.
Google Workspace and Microsoft 365 default to relaxed. If you use either of these platforms, DKIM signing may use a selector subdomain. Relaxed alignment handles this without any extra configuration.
It covers most legitimate sending scenarios. Unless you have a specific security requirement, relaxed alignment gives you strong protection without the risk of breaking legitimate mail.
When to Use Strict Alignment
Strict alignment is less common but has valid use cases:
You want maximum spoofing protection. Strict alignment prevents an attacker from sending email through a subdomain they control (like attacker.example.com if they compromised a subdomain) and passing DMARC. This is an edge case, but it matters for high-security environments.
Compliance or regulatory requirements. Some industries or certifications require strict alignment. Financial institutions and government agencies may mandate it as part of their email security policies.
You control all your sending infrastructure. If every email source signs DKIM with your exact domain and uses your exact domain in the return-path, strict alignment adds an extra layer of precision. This is most common among developer teams running self-hosted email or organizations with fully managed infrastructure.
Before switching to strict alignment, audit every service that sends email on your behalf. Check that their DKIM signing domain and SPF return-path domain exactly match your "From" domain. If any service uses a subdomain, strict alignment will cause DMARC failures for those messages.
What Happens When Alignment Fails
When alignment fails, DMARC fails -- even if SPF or DKIM passed on their own. What happens to the message depends on your DMARC policy:
- p=none -- The message is delivered normally, but you receive a report showing the failure.
- p=quarantine -- The message is sent to the recipient's spam folder.
- p=reject -- The message is blocked entirely.
Alignment failures are one of the most common causes of unexpected DMARC failures. A typical scenario looks like this: you set up SPF and DKIM for a third-party sender, both checks pass, but the sending service uses a different subdomain for the return-path or DKIM signature. SPF passes but does not align. DKIM passes but does not align. DMARC fails.
The fix is usually to configure the third-party service to use your exact domain for signing or to make sure you are using relaxed alignment (which is the default). Developers integrating third-party senders should verify alignment in staging before going live.
Practical Examples
Here are several real-world scenarios showing how alignment works.
Scenario 1: Google Workspace with relaxed alignment. You send from you@example.com. Google signs DKIM with example.com using your configured selector. SPF passes from Google's servers for example.com. Both align under relaxed mode. DMARC passes.
Scenario 2: Marketing tool with relaxed alignment. You send a newsletter from news@example.com. The marketing tool signs DKIM with em5678.example.com and uses a return-path of bounce.example.com. Under relaxed alignment, both the DKIM domain and SPF domain share the organizational domain example.com. DMARC passes.
Scenario 3: Marketing tool with strict alignment. Same setup as above, but your DMARC record has adkim=s; aspf=s;. Now the DKIM domain em5678.example.com does not exactly match example.com, and the return-path domain bounce.example.com does not either. DMARC fails, and depending on your policy, the newsletter goes to spam or gets rejected.
Scenario 4: Forwarded email. Someone receives your email and forwards it. The forwarding server changes the envelope sender, breaking SPF. If the original DKIM signature survives forwarding (which it usually does), DKIM still passes. Under relaxed alignment, DMARC passes because of the surviving DKIM signature and domain alignment.
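The alignment decision behind the scenarios above, as an added example that is not part of the original article: it reads adkim and aspf from a DMARC record (defaulting to relaxed) and applies the pass-and-align rule. The function names are illustrative, and PUBLIC_SUFFIXES is a small constructed stand-in for the Public Suffix List that receivers use to find the organizational domain.

```python
# Added example: DMARC identifier alignment as described on this page.
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def parse_dmarc(record):
    """Split a DMARC TXT record into tags; adkim/aspf default to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Return the public suffix plus one label (the organizational domain)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback for suffixes not in the sample set


def aligned(from_domain, auth_domain, mode):
    """mode 's' needs an exact match; 'r' compares organizational domains."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode.lower() == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_passes(record, from_domain, spf=None, dkim=None):
    """spf / dkim are (passed, domain) tuples, or None when not present.

    DMARC passes if either mechanism both passes and aligns.
    """
    tags = parse_dmarc(record)
    spf_ok = bool(spf and spf[0] and aligned(from_domain, spf[1], tags["aspf"]))
    dkim_ok = bool(dkim and dkim[0] and aligned(from_domain, dkim[1], tags["adkim"]))
    return spf_ok or dkim_ok


if __name__ == "__main__":
    strict = "v=DMARC1; p=reject; adkim=s; aspf=s;"
    sender = dict(spf=(True, "bounce.example.com"), dkim=(True, "em5678.example.com"))
    print(dmarc_passes("v=DMARC1; p=reject", "example.com", **sender))  # Scenario 2
    print(dmarc_passes(strict, "example.com", **sender))                # Scenario 3
```

Comparing only the last two labels instead of consulting the suffix list would treat two unrelated registrants under co.uk as aligned, which is why org_domain checks the suffix set first.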
Recommended Settings
For most businesses, the recommended approach is straightforward:
- Leave adkim and aspf at relaxed (either set them to r or omit them entirely).
- Focus your energy on getting SPF, DKIM, and your DMARC policy right.
- Only consider strict alignment if you have a specific security or compliance reason.
You can check your current alignment settings by looking up your domain at dmarcrecordchecker.com. If you need to create or update your DMARC record with specific alignment tags, our generator above makes it easy.
Monitor Your DMARC Record
You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.