What Is SPF, DKIM, and DMARC Alignment?
Understanding domain alignment in email authentication
Table of Contents
What Is SPF, DKIM, and DMARC Alignment?
SPF, DKIM, and DMARC alignment refers to the relationship between authentication domains (SPF/DKIM) and the From domain in email addresses. For DMARC to pass, either SPF or DKIM must pass AND align with the From domain.
SPF alignment checks if the SPF-authenticated domain matches the From domain. DKIM alignment checks if the DKIM signature domain matches the From domain. Alignment can be strict (domains must match exactly) or relaxed (subdomains are acceptable).
Proper alignment ensures that authentication domains match the sender's domain, providing stronger email security and authentication. Verify alignment using our email authentication checker.
SPF Alignment
What Is SPF Alignment?
SPF alignment checks whether the domain used in SPF authentication matches the From domain in the email address.
How SPF Alignment Works
- SPF checks the Return-Path (envelope sender) domain
- Alignment compares Return-Path domain with From domain
- For alignment to pass, domains must match (strict) or be related (relaxed)
Alignment Examples
- Strict: From: user@example.com, Return-Path: user@example.com ✓
- Relaxed: From: user@example.com, Return-Path: user@mail.example.com ✓
- No Alignment: From: user@example.com, Return-Path: user@other.com ✗
Verifying SPF Alignment
Check SPF records and use our authentication checker to verify SPF alignment.
DKIM Alignment
What Is DKIM Alignment?
DKIM alignment checks whether the domain in the DKIM signature matches the From domain in the email address.
How DKIM Alignment Works
- DKIM signatures include a signing domain (d=)
- Alignment compares signing domain with From domain
- For alignment to pass, domains must match (strict) or be related (relaxed)
Alignment Examples
- Strict: From: user@example.com, DKIM d=example.com ✓
- Relaxed: From: user@example.com, DKIM d=mail.example.com ✓
- No Alignment: From: user@example.com, DKIM d=other.com ✗
Verifying DKIM Alignment
Check DKIM records and use our authentication checker to verify DKIM alignment.
Alignment Modes
DMARC supports two alignment modes:
Strict Alignment
Domains must match exactly. For example, From: user@example.com requires authentication from example.com (not mail.example.com).
- More secure
- Stricter requirements
- Better for preventing spoofing
Relaxed Alignment
Domains can be subdomains of each other. For example, From: user@example.com can be authenticated by mail.example.com.
- More flexible
- Easier to achieve
- Common default setting
Configuration
Alignment mode is configured in DMARC records using aspf=r (relaxed) or aspf=s (strict) for SPF, and adkim=r (relaxed) or adkim=s (strict) for DKIM.
DMARC Alignment Requirements
For DMARC to pass, specific alignment requirements must be met:
Pass Requirements
For DMARC to pass, at least one of these must be true:
- SPF passes AND SPF aligns with From domain
- DKIM passes AND DKIM aligns with From domain
Both SPF and DKIM
While only one needs to pass and align, having both SPF and DKIM pass and align provides stronger authentication and better deliverability.
Alignment Failure
If authentication passes but alignment fails, DMARC will fail. This prevents authentication from unrelated domains.
Verifying Alignment
Use our comprehensive authentication checker to verify SPF, DKIM, and DMARC alignment.
Best Practices
- Ensure SPF and DKIM domains align with From domain
- Use relaxed alignment for flexibility
- Verify alignment before moving to strict DMARC policies
- Monitor alignment in DMARC reports
