DMARC alignment

DMARC alignment is the rule that SPF or DKIM has to validate against a domain that matches the From: header. Without alignment, spoofers slip through.

DMARC alignment is the trick that makes DMARC actually do its job. SPF and DKIM alone don't stop spoofing: an attacker can use their own DKIM-signed, SPF-passing domain and put your domain in the visible From: header. DMARC fixes this by requiring that SPF or DKIM pass and that the passing domain matches the visible From: domain.

There are two kinds of alignment:

SPF alignment

SPF checks the MAIL FROM: (envelope sender) domain. SPF alignment requires that the envelope-sender domain matches the From: header domain (the one the user sees).

  • Strict (aspf=s): exact match. mail.example.com does not align with example.com.
  • Relaxed (aspf=r): matches at the organizational domain. mail.example.com aligns with example.com. This is the default.

DKIM alignment

DKIM signs with a domain in the d= tag of the signature. DKIM alignment requires that domain match the From: header domain.

  • Strict (adkim=s): exact match.
  • Relaxed (adkim=r): organizational-domain match. This is the default.

"Pass" without alignment doesn't count

SPF can pass, DKIM can pass, and DMARC can still fail if neither aligns. This is the entire mechanism that prevents spoofing.

Example attacker scenario:

  • From: support@bigbrand.com
  • MAIL FROM: is bouncer@attacker.com
  • SPF passes for attacker.com (because the attacker set up their own SPF).
  • DKIM passes for attacker.com (the attacker signed with their own key).
  • DMARC alignment fails: neither passing domain matches bigbrand.com.
  • DMARC result: fail. Bigbrand's p=reject policy makes the receiver drop the mail.

This is exactly why DMARC works.

The common alignment bug

You set up DKIM through a SaaS sender (say Mailchimp). DKIM signs with d=mc.example.com (a subdomain you delegated to Mailchimp). Your From: header is marketing@example.com. With adkim=r (the default), mc.example.com aligns with example.com. Great.

Now you set adkim=s because someone said "strict is more secure." Now mc.example.com does not align with example.com and your Mailchimp mail fails DMARC. You lose deliverability immediately.

Default to relaxed alignment unless you have a specific reason for strict.
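The attacker scenario and the strict-vs-relaxed SaaS case above, worked through in a small alignment checker. This is an added example, not code from the original page; it assumes the organizational domain is simply the last two labels (real receivers consult the Public Suffix List), and the bounce domain bounce.mailsvc.net is a constructed stand-in for a SaaS sender's envelope domain.

```python
# Added example: minimal DMARC alignment evaluation (not from the original page).
# Assumption: organizational domain = last two labels. Real DMARC implementations
# use the Public Suffix List, so e.g. example.co.uk would be handled differently.

def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two DNS labels (assumption, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): organizational-domain match."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    if mode == "r":
        return org_domain(a) == org_domain(f)
    raise ValueError(f"unknown alignment mode {mode!r}")

def dmarc_result(from_domain, mail_from_domain, spf_pass, dkim_d, dkim_pass,
                 aspf="r", adkim="r") -> dict:
    """Per-mechanism alignment plus the overall verdict.
    DMARC passes only if at least one mechanism both passes AND aligns."""
    spf_aligned = spf_pass and aligned(mail_from_domain, from_domain, aspf)
    dkim_aligned = (dkim_pass and dkim_d is not None
                    and aligned(dkim_d, from_domain, adkim))
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }

if __name__ == "__main__":
    # Attacker scenario: SPF and DKIM both pass for attacker.com, but the
    # visible From: is bigbrand.com, so neither mechanism aligns -> fail.
    print(dmarc_result("bigbrand.com", "attacker.com", True, "attacker.com", True))
    # SaaS sender: DKIM d=mc.example.com, From: example.com (envelope domain constructed).
    print(dmarc_result("example.com", "bounce.mailsvc.net", True, "mc.example.com", True, adkim="r"))
    print(dmarc_result("example.com", "bounce.mailsvc.net", True, "mc.example.com", True, adkim="s"))
```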
