How Alignment Modes Work
Relaxed Alignment
Compares organizational domains (the registrable part of each domain):
- From: [email protected]
- DKIM d=example.com
- Organizational domains: both are example.com
- Result: Aligned
Strict Alignment
Compares exact domains:
- From: [email protected]
- DKIM d=example.com
- Exact domains: mail.example.com ≠ example.com
- Result: NOT Aligned
DMARC Record Settings
Specify alignment mode in your DMARC record:
For SPF Alignment
- aspf=r - Relaxed (default)
- aspf=s - Strict
For DKIM Alignment
- adkim=r - Relaxed (default)
- adkim=s - Strict
Example DMARC Records
Relaxed (default):
v=DMARC1; p=quarantine; rua=mailto:[email protected]
Strict:
v=DMARC1; p=quarantine; aspf=s; adkim=s; rua=mailto:[email protected]
Default Is Relaxed
If you do not specify aspf or adkim in your DMARC record, both default to relaxed. You only need to add these tags if you want strict alignment.
When to Use Relaxed
Recommended For Most Organizations
- You send from multiple subdomains (mail., news., support.)
- Third-party services sign with your parent domain
- You want flexibility in email infrastructure
- You are implementing DMARC for the first time
Relaxed Still Provides Protection
An attacker operating from an unrelated domain cannot spoof your domain because:
- Passing SPF or DKIM for your domain, or for any of its subdomains, requires DNS records or signing keys that only you control
- Only the senders you authorize appear in your SPF records or hold your DKIM keys
- An unrelated organizational domain (attacker.com) never aligns with example.com, in either mode
When to Use Strict
Consider Strict When
- You have precise control over all sending infrastructure
- All email sends from exactly one domain (no subdomains)
- Maximum security is required (financial, healthcare)
- You want to prevent subdomain spoofing
Subdomain Protection
Strict closes one gap that relaxed leaves open. Relaxed treats every subdomain as equivalent to the parent, so any party that can pass SPF or DKIM for one of your subdomains (for example, a third-party service you have delegated news.example.com to, or a compromised host that legitimately sends from a subdomain) can place your bare parent domain in the From header and still align:
- From domain: example.com, DKIM d=news.example.com
- With relaxed: the organizational domains match, so the message aligns and passes DMARC
- With strict: news.example.com ≠ example.com, so it does not align
An outsider cannot simply invent fake.example.com: publishing SPF or DKIM records for a subdomain requires control of your DNS or possession of keys you have issued. The realistic exposure is therefore delegated subdomains and third-party senders, not external attackers.
Migration Path
Starting With Relaxed
- Implement DMARC with p=none, relaxed alignment (default)
- Monitor reports for legitimate sources
- Move to p=quarantine, then p=reject
- Only consider strict after full deployment
Moving to Strict (Optional)
After stable enforcement with relaxed:
- Audit all sending sources for exact domain usage
- Ensure every DKIM signature uses d= equal to the exact From domain, not a parent or subdomain
- Ensure the SPF-authenticated domain (the Return-Path, i.e. RFC5321.MailFrom, domain) exactly matches the From domain
- Test thoroughly before switching, using aggregate reports to confirm no legitimate source would lose alignment
- Add aspf=s and adkim=s to the DMARC record
Practical Considerations
Third-Party Services
Many email services sign DKIM with your parent domain even when sending from subdomains. This works with relaxed but fails strict. Check with your provider before choosing strict.
Separate SPF and DKIM Settings
You can mix modes:
- aspf=r; adkim=s - Relaxed SPF, Strict DKIM
- aspf=s; adkim=r - Strict SPF, Relaxed DKIM
This allows flexibility where needed while tightening where possible.
