Advanced AuthenticationFebruary 9, 20268 min read

What Is DMARC Alignment?

DMARC alignment means the domain authenticated by SPF or DKIM matches the domain in your email's From header. For DMARC to pass, at least one authentication method (SPF or DKIM) must both pass and align with the From domain. Without alignment, even passing SPF and DKIM results in DMARC failure.

Why Alignment Matters

DMARC exists to prevent domain spoofing. Alignment connects authentication to the domain recipients actually see.

Without Alignment

Attackers could:

With Alignment

Alignment prevents this by requiring the authenticated domain to match the From domain. Attackers cannot authenticate as your domain without your keys.

SPF Alignment

SPF alignment compares two domains:

For SPF alignment to pass, these domains must match (according to relaxed or strict rules).

Example

From: [email protected]
Return-Path: [email protected]

SPF passes for yourdomain.com. Alignment: Both are yourdomain.com = aligned.

DKIM Alignment

DKIM alignment compares:

For DKIM alignment to pass, these domains must match.

Example

From: [email protected]
DKIM-Signature: d=yourdomain.com

DKIM signature valid. Alignment: Both are yourdomain.com = aligned.

Only One Needs to Align

DMARC passes if either SPF or DKIM both passes and aligns. You do not need both to align—just one successful aligned authentication is sufficient.

Relaxed vs Strict Alignment

DMARC allows two alignment modes, specified in your DMARC record.

Relaxed Alignment (Default)

Organizational domain match is sufficient:

DMARC record: aspf=r (relaxed SPF), adkim=r (relaxed DKIM)

Strict Alignment

Exact domain match required:

DMARC record: aspf=s (strict SPF), adkim=s (strict DKIM)

Which to Use

Common Alignment Problems

Third-Party Sending Services

When using email service providers:

Subdomain Mismatches

With strict alignment:

Multiple Email Services

Each service needs proper alignment configuration:

Checking Alignment

Email Headers

Look for Authentication-Results header:

DMARC Reports

Aggregate reports show alignment status for each source. Failed alignment appears even when SPF/DKIM pass.

Frequently Asked Questions

Can SPF pass but DMARC fail?
Yes. If SPF passes but the Return-Path domain does not align with the From domain, and DKIM also does not align, DMARC fails despite SPF passing.
Should I use relaxed or strict alignment?
Relaxed is recommended for most organizations. It allows flexibility with subdomains while still providing protection. Strict is for maximum security when you control all sending infrastructure precisely.
How do I fix alignment with my email provider?
Configure custom DKIM with your domain (not the provider's domain) and set up custom Return-Path/envelope sender. Most ESPs provide documentation for this setup.
What if I cannot control Return-Path?
Focus on DKIM alignment instead. If DKIM passes and aligns, DMARC will pass even if SPF does not align. Most ESPs support custom DKIM even if Return-Path is fixed.

Master DMARC Authentication

SortedIQ helps senders achieve proper alignment across all email sources.

Talk to Our Team