
DMARC Alignment Explained: Relaxed vs Strict

DMARC alignment is what makes SPF and DKIM meaningful. Here’s how relaxed vs strict alignment works and when each is the right choice.

01

Introduction

DMARC alignment is the rule that says: "For a DMARC pass, the domain that authenticated must also match the visible From header." It's the requirement that closes the gap SPF and DKIM leave open.

This article covers how alignment works, the difference between relaxed and strict modes, and which to use.

02

Why this topic matters

Misunderstanding alignment is the most common cause of "DMARC isn't working" surprises. Senders pass SPF, pass DKIM, and still fail DMARC — because nothing aligns with the From domain.

03

How alignment works

Two checks happen during DMARC evaluation:

  • SPF alignment. Does the SPF envelope-from domain align with the From header?
  • DKIM alignment. Does the DKIM signing domain (d=) align with the From header?

Either one aligning (on top of its underlying SPF or DKIM pass) is enough for a DMARC pass. If neither aligns, DMARC fails.

04

Relaxed vs strict — what changes

Relaxed alignment (default for both adkim=r and aspf=r):

The authenticated domain only needs to share the organizational domain with the From domain: mail.brand.com aligns with brand.com, and so does app.brand.com.

Strict alignment (adkim=s / aspf=s):

The authenticated domain must match the From domain exactly. mail.brand.com does NOT align with brand.com in strict mode.
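To make the two modes concrete, here is an added example (not code from the original article) that reads adkim/aspf from a DMARC record, defaulting both to relaxed, and evaluates SPF and DKIM alignment against the From domain. It assumes the organizational domain is simply the last two labels of a name; real evaluators use the Public Suffix List, so names like brand.co.uk are not handled correctly here.

```python
"""Added example: evaluate DMARC alignment for SPF and DKIM results.

Assumption: the organizational domain is approximated as the last two
labels of a name (brand.com). Real DMARC evaluators use the Public Suffix
List, so a name such as brand.co.uk is NOT handled correctly here.
"""
import re


def organizational_domain(domain: str) -> str:
    """Return the organizational domain (simplified: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r'): share the organizational domain. Strict ('s'): exact match."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    if mode == "r":
        return organizational_domain(a) == organizational_domain(f)
    raise ValueError(f"unknown alignment mode: {mode!r}")


def alignment_modes(dmarc_record: str) -> dict:
    """Pull adkim/aspf from a DMARC TXT record; both default to relaxed (r)."""
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", dmarc_record))
    return {"adkim": tags.get("adkim", "r").strip(),
            "aspf": tags.get("aspf", "r").strip()}


def dmarc_result(dmarc_record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_d):
    """A DMARC pass needs at least one identifier that both authenticated and aligned."""
    modes = alignment_modes(dmarc_record)
    spf_aligned = spf_pass and is_aligned(spf_domain, from_domain, modes["aspf"])
    dkim_aligned = dkim_pass and is_aligned(dkim_d, from_domain, modes["adkim"])
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


if __name__ == "__main__":
    # Constructed sample: From brand.com, SPF via mail.brand.com, DKIM d=app.brand.com.
    relaxed = "v=DMARC1; p=reject; rua=mailto:dmarc@brand.com"  # no adkim/aspf -> r
    strict = "v=DMARC1; p=reject; adkim=s; aspf=s"
    for rec in (relaxed, strict):
        print(alignment_modes(rec),
              dmarc_result(rec, "brand.com", True, "mail.brand.com", True, "app.brand.com"))
```

Running it shows the same message passing under the relaxed record and failing under the strict one, which is exactly the "pass SPF, pass DKIM, still fail DMARC" surprise from section 02.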

05

When to use strict

Three scenarios:

  1. High-stakes financial domain. Strict reduces edge-case attack vectors.
  2. Single-purpose sending domain. When you control every sender and they all sign with the exact domain.
  3. Compliance requirement. Some frameworks reference strict alignment.

For most domains, relaxed is the right choice. Strict has more failure modes if misconfigured.

06

Step-by-step approach to configuring

  1. Default to relaxed. Don't set adkim or aspf unless you have a specific reason.
  2. If choosing strict, verify every legitimate sender signs with the exact domain.
  3. Test on a subdomain first before applying to the parent.
  4. Monitor aggregate reports for alignment failures.

07

Best practices

  • Stay relaxed unless you have a reason. Cleaner operations.
  • Use strict alignment as a hardening step, not a starting state.
  • Pair strict with explicit sp= setting. Subdomains have different alignment needs.
  • Document any strict choice. Future engineers need the rationale.
  • Watch for misalignment in third-party senders. Services such as Mailchimp need custom DKIM (signing with your domain) to align.

08

Check your domain's DMARC record. If adkim and aspf aren't explicitly set, you're at relaxed — which is fine for most cases. If they are set to s, verify the rationale.

09

FAQ

What's the default?

Relaxed (r) for both DKIM and SPF alignment.

Can I use strict on DKIM and relaxed on SPF?

Yes. Each is independently configurable.

Does strict alignment help against attackers?

Marginally. The main attack vectors are addressed by relaxed; strict is hardening.

What about subdomain alignment?

Relaxed alignment treats app.brand.com and brand.com as aligned. Strict treats them as different.

Will strict break legitimate mail?

It can, if your senders sign with a different exact domain. Test before deploying.

10

Final thoughts

DMARC alignment is the load-bearing piece of the standard. Relaxed mode covers most needs cleanly; strict mode is for specific hardening scenarios.

Default to relaxed, document any strict choice. The operational simplicity is worth it.
