
DMARC Relaxed vs Strict Alignment Explained (and Which to Use)

DMARC alignment decides whether the domain in your visible From address matches the domain SPF or DKIM authenticated. Relaxed mode allows subdomains of the same organizational domain to align, and it is the default. Strict mode demands an exact match. This guide shows the difference with a mail.brand.com example, gives the literal aspf and adkim syntax, and walks through moving to strict only after your reports are clean.

Jul 3, 2026 · 7 min read

DMARC alignment is the check that ties the domain your recipients see in the From field to the domain that actually passed SPF or DKIM. Relaxed alignment (the default) lets any subdomain of your organizational domain count as aligned, so mail sent from mail.brand.com still aligns with a From address at brand.com. Strict alignment requires the two domains to match exactly, character for character. Almost every domain should start on relaxed, and move to strict only after aggregate reports confirm nothing legitimate would break.


What alignment actually checks

SPF and DKIM on their own never look at the address your recipient reads. SPF authenticates the return-path domain (the MAIL FROM / envelope sender, which mail clients do not display; when MAIL FROM is empty, as it is on bounces, SPF falls back to the HELO/EHLO name), and DKIM authenticates whatever domain is in the signature's d= tag. Either of those can pass while the visible From: header shows a completely different domain. That gap is exactly what spoofers abuse.

DMARC closes the gap by adding one rule on top of SPF and DKIM: the authenticated domain must line up with the From: header domain. DMARC passes when at least one of the following is true:

  • SPF passes and the return-path domain aligns with the From domain, or
  • DKIM passes and the signing d= domain aligns with the From domain.

You only need one of the two to align. That is why a message forwarded unmodified can still pass DMARC on DKIM after SPF breaks at the forwarder; a mailing list that rewrites the subject or appends a footer invalidates the DKIM signature too, and that message then fails on both. Alignment mode is simply the definition of "line up" that DMARC uses, and you set it separately for SPF and DKIM.

Relaxed vs strict: the subdomain difference

The entire practical difference between the two modes is how they treat subdomains.

Relaxed alignment

Relaxed mode compares the organizational domain of both sides. The organizational domain is the registrable root: the public suffix plus one more label, as determined from the Public Suffix List, so brand.com for mail.brand.com and brand.co.uk for mail.brand.co.uk. Under relaxed alignment, any subdomain of that root aligns with the root and with any other subdomain of it.

So if your From address is news@brand.com and your email platform signs DKIM as d=mail.brand.com, relaxed DKIM alignment passes because both reduce to brand.com. Same story for SPF: a return-path of bounces.brand.com aligns with a brand.com From address.

Strict alignment

Strict mode requires an exact, full-domain match. mail.brand.com does not align with brand.com under strict, because the labels are not identical. Only brand.com aligns with brand.com.

Here is the practical case that trips people up. You send from:

  • From header: hello@brand.com
  • DKIM signature: d=mail.brand.com (very common with email service providers)

Under relaxed DKIM alignment this passes. Under strict (adkim=s) it fails, because mail.brand.com is not exactly brand.com. Nothing is misconfigured in a security sense, but strict mode rejects a subdomain signature that relaxed would have accepted. This is the single most common reason a domain that was passing DMARC suddenly starts failing after someone flips to strict.

The exact syntax: aspf and adkim tags

Alignment mode lives in two tags inside your DMARC record: aspf for SPF alignment and adkim for DKIM alignment. Each takes one of two values:

  • r = relaxed (the default if you omit the tag)
  • s = strict

A DMARC record using relaxed for both looks like this. Because r is the default, most published records omit the tags entirely:

v=DMARC1; p=reject; rua=mailto:dmarc@brand.com; aspf=r; adkim=r

To demand strict alignment on both mechanisms, set both tags to s:

v=DMARC1; p=reject; rua=mailto:dmarc@brand.com; aspf=s; adkim=s

You can also mix them. It is perfectly valid to keep SPF relaxed while tightening DKIM, or the reverse:

v=DMARC1; p=reject; rua=mailto:dmarc@brand.com; aspf=r; adkim=s

A few things worth knowing about the tags:

  • If you write nothing, you get relaxed. There is no way to accidentally land on strict. You have to type s.
  • The tags are independent of your policy (p=none, quarantine, or reject). Alignment mode and enforcement policy are separate decisions.
  • Alignment mode says nothing about whether SPF or DKIM themselves pass. A message with no valid DKIM signature at all fails DKIM alignment regardless of adkim, because there is nothing to align.
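To make the two checks concrete, here is a small evaluator written for this guide. It is an added example, not this site's scanner code and not taken from any DMARC library: it parses a record with the r defaults, derives the organizational domain, and applies relaxed or strict alignment to a message's SPF and DKIM identifiers. The public-suffix table inside it is a hand-written stand-in for the real Public Suffix List (an assumption for the example only; a production verifier must consult the full list), and the three sample messages are constructed to match the scenarios above.

```python
"""DMARC alignment evaluator (added example; not the article's or any library's code)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-in for the Public Suffix List, just enough for the examples.
# Assumption: a real verifier consults the full PSL (e.g. the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable root (RFC 7489 section 3.2): the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # Keep the label just above the suffix; a bare suffix is its own root.
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)  # unknown suffix: treat the whole name as the root


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' compares organizational domains."""
    f = header_from.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    if mode == "r":
        return organizational_domain(f) == organizational_domain(a)
    raise ValueError("alignment mode must be 'r' or 's', got %r" % mode)


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split 'tag=value; ...' into a dict and apply the defaults: aspf=r, adkim=r."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("aspf", "r")   # an omitted tag means relaxed
    tags.setdefault("adkim", "r")
    return tags


@dataclass
class Message:
    """The identifiers DMARC looks at, as a receiver would extract them."""
    header_from: str                 # domain of the visible From: header
    mail_from: str                   # return-path (MAIL FROM) domain that SPF evaluated
    spf_pass: bool                   # raw SPF result for mail_from
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of signatures that verified


def evaluate(msg: Message, record: Dict[str, str]) -> Dict[str, bool]:
    """DMARC passes if SPF passes and aligns, or if any passing DKIM signature aligns."""
    spf_aligned = msg.spf_pass and aligned(msg.header_from, msg.mail_from, record["aspf"])
    dkim_aligned = any(aligned(msg.header_from, d, record["adkim"]) for d in msg.dkim_pass_domains)
    return {"spf": spf_aligned, "dkim": dkim_aligned, "dmarc": spf_aligned or dkim_aligned}


RELAXED = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@brand.com")
STRICT = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@brand.com; aspf=s; adkim=s")

# Constructed sample messages for the scenarios in the text.
ESP_MAIL = Message("brand.com", "bounces.brand.com", True, ["mail.brand.com"])   # the trap case
FORWARDED = Message("brand.com", "brand.com", False, ["brand.com"])              # SPF broke, DKIM intact
SPOOFED = Message("brand.com", "attacker.example", True, ["attacker.example"])   # attacker's own domain

if __name__ == "__main__":
    for name, msg in (("ESP", ESP_MAIL), ("forwarded", FORWARDED), ("spoofed", SPOOFED)):
        print(name, "relaxed:", evaluate(msg, RELAXED), "strict:", evaluate(msg, STRICT))
```

Running it shows the three outcomes the text describes: the ESP message passes under the default record and fails under aspf=s; adkim=s, the unmodified forward passes under both modes on DKIM alone, and the spoofed message fails under both because attacker.example never reduces to brand.com.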

Which one should you use

Start relaxed. Ship p=none first with relaxed alignment, collect aggregate reports for two to four weeks, and only consider strict once you understand every source sending as your domain. For the large majority of domains, relaxed is the correct permanent setting, not just a training-wheels phase.

When relaxed is the right long-term choice

Relaxed is right whenever any legitimate mail is signed or bounced from a subdomain of your root. That covers most real deployments:

  • Marketing platforms that sign DKIM as d=mail.brand.com or a similar subdomain.
  • Transactional senders using a dedicated bounce subdomain for SPF.
  • Any setup where you delegated a subdomain to a provider but kept the From address on the root.

Under relaxed alignment all of these pass cleanly, and you still get the full anti-spoofing benefit, because an attacker sending from a domain they do not control cannot align under either mode.

When strict is worth it

Strict alignment is narrowly useful when you want to guarantee that only mail authenticated by the exact From domain can pass, and you have deliberately structured sending so that every stream signs and bounces from that exact domain. High-value cases include a locked-down brand domain used only for a specific flow, or a security posture that treats subdomain reuse as a risk. The risk is concrete under relaxed mode: any party that can obtain a valid DKIM signature or an SPF pass for any subdomain of your root (a vendor that holds a DKIM key you published under a delegated subdomain, a forgotten subdomain whose DNS an attacker has taken over, or a compromised host that sends on that subdomain) can put a root From address on its mail and pass DMARC. Strict prevents that subdomain identifier from aligning with your root From address. That is a real but uncommon threat, and it only helps if your legitimate mail already meets the exact-match bar.

A safe rollout from relaxed to strict

Do not flip aspf or adkim to s on a live domain and hope. Use the reports.

  1. Publish relaxed at p=none with a rua= address so you receive aggregate reports. Leave alignment on the default. See how to set up DMARC for the full record.
  2. Read two to four weeks of aggregate reports. For every passing source, note the DKIM d= domain and the SPF return-path domain. Our walkthrough on reading a DMARC aggregate report shows exactly where these appear.
  3. Check whether any legitimate source relies on a subdomain to align. If a real sender only aligns because both domains collapse to the same root, strict will break it. That source is your blocker.
  4. Fix or accept. Either reconfigure that provider to sign and bounce from the exact From domain, or decide relaxed is fine and stop here. Most teams stop here.
  5. Only then set adkim=s and/or aspf=s. Change one mechanism at a time, keep watching reports, and confirm your pass rate holds before tightening the other.
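Steps 2 and 3 are the part people skip, so here is an added example of doing them with code rather than by eye. It is written for this guide (it is not this site's report parser), reads a RUA aggregate report in the XML schema from RFC 7489 Appendix C, and lists every source that passes DMARC today but has no passing identifier that matches header_from exactly. Those rows only align because the receiver collapsed a subdomain to the organizational domain, so they are exactly the blockers that strict mode will break. It needs no organizational-domain logic of its own: the receiver's policy_evaluated element already records the relaxed verdict, and strict is an exact string comparison. The report below is constructed for the example; real reports arrive as zip or gzip attachments with many more record elements.

```python
"""Find aggregate-report rows that would stop passing under strict alignment.

Added example for this guide, not the site's report parser. Reads a RUA
aggregate report (RFC 7489 Appendix C schema) and flags rows that pass DMARC
now but have no passing identifier equal to header_from.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed report: three sources sending as brand.com with relaxed alignment published.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>brand.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>brand.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mail.brand.com</domain><selector>esp1</selector><result>pass</result></dkim>
      <spf><domain>bounces.brand.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>brand.com</domain><selector>corp</selector><result>pass</result></dkim>
      <spf><domain>brand.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>attacker.example</domain><result>pass</result></dkim>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def strict_blockers(report_xml: str) -> List[Dict]:
    """Rows that pass DMARC now but have no exactly matching passing identifier."""
    root = ET.fromstring(report_xml)
    blockers: List[Dict] = []
    for rec in root.iter("record"):
        header_from = (rec.findtext("identifiers/header_from") or "").strip().lower()
        # policy_evaluated is the receiver's verdict under the published (relaxed) mode.
        dkim_ok = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_ok = rec.findtext("row/policy_evaluated/spf") == "pass"
        if not (dkim_ok or spf_ok):
            continue  # already failing; strict mode changes nothing for this source
        dkim_domains = [d.findtext("domain", "").strip().lower()
                        for d in rec.findall("auth_results/dkim") if d.findtext("result") == "pass"]
        spf_domains = [s.findtext("domain", "").strip().lower()
                       for s in rec.findall("auth_results/spf") if s.findtext("result") == "pass"]
        dkim_exact = header_from in dkim_domains
        spf_exact = header_from in spf_domains
        if dkim_exact or spf_exact:
            continue  # still passes with aspf=s; adkim=s on at least one identifier
        blockers.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count") or 0),
            "header_from": header_from,
            "dkim_domains": dkim_domains,
            "spf_domains": spf_domains,
            # Tightening one tag at a time: the row survives adkim=s alone while SPF still
            # aligns under relaxed, and aspf=s alone while DKIM still aligns under relaxed.
            "fails_if_adkim_s": not spf_ok,
            "fails_if_aspf_s": not dkim_ok,
        })
    return blockers


if __name__ == "__main__":
    for row in strict_blockers(SAMPLE_REPORT):
        print(row)
```

On this report only the 192.0.2.10 source is a blocker, and its two flags are both false: flipping adkim=s alone keeps it passing on relaxed SPF, flipping aspf=s alone keeps it passing on relaxed DKIM, and only the pair breaks it. That is why step 5's "watch the pass rate" has to be read together with step 3: a clean pass rate after the first flip does not prove the second one is safe, but the d= and return-path domains in the report do.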

Alignment failures often trace back to a mismatched DKIM signing domain rather than a policy problem, so if strict breaks something, start with the d= domain of the signature. And remember that forwarding breaks SPF: the forwarder's IP is not in your SPF record, and if it rewrites the return-path (SRS) the envelope domain becomes the forwarder's and can no longer align with your From at all. That is one more reason DKIM alignment carries most of the load in practice. Our guide on why forwarding breaks SPF covers that failure mode.

Frequently asked questions

What is the default DMARC alignment mode?

Relaxed, for both SPF and DKIM. If you omit the aspf and adkim tags, DMARC treats them as r. You never end up on strict by accident. You have to explicitly write aspf=s or adkim=s.

Does strict alignment make my domain more secure than relaxed?

Only marginally, and only in a specific way. Both modes block an attacker who sends from a domain they do not control, because that mail cannot align under either setting. Strict adds one extra guarantee: a valid signature from a subdomain of your own root will not align with your root From address. That helps if you consider subdomain reuse a risk, but it does nothing against ordinary external spoofing that relaxed already stops.

Can I use strict for DKIM but relaxed for SPF?

Yes. The two tags are independent. A record like aspf=r; adkim=s is valid and common when your DKIM signing domain exactly matches your From domain but your bounce address lives on a subdomain. Set each tag based on how that specific mechanism is configured for your mail.

Why did my mail start failing DMARC after I switched to strict?

Almost always because a legitimate sender signs DKIM or bounces SPF from a subdomain like mail.brand.com while your From address is on the root brand.com. Relaxed accepted that; strict does not. Check your aggregate reports for the exact d= and return-path domains, then either move that sender onto your exact From domain or revert to relaxed.
