The DMARC standard enables a domain owner to allow relaxed alignment or to require strict alignment. Note that there is no discernible increase in protection by using Strict mode. 

Valimail does not recommend using Strict mode since there is no improvement in protection and makes configuration and management of authentication more difficult.



Relaxed alignment is satisfied if the organizational domain is the same between the user-visible From address and either the Return Path (SPF) or authenticated signing domain (DKIM).


Strict alignment requires an exact match between the Fully Qualified Domain Name (FQDN) of the user-visible From address and either the Return Path (SPF) or authenticated signing domain (DKIM).


If strict alignment is required and the email does not pass strict alignment, the email is considered to have failed DMARC authentication for that method (SPF or DKIM). 



Strict vs Relaxed alignment is specified in the DMARC record using the following tags:

aspf (SPF)

adkim (DKIM)


The default setting, if it is not specified in the DMARC record, is relaxed alignment. For example, the following DMARC records are equivalent:


v=DMARC1; p=none; rua=mailto:dmarc-alert@example.com; aspf=r; adkim=r


v=DMARC1; p=none; rua=mailto:dmarc-alert@example.com;




Examples:


A domain is set for strict SPF alignment as shown below:


v=DMARC1; p=none; rua=mailto:dmarc-alert@example.com; aspf=s;


If the user-visible From address is sales@marketing.example.com and the Return Path is marketing.example.com, 


The email is strictly aligned for SPF



A domain is set for strict DKIM alignment as shown below:


v=DMARC1; p=none; rua=mailto:dmarc-alert@example.com; adkim=s


If the user-visible From address is sales@marketing.example.com and the authenticated signing domain is example.com, 


The email is not strictly aligned for DKIM