Skip to main content
DMARC - Strict vs Relaxed alignment
Updated over a week ago

The DMARC standard enables a domain owner to allow relaxed alignment or to require strict alignment. Note that there is no discernible increase in protection by using Strict mode.

Valimail does not recommend using Strict mode since there is no improvement in protection and is makes configuration and management of authentication more difficult.

Relaxed alignment is satisfied if the organizational domain is the same between the user-visible From address and either the Return Path (SPF) or authenticated signing domain (DKIM).

Strict alignment requires an exact match between the Fully Qualified Domain Name (FQDN) of the user-visible From address and either the Return Path (SPF) or authenticated signing domain (DKIM).

If strict alignment is required and the email does not pass strict alignment, the email is considered to have failed DMARC authentication for that method (SPF or DKIM).

Strict vs Relaxed alignment is specified in the DMARC record using the following tags:

aspf (SPF)

adkim (DKIM)

The default setting, if it is not specified in the DMARC record, is relaxed alignment. For example, the following DMARC records are equivalent:

v=DMARC1; p=none; rua=mailto:[email protected]; aspf=r; adkim=r

v=DMARC1; p=none; rua=mailto:[email protected];

Examples:

A domain is set for strict SPF alignment as shown below:

v=DMARC1; p=none; rua=mailto:[email protected]; aspf=s;

If the user-visible From address is [email protected] and the Return Path is marketing.example.com,

The email is strictly aligned for SPF

A domain is set for strict DKIM alignment as shown below:

v=DMARC1; p=none; rua=mailto:[email protected]; adkim=s

If the user-visible From address is [email protected] and the authenticated signing domain is example.com,

The email is not strictly aligned for DKIM

Did this answer your question?