DMARC alignment explained: SPF, DKIM, and From domains
See how relaxed and strict SPF or DKIM alignment compare authenticated domains with the visible From domain.
DMARC is the most misunderstood email standard. Once you understand alignment, the rest is mechanical.
The two alignments
DMARC checks identifier alignment between the From header and the authentication identifiers from SPF and DKIM. There are two:
- SPF alignment compares the From-header domain to the Return-Path (envelope sender) domain.
- DKIM alignment compares the From-header domain to the
d=value in the DKIM signature.
DMARC needs only ONE of these to align AND its underlying check (SPF or DKIM) to pass. This is the magic that lets forwarded messages survive: the SPF identifier breaks at the forwarder, but the DKIM signature is preserved with its original d=.
Relaxed vs strict
Relaxed alignment (the default) lets subdomains align with the organizational domain. So mail.example.com aligns with example.com. Strict alignment requires an exact string match.
- Use relaxed (
adkim=r aspf=r, the default) for almost everything. - Use strict for high-value brands that need to make sure no subdomain takeover or unauthorized SaaS can claim affiliation.
A worked example
You send marketing email through an ESP. The setup looks like:
- From:
you [at] example.com - Return-Path:
bounce-12345 [at] bounces.theesp.com(the ESP's bounce handler) - DKIM signature:
d=mail.example.com s=esp1(the ESP signs as a subdomain you delegated to them)
What DMARC sees:
- SPF passes (the ESP is authorized for
bounces.theesp.com). - SPF alignment fails (
bounces.theesp.com≠example.comin either relaxed or strict). - DKIM passes (the signature verifies).
- DKIM alignment passes in relaxed mode (
mail.example.comis a subdomain ofexample.com). It would fail in strict.
Result: DMARC passes, because aligned DKIM passed.
Reading aggregate reports
In an aggregate XML report you'll see something like:
<row>
<count>847</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>This row says: 847 messages from one source, DKIM alignment failed but SPF alignment passed, so DMARC passed and the policy didn't take action. If both showed fail, DMARC would have failed and the policy would have applied.
If you only do one thing
Publish DMARC at p=none rua=aggregate-report-mailbox and read one week of aggregate reports. You'll learn more about your sending infrastructure in seven days than in months of guessing.
For the broader authentication map, use the email authentication hub and then come back here for SPF-versus-DKIM alignment examples.
| Method | Authenticated domain | Alignment comparison |
|---|---|---|
| SPF | SMTP envelope sender / Return-Path | Compared with the visible From domain |
| DKIM | Signing domain in d= | Compared with the visible From domain |
Use the DMARC checker to inspect policy and alignment mode, then use DMARC monitoring for sender-level alignment evidence over time.
Apply the findings from DMARC alignment, explained without the jargon with the DMARC monitoring workflow, then use the relevant WillItInbox product workflow to collect current evidence.
Continue this dmarc monitoring and sender authentication workflow with the commercial page, the core guide, the implementation docs.
Last updated June 13, 2026.
Sources reviewed
- RFC 7489: DMARC(standard)
- RFC 7208: Sender Policy Framework(standard)
- RFC 6376: DomainKeys Identified Mail(standard)
Factual review: June 13, 2026 by WillItInbox Editorial.
Keep reading