Authentication · 2 min read · WillItInbox Team

DMARC alignment, explained without the jargon

Why DMARC can pass when SPF fails, why strict alignment exists, and how to read alignment errors in your aggregate reports.


DMARC is the most misunderstood email standard. Once you understand alignment, the rest is mechanical.

The two alignments

DMARC checks identifier alignment between the From header and the authentication identifiers from SPF and DKIM. There are two:

  • SPF alignment compares the From-header domain to the Return-Path (envelope sender) domain.
  • DKIM alignment compares the From-header domain to the d= value in the DKIM signature.

DMARC needs only ONE of these to align AND its underlying check (SPF or DKIM) to pass. This is the magic that lets forwarded messages survive: the SPF identifier breaks at the forwarder, but the DKIM signature is preserved with its original d=.

Relaxed vs strict

Relaxed alignment (the default) lets subdomains align with the organizational domain. So mail.example.com aligns with example.com. Strict alignment requires an exact string match.

  • Use relaxed (adkim=r aspf=r, the default) for almost everything.
  • Use strict for high-value brands that need to make sure no subdomain takeover or unauthorized SaaS can claim affiliation.

A worked example

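You send marketing email through an ESP. The setup looks like:

  • From-header domain: example.com
  • Return-Path (envelope sender) domain: bounces.theesp.com
  • DKIM signature d= value: mail.example.com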

What DMARC sees:

  • SPF passes (the ESP is authorized for bounces.theesp.com).
  • SPF alignment fails (bounces.theesp.com ≠ example.com in either relaxed or strict).
  • DKIM passes (the signature verifies).
  • DKIM alignment passes in relaxed mode (mail.example.com is a subdomain of example.com). It would fail in strict.

Result: DMARC passes, because aligned DKIM passed.
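
The same evaluation as code (an added example, not from the original post or any particular DMARC library). The function names and the ESP_MESSAGE sample are constructed for illustration, and the organizational domain is approximated as the last two labels, where a real evaluator consults the Public Suffix List.

```python
# Added example: DMARC identifier alignment for the ESP scenario above.
# Assumption: organizational domain = last two labels. Real evaluators use
# the Public Suffix List (example.co.uk needs three labels, for instance).

def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode is 'r' (relaxed) or 's' (strict), as in the aspf=/adkim= tags."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b                          # exact match only
    if mode == "r":
        # Compare organizational domains; a naive endswith() test would
        # wrongly align notexample.com with example.com.
        return org_domain(a) == org_domain(b)
    raise ValueError(f"unknown alignment mode: {mode!r}")

def evaluate_dmarc(from_domain, return_path_domain, spf_result,
                   dkim_d, dkim_result, aspf="r", adkim="r"):
    spf_aligned = aligned(from_domain, return_path_domain, aspf)
    dkim_aligned = aligned(from_domain, dkim_d, adkim)
    # A mechanism counts only if it passes AND its identifier aligns.
    spf_ok = spf_result == "pass" and spf_aligned
    dkim_ok = dkim_result == "pass" and dkim_aligned
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }

# Constructed sample matching the worked example's three identifiers.
ESP_MESSAGE = dict(
    from_domain="example.com",
    return_path_domain="bounces.theesp.com", spf_result="pass",
    dkim_d="mail.example.com", dkim_result="pass",
)

if __name__ == "__main__":
    for adkim in ("r", "s"):
        print(f"adkim={adkim}:", evaluate_dmarc(**ESP_MESSAGE, adkim=adkim))
```

With adkim=s the same message fails DMARC, because neither identifier then aligns with example.com.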

Reading aggregate reports

In an aggregate XML report you'll see something like:

<row>
  <count>847</count>
  <policy_evaluated>
    <disposition>none</disposition>
    <dkim>fail</dkim>
    <spf>pass</spf>
  </policy_evaluated>
</row>

This row says: 847 messages from one source, DKIM alignment failed but SPF alignment passed, so DMARC passed and the policy didn't take action. If both showed fail, DMARC would have failed and the policy would have applied.

If you only do one thing

Publish DMARC at p=none rua=mailto:[email protected] and read one week of aggregate reports. You'll learn more about your sending infrastructure in seven days than in months of guessing.
