Alignment (DMARC)
Learn what alignment means in DMARC, how SPF and DKIM alignment protect against spoofing, and how DMARCeye monitors alignment to ensure domain trust.
What is Alignment in DMARC?
Alignment in DMARC refers to the relationship between the domains used in SPF and DKIM authentication checks and the domain visible in the email’s From header. For a message to pass DMARC validation, at least one of these mechanisms must not only pass authentication but also align with the domain displayed to the recipient. Alignment ensures that the sender’s identity in the header accurately matches the domain that is being authenticated, preventing deceptive use of unrelated domains.
Without proper alignment, a message could appear to come from a trusted organization even though the technical authentication checks are performed against a different domain. This verification step helps mailbox providers confirm that the message truly originates from the claimed sender, reducing the risk of spoofing and phishing.
How Alignment Works
DMARC alignment operates through two separate checks that compare domains:
- SPF Alignment: Compares the domain used in the Envelope From (MAIL FROM) with the domain in the visible From header.
- DKIM Alignment: Compares the domain in the DKIM signature (the d= tag) with the domain in the From header.
If either SPF or DKIM passes and aligns, the message is considered DMARC-compliant. If both fail alignment, the message fails DMARC and is processed according to the domain’s policy (none, quarantine, or reject).
Example:
From: billing@example.com
Return-Path: mail.example.com
DKIM-Signature: d=example.comIn this case, both SPF and DKIM align with example.com, resulting in a DMARC pass.
Types of Alignment
DMARC supports two modes of alignment, defined by the aspf (for SPF) and adkim (for DKIM) tags in the DMARC record:
- Relaxed alignment: Allows subdomains to align with their organizational domain. For example,
mail.example.comaligns withexample.com. - Strict alignment: Requires an exact domain match. In this case,
mail.example.comdoes not align withexample.com.
Example of a DMARC record with strict alignment:
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.comRelaxed alignment offers flexibility for organizations using multiple subdomains, while strict alignment provides a higher level of protection against impersonation.
Why Alignment Is Important
Alignment is the defining feature that makes DMARC more effective than SPF or DKIM alone. SPF and DKIM validate message integrity and sending authorization, but they do not ensure that the authenticated domain matches what recipients see. DMARC alignment closes this gap by enforcing consistency between the technical and visible sender domains.
Proper alignment helps:
- Protect brands from domain impersonation and fraudulent use
- Increase trust and authenticity in email communications
- Improve deliverability for properly authenticated messages
- Reduce the success of spoofing and business email compromise attacks
- Provide mailbox providers with clearer signals for filtering and reputation scoring
Alignment and DMARCeye
DMARCeye provides detailed insight into SPF and DKIM alignment across all domains and subdomains. The platform highlights misaligned senders, third-party mail streams, and messages that fail alignment, helping organizations identify configuration issues before enforcing a reject policy.
By visualizing alignment data alongside authentication results, DMARCeye enables security and deliverability teams to understand where alignment breaks down and how to fix it. This visibility accelerates the path to full DMARC enforcement and ensures that every message representing your brand is verified and trusted.
Sign up for a free trial of DMARCeye today and secure your email domain.
To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.