DMARC aspf Tag

What is the DMARC aspf Tag?

The aspf tag in a DMARC record defines the alignment mode used for SPF authentication checks. It determines how strictly the domain in the SPF evaluation (the “Envelope From” or “Return-Path” domain) must match the domain visible in the email’s From header. In short, aspf controls whether DMARC treats subdomains as aligned or requires an exact match for alignment.

This tag plays an essential role in establishing sender identity and preventing domain impersonation. By specifying aspf in your DMARC record, you define how tolerant mailbox providers should be when comparing SPF-authenticated domains to the one shown to recipients.

How the aspf Tag Works

The aspf tag accepts one of two possible values: r for relaxed alignment (the default) or s for strict alignment. These settings determine the degree of similarity required between the authenticated domain and the From header domain.

Example DMARC record with an aspf tag:

In this example, the aspf=s tag enforces strict alignment for SPF checks.

• Relaxed alignment (aspf=r): Allows subdomains of the From domain to align. For example, mail sent from mail.example.com aligns with example.com.
• Strict alignment (aspf=s): Requires an exact match between the domain used in the SPF check and the domain in the From header. In this case, mail.example.com does not align with example.com.

If the aspf tag is omitted from the DMARC record, relaxed alignment (r) is applied by default.

Why SPF Alignment Is Crucial to DMARC

SPF alone verifies that a mail server is authorized to send on behalf of a specific domain, but it doesn’t confirm that the visible From domain (the one users see) matches the authenticated domain. The aspf tag bridges that gap by enforcing consistency between the technical sending domain and the human-facing one.

Proper SPF alignment helps prevent spoofing and phishing by ensuring attackers can’t send messages from subdomains or unrelated domains that merely pass SPF checks. This alignment is critical for full alignment, which occurs when both SPF and DKIM align successfully with the same domain.

Choosing Between Strict and Relaxed Alignment

Whether to use strict or relaxed alignment depends on your domain structure and mail flow:

• Relaxed alignment (r): Best for organizations that send mail from multiple subdomains or third-party services that may use slightly different sending domains. It offers flexibility during the initial DMARC rollout.
• Strict alignment (s): Recommended for mature email programs with controlled infrastructure. It provides maximum protection by requiring exact domain matches.

Many organizations start with relaxed alignment while monitoring aggregate reports, then move to strict alignment once all legitimate senders are configured correctly. This progression supports a smooth transition toward full DMARC enforcement (p=quarantine or p=reject).

The aspf Tag and DMARCeye

DMARCeye automatically detects and analyzes your domain’s aspf alignment setting when parsing DMARC records. The platform visualizes SPF alignment results across all senders, helping you identify misaligned domains, subdomain inconsistencies, and third-party senders that may fail strict alignment.

By correlating alignment data with authentication outcomes, DMARCeye highlights which sources meet or violate your aspf policy, making it easier to fine-tune your configuration. Whether you use relaxed or strict alignment, DMARCeye ensures that SPF validation supports a secure, compliant, and deliverable email ecosystem.

Sign up for a free trial of DMARCeye today and secure your email domain.

To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.