SPF Alignment
Learn what SPF alignment means in DMARC, how it prevents domain spoofing, and how DMARCeye monitors SPF alignment to strengthen email authentication.
What is SPF Alignment?
SPF alignment is a component of DMARC that checks whether the domain authenticated by SPF matches the domain shown in the email’s From header. It ensures that the message was sent from a server authorized by the same domain that appears to the recipient. If the two domains align, the message passes SPF alignment; if they don’t, it fails.
This alignment step prevents attackers from exploiting authorized senders under one domain while using a different domain name in the visible From field. By requiring consistency between the technical and visible identities of a message, SPF alignment strengthens protection against spoofing and impersonation.
How SPF Alignment Works
SPF (Sender Policy Framework) verifies that a mail server is permitted to send messages for a given domain by checking the domain’s DNS for a valid SPF record. Once the SPF check passes, DMARC applies an additional alignment check, comparing the domain in the technical sender address (the “Envelope From” or “Return-Path”) with the domain in the visible From header.
Example of SPF alignment logic:
- Envelope From: mail.example.com
- From header: user@example.com
In this case, the domains align under relaxed alignment because mail.example.com is a subdomain of example.com. If the envelope sender were mailer.otherdomain.com, the SPF check might still pass (if that server is authorized for otherdomain.com), but the message would fail alignment under DMARC because the domains differ.
Strict vs. Relaxed SPF Alignment
SPF alignment behavior is defined by the aspf tag in the DMARC record. There are two possible modes:
- Relaxed alignment (aspf=r): Allows subdomains of the From domain to align with the parent domain. Example: mail.example.com aligns with example.com.
- Strict alignment (aspf=s): Requires an exact domain match. Example: mail.example.com does not align with example.com.
Example DMARC record using strict SPF alignment:
v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc-reports@example.com
When no aspf tag is present, relaxed alignment (aspf=r) is the default mode.
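The alignment decision described above, as an added Python example (not DMARCeye's code): it reads the aspf tag from a DMARC record and compares the Envelope From domain with the From header domain. The function names are hypothetical, and the small suffix set is a constructed stand-in for the Public Suffix List that receivers use to find the organizational domain in relaxed mode.

```python
"""DMARC SPF alignment check (added example; simplified)."""

# ASSUMPTION: constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def parse_aspf(dmarc_record):
    """Return 'r' or 's' from a DMARC record; relaxed when aspf is absent."""
    tags = {}
    for part in dmarc_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    mode = tags.get("aspf", "r").lower()
    return mode if mode in ("r", "s") else "r"  # unknown value: use the default


def domain_of(address):
    """Domain part of an address; a bare domain is returned unchanged."""
    return address.strip().strip("<>").rsplit("@", 1)[-1].lower().rstrip(".")


def org_domain(domain):
    """Organizational domain: longest known public suffix plus one label."""
    labels = domain.split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # suffix not in our sample set


def spf_aligned(envelope_from, header_from, dmarc_record):
    """True when the Envelope From domain aligns with the From header domain."""
    mail_from, visible = domain_of(envelope_from), domain_of(header_from)
    if parse_aspf(dmarc_record) == "s":
        return mail_from == visible  # strict: exact match only
    return org_domain(mail_from) == org_domain(visible)  # relaxed


def dmarc_spf_pass(spf_result, envelope_from, header_from, dmarc_record):
    """SPF counts toward DMARC only if it passed AND the domains align."""
    return spf_result == "pass" and spf_aligned(envelope_from, header_from, dmarc_record)


if __name__ == "__main__":
    strict = "v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc-reports@example.com"
    print(spf_aligned("mail.example.com", "user@example.com", "v=DMARC1; p=reject"))
    print(spf_aligned("mail.example.com", "user@example.com", strict))
```

The co.uk entry shows why relaxed mode needs a suffix list: comparing only the last two labels would treat every domain under co.uk as aligned with every other.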
Why SPF Alignment Is Important
SPF alone authenticates the technical sending source but doesn’t ensure that the visible domain matches. Without alignment, attackers could send mail from authorized servers under unrelated domains — passing SPF while impersonating a brand. SPF alignment adds the critical link between authentication and domain identity, confirming that the authenticated source truly belongs to the sender.
Key benefits of SPF alignment include:
- Prevents domain impersonation in the visible From field
- Improves accuracy of DMARC authentication results
- Supports full alignment when paired with DKIM
- Enhances sender reputation and deliverability
- Provides better forensic visibility in DMARC reports
Mailbox providers rely on SPF alignment (along with DKIM alignment) to determine whether a message complies with the sender’s DMARC policy. Messages that fail both are handled according to that policy, typically quarantined or rejected.
SPF Alignment and DMARCeye
DMARCeye gives organizations full visibility into SPF alignment performance across all sending domains. The platform parses DMARC aggregate reports to identify which messages pass or fail SPF alignment, helping teams pinpoint misconfigurations and unauthorized senders.
DMARCeye also correlates SPF alignment data with authentication results from DKIM, highlighting sources that meet full alignment or fail DMARC entirely. By visualizing these outcomes, the platform helps organizations enforce stronger domain identity control, reduce spoofing risks, and optimize deliverability.