What is SPF Alignment?
SPF alignment is a component of DMARC that checks whether the domain authenticated by SPF matches the domain shown in the email’s From header. It ensures that the message was sent from a server authorized by the same domain that appears to the recipient. If the two domains align, the message passes SPF alignment; if they don’t, it fails.
This alignment step prevents attackers from exploiting authorized senders under one domain while using a different domain name in the visible From field. By requiring consistency between the technical and visible identities of a message, SPF alignment strengthens protection against spoofing and impersonation.
SPF (Sender Policy Framework) verifies that a mail server is permitted to send messages for a given domain by checking the domain’s DNS for a valid SPF record. Once the SPF check passes, DMARC applies an additional alignment check, comparing the domain in the technical sender address (the “Envelope From” or “Return-Path”) with the domain in the visible From header.
Example of SPF alignment logic:
mail.example.comuser@example.comIn this case, the domains align because mail.example.com is a subdomain of example.com. If the envelope sender were mailer.otherdomain.com, the SPF check might still pass (if authorized), but it would fail alignment under DMARC because the domains differ.
SPF alignment behavior is defined by the aspf tag in the DMARC record. There are two possible modes:
aspf=r): Allows subdomains of the From domain to align with the parent domain. Example: mail.example.com aligns with example.com.aspf=s): Requires an exact domain match. Example: mail.example.com does not align with example.com.Example DMARC record using strict SPF alignment:
v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc-reports@example.comWhen no aspf tag is present, relaxed alignment (aspf=r) is the default mode.
SPF alone authenticates the technical sending source but doesn’t ensure that the visible domain matches. Without alignment, attackers could send mail from authorized servers under unrelated domains — passing SPF while impersonating a brand. SPF alignment adds the critical link between authentication and domain identity, confirming that the authenticated source truly belongs to the sender.
Key benefits of SPF alignment include:
Mailbox providers rely on SPF alignment (along with DKIM alignment) to determine whether a message complies with the sender’s DMARC policy. Messages that fail both are handled according to that policy, typically quarantined or rejected.
DMARCeye gives organizations full visibility into SPF alignment performance across all sending domains. The platform parses DMARC aggregate reports to identify which messages pass or fail SPF alignment, helping teams pinpoint misconfigurations and unauthorized senders.
DMARCeye also correlates SPF alignment data with authentication results from DKIM, highlighting sources that meet full alignment or fail DMARC entirely. By visualizing these outcomes, the platform helps organizations enforce stronger domain identity control, reduce spoofing risks, and optimize deliverability.
Sign up for a free trial of DMARCeye today and secure your email domain.
To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.