3,932 Australian domains analysed. Most fail basic email authentication. [2026 Report]

DMARC Alignment

The check that requires the SPF or DKIM domain to match the visible From header domain in order for DMARC to pass.

Definition

DMARC alignment is the check that ties SPF or DKIM authentication to the visible From: header that end users see. SPF authenticates the envelope sender (MAIL FROM), and DKIM authenticates the signing domain (the d= tag). Neither, on its own, says anything about the visible From: header — and a spoofer can put any address they like in the From: header while still passing SPF or DKIM against a domain they control. DMARC closes this gap by requiring that the SPF or DKIM domain aligns with the visible From header domain.

How it works

Alignment has two modes set per protocol via the aspf= and adkim= tags in the DMARC record:

Relaxed (the default, value r): the SPF/DKIM domain must share an organisational domain with the From header. So mail.example.com aligns with example.com, and a DKIM signature with d=marketing.example.com aligns with a From header of news@example.com.

Strict (value s): the SPF/DKIM domain must match the From header domain exactly. mail.example.com does not align with example.com in strict mode.

For DMARC to pass, at least one of SPF or DKIM must both authenticate AND align. Either alone is insufficient. This is why ESPs that sign messages with their own domain (e.g. d=mailprovider.com) cause DMARC to fail even though DKIM technically passes — the signing domain doesn't align with the customer's From header.

Example

A message with these headers:

From: news@example.com
Return-Path: bounce@bounces.example.com
DKIM-Signature: d=example.com; ...

SPF authenticates bounces.example.com (the envelope sender). DKIM authenticates example.com (the d= tag). The visible From header is example.com.

SPF alignment: bounces.example.com shares organisational domain with example.com — passes in relaxed mode, fails in strict mode. DKIM alignment: example.com matches example.com exactly — passes in either mode. DMARC therefore passes via DKIM in both alignment modes.

Related Terms

DMARC An email authentication policy framework that uses SPF and DKIM to detect and prevent doma... SPF A DNS-published list of IP addresses and hostnames authorised to send email on behalf of a... DKIM A cryptographic signature attached to outbound email that proves the message was authorise... DMARC Policy The action a domain owner asks receivers to take when a message fails DMARC: monitor (none...

Automate your DMARC

DMARC Busta puts SPF, DKIM, and DMARC management on autopilot — across one domain or 10,000.

Start free trial