
DMARC not only verifies whether SPF and DKIM pass. It also checks whether the domains used during authentication match the domain visible in the "From" address. If this alignment is missing, emails can fail DMARC checks even if they pass authentication. Understanding DMARC alignment is essential for improving deliverability and preventing domain misuse.
In this blog, we will walk through how alignment works with practical examples, compare DMARC strict vs relaxed modes, and show how to check DMARC alignment for your domain effectively.
DMARC alignment is the process of checking whether the domain in the "From" address matches the domains used in SPF and DKIM authentication. In simple terms, it confirms that the sender's identity is consistent and trustworthy. During validation, DMARC compares three identifiers: the From header, the Return-Path used in SPF, and the domain in the DKIM signature. Alignment passes if either SPF or DKIM matches the From domain, based on your settings.
If there is no match, DMARC fails even when SPF or DKIM pass individually. Understanding this helps you check DMARC alignment correctly and prevent spoofed emails from misusing your domain.
To understand how DMARC alignment works, it is important to focus on the domain shown in the "From" address. When an email reaches a receiving server, two authentication checks take place. SPF verifies the Return-Path, also known as the envelope sender or bounce address. DKIM, on the other hand, validates the domain used to sign the email through its digital signature. Both checks confirm that the email is technically authorized to be sent.
However, DMARC goes a step further. It does not rely only on whether SPF or DKIM passes. Instead, it checks whether the domains used in these checks match the domain in the From address. This is where alignment comes in.
If the SPF domain or the DKIM domain matches the From domain, alignment passes, and DMARC can pass. If neither matches, DMARC fails, even when SPF or DKIM individually show a pass.
This step is critical because anyone can set up SPF and DKIM for their own domain. Without alignment, an attacker could send an email from your domain while authenticating with their own domain. Since users only see the From address, they may trust the email.
DMARC alignment prevents this by ensuring that the visible sender and the authenticated domain are the same, reducing the risk of spoofing and phishing attacks.
DMARC provides two modes that control how closely the SPF and DKIM domains must match the domain in the From address.
In relaxed alignment, the domains do not need to match exactly. They only need to belong to the same organizational domain. This means subdomains are allowed.
Example:
yourdomain.com
mail.yourdomain.com
Even though these are not identical, they belong to the same root domain, so alignment passes.
Relaxed alignment is useful if you use third-party tools or multiple subdomains for sending emails. It reduces the chances of legitimate emails failing DMARC.
Pros:
Cons:
In strict alignment, the domains must match exactly. Even a small difference, such as a subdomain, will cause alignment to fail.
Example:
yourdomain.com
mail.yourdomain.com
Here, alignment fails because the domains are not identical. Strict alignment is ideal for organizations that need stronger protection against spoofing.
Pros:
Cons:
The following examples show how DMARC strict vs relaxed alignment behaves in real-world scenarios.
From header: [email protected]
| SPF and DKIM domains | mail.ecommerce.com, notify.ecommerce.com |
| Relaxed alignment result | Pass (same organizational domain) |
| Strict alignment result | Fail (domains are not identical) |
This is common for e-commerce brands that use different subdomains for transactional and notification emails. Relaxed alignment helps these emails pass without extra configuration.
From header: [email protected]
| SPF and DKIM domains | healthsecure.org, healthsecure.org |
| Relaxed alignment result | Pass |
| Strict alignment result | Pass |
Since all domains match exactly, both alignment modes pass. This setup is typical for organizations that require strong control and consistency in email sending.
From header: [email protected]
| SPF and DKIM domains | mailerplatform.com, mailerplatform.com |
| Relaxed alignment result | Fail |
| Strict alignment result | Fail |
Here, neither SPF nor DKIM aligns with the From domain. Even if authentication passes, DMARC fails due to misalignment. This often happens when third-party tools are not configured correctly.
From header: [email protected]
| SPF and DKIM domains | campaign.learnonline.io, learnonline.io |
| Relaxed alignment result | Pass (organizational match exists) |
| Strict alignment result | Fail (exact match not present for SPF) |
This shows that relaxed alignment can still pass as long as at least one identifier aligns, whereas strict alignment requires exact matching across domains.
Checking DMARC alignment helps you confirm whether your emails are properly authenticated and trusted by receiving servers. Follow these steps to check it correctly.
Send an email from your domain to a mailbox you can access, such as Gmail or Outlook. This allows you to review how your email is authenticated on the receiving side.
Open the email you just sent and view the full headers or original message. In Gmail, click on "Show original." In Outlook, open "View message details."
This section contains important authentication results for SPF, DKIM, and DMARC.
Look for the following values in the headers:
d= in the DKIM signature
These are the domains DMARC compares for alignment.
Now compare the domains:
Even if SPF or DKIM shows a pass, DMARC will fail if alignment is missing.
In the headers, look for the DMARC result:
DMARC = pass means alignment is working correctly
DMARC = fail often indicates a domain mismatch
If alignment fails, common fixes include:
Quick Tip: Always check both SPF and DKIM alignment. DMARC only needs one to align, but having both properly configured improves reliability and deliverability. Use EasyDMARC's DKIM lookup, SPF lookup, and DMARC lookup tools to ensure your records are properly configured and are not missing any sending source.
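The manual header check above, together with the strict vs relaxed comparison earlier, as an added Python example (not EasyDMARC's code and not part of the original article). The helper names `org_domain`, `aligned` and `check_alignment` are hypothetical; the script assumes a five-entry stand-in for the Public Suffix List, trusts the receiver's `Authentication-Results` verdicts, and runs on constructed `example.com` headers. `aspf` and `adkim` are the DMARC record tags that select strict (`s`) or relaxed (`r`) mode for SPF and DKIM.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List; production checks need the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "io", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest known public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels

def aligned(from_dom, auth_dom, mode):
    """mode "s" = strict (exact match); "r" = relaxed (same organizational domain)."""
    a, b = from_dom.lower(), auth_dom.lower()
    return bool(a) and (a == b if mode == "s" else org_domain(a) == org_domain(b))

def check_alignment(raw, aspf="r", adkim="r"):
    """Compare the From domain with the Return-Path and DKIM d= domains of a raw message."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    spf_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    sigs = ";".join(msg.get_all("DKIM-Signature", []))
    dkim_doms = re.findall(r"(?:^|;)\s*d=([^;\s]+)", sigs)
    # Simplification: trust the receiver's verdicts and assume dkim=pass covers every d= found.
    results = msg.get("Authentication-Results", "")
    spf_ok = bool(re.search(r"\bspf=pass\b", results)) and aligned(from_dom, spf_dom, aspf)
    dkim_ok = bool(re.search(r"\bdkim=pass\b", results)) and any(
        aligned(from_dom, d, adkim) for d in dkim_doms)
    return {"from": from_dom, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample (not a real message): From on the root domain, SPF and DKIM on subdomains.
SAMPLE = """\
Return-Path: <bounce@mail.example.com>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bounce@mail.example.com;
 dkim=pass header.d=notify.example.com; dmarc=pass header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; d=notify.example.com; s=sel1;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Shop <shop@example.com>

Body
"""

if __name__ == "__main__":
    print(check_alignment(SAMPLE), check_alignment(SAMPLE, aspf="s", adkim="s"))
```

Because the two tags are independent, calling `check_alignment(SAMPLE, aspf="s", adkim="r")` reports SPF as unaligned while DMARC still passes on the relaxed DKIM match.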
There is no single "best" option when it comes to alignment. The right choice depends on how your email setup is structured. For most businesses, relaxed alignment is a practical starting point. It works well with real-world setups where emails are sent from multiple tools, platforms, or subdomains. It gives you flexibility while you identify and fix alignment issues without affecting deliverability.
Strict alignment, on the other hand, is designed for environments where control and security are priorities. It requires all your email sources to be tightly configured so that domains match exactly. While it offers stronger protection against spoofing, it can also block legitimate emails if not properly configured.
You can think of it as:
Most organizations begin with relaxed mode and move to strict only after their email ecosystem is stable and fully aligned.
Instead of choosing blindly, it is better to follow a structured approach.
Start by mapping all the services that send emails on behalf of your domain. Many alignment issues come from sources that are forgotten or not properly configured. Next, check how each service authenticates emails. Look at whether SPF and DKIM are passing and, more importantly, whether their domains align with your From address.
If your setup is still evolving or unclear, stick with relaxed alignment. It allows your emails to pass while you fix mismatches in the background. Once all legitimate sources are consistently aligned, you can consider moving to strict alignment. At this stage, your system is stable enough to handle stricter checks without disrupting email flow.
Even after switching, monitoring is important. New tools, domain changes, or configuration updates can reintroduce alignment issues. Keeping an eye on reports ensures your setup stays reliable over time.
EasyDMARC simplifies email authentication by helping you set up, monitor, and enforce SPF, DKIM, and DMARC with ease. It provides clear insights into alignment issues, detects unauthorized senders, and improves deliverability. With guided tools and reports, you can secure your domain and maintain trust without dealing with complex technical setups.