What is DMARC alignment?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
DMARC alignment is the check that ties your email authentication to the domain your recipients actually see. It's the piece that stops phishers from passing SPF or DKIM on their own domain while showing your brand in the From line.
The problem it solves
SPF checks the Return-Path domain. DKIM checks the d= domain in the signature. Neither of those is the visible From address in the inbox. A phisher can set up a domain they control, pass SPF and DKIM on it, and send mail showing your brand in From. Authentication passes. Recipients see your company name. The phish works.
DMARC alignment closes that gap by requiring that the domain authenticated by SPF or DKIM also matches the visible From domain.
What alignment actually checks
For SPF alignment: the Return-Path domain must match the From domain.
For DKIM alignment: the d= domain in the DKIM-Signature header must match the From domain.
DMARC only needs one of the two to align. Both aligning is better practice, but one is enough to pass.
Strict vs relaxed alignment
You can configure how strictly the domains must match. Relaxed mode (the default) allows subdomains: mail.yourdomain.com aligns with yourdomain.com. Strict mode requires an exact match. Most senders should use relaxed. Strict makes sense only if you've fully mapped every subdomain involved in sending.
So you can see your current alignment settings in your DMARC record and check whether your setup is actually passing with our DMARC parser. The SOS hotline is free if you're troubleshooting an alignment failure.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.