What is SPF alignment (strict vs. relaxed)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You're sending email from mail.yourdomain.com but your From header says yourdomain.com. Does that pass DMARC? The answer depends on your SPF alignment setting, which can be strict or relaxed.

Strict alignment means the Return-Path domain (the one SPF validates) must match the From header domain exactly. mail.yourdomain.com and yourdomain.com don't match, so strict alignment fails. Relaxed alignment is more forgiving. It says the domains need to be part of the same organization (the same root domain). So mail.yourdomain.com aligns with yourdomain.com in relaxed mode because they're both under yourdomain.com.

The default DMARC setting is relaxed alignment (aspf=r), which is why most senders can use subdomains for mail servers without breaking their DMARC authentication. You tighten it to strict (aspf=s) if you want to lock down exactly which domains can send on your behalf.

Why would you switch to strict? Security. Strict alignment closes a loophole. If an attacker compromises mail.yourdomain.com, they could still fail strict SPF alignment checks while potentially passing other authentication. But here's the catch: if you use multiple sending domains or subdomains, switching to strict can break legitimate email. You'd need to audit every sender and ensure they're from the exact From domain. Most businesses stick with relaxed because it's practical. Set it to strict only if your sending infrastructure is very centralized.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check your SPF alignment mode

Should I use strict or relaxed SPF alignment? What breaks if I change it?

Edit the yellow boxes, then send to the AI of your choice.