DMARCdrift
DMARCdrift
DMARC concepts

Relaxed vs strict DMARC alignment

The difference between adkim=r and adkim=s, how organizational domain matching works, and when to use each.

DMARC alignment can be checked two ways: relaxed or strict. The setting controls how closely the authenticated domain needs to match your From header domain. Most senders never need to change the default, but understanding the difference matters when subdomains are involved.

What alignment mode controls

Your DMARC record can specify alignment mode separately for DKIM and SPF:

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=none; adkim=r; aspf=r; rua=..."
  • adkim=r: DKIM relaxed alignment (default if omitted)
  • adkim=s: DKIM strict alignment
  • aspf=r: SPF relaxed alignment (default if omitted)
  • aspf=s: SPF strict alignment

Both default to relaxed. You only need to specify them if you want strict.

Relaxed alignment: organizational domain matching

Under relaxed alignment, the authenticated domain and the From domain just need to share the same organizational domain. The organizational domain is the registered domain — the part you'd buy from a registrar.

Examples where relaxed alignment passes:

From domainAuthenticated domainResult
yourdomain.comyourdomain.comPass (exact match)
yourdomain.commail.yourdomain.comPass (same org domain)
app.yourdomain.comyourdomain.comPass (same org domain)
app.yourdomain.commail.yourdomain.comPass (same org domain)
yourdomain.comotherdomain.comFail (different org domain)

This flexibility is what makes relaxed alignment practical. When you send from yourdomain.com via a service that uses mail.yourdomain.com in the Return-Path or DKIM signature, relaxed alignment still passes.

Strict alignment: exact domain matching

Under strict alignment, the authenticated domain must exactly match the From domain. Subdomains don't pass.

Examples where strict alignment fails but relaxed passes:

From domainAuthenticated domainRelaxedStrict
yourdomain.commail.yourdomain.comPassFail
app.yourdomain.comyourdomain.comPassFail

Strict alignment is rarely needed. The most common legitimate reason: you want to prevent DMARC pass for messages claiming to be from yourdomain.com but signed with a subdomain key. In practice this is an unusual requirement.

Subdomain behavior

Subdomains of your domain are independently evaluated. A message from app.yourdomain.com is checked against app.yourdomain.com's DMARC policy if one exists, or falls back to yourdomain.com's policy with the sp= (subdomain policy) tag applied.

This matters for alignment because even under relaxed mode, an authenticated domain from a completely different organizational domain never aligns. mail.otherdomain.com doesn't align with yourdomain.com regardless of mode.

When to use strict alignment

Strict makes sense in a narrow set of circumstances:

  • You control all mail infrastructure and have confirmed that every legitimate sender uses exactly your From domain in their authentication (no subdomains, no third-party signing with subdomain keys)
  • You're in an environment where the extra restriction is required by policy (some enterprise compliance frameworks specify it)
  • You want to prevent a specific subdomain-based authentication bypass in your setup

For most indie builders and small SaaS teams, relaxed alignment is the right choice. It accommodates the typical setup where your ESP signs with a subdomain or uses a custom bounce domain at a subdomain, and it significantly reduces the chance of legitimate mail failing DMARC alignment due to minor domain variations across your sending services.


See also: DKIM and DMARC alignment: how the d= domain in a DKIM signature is checked against your From domain. SPF and DMARC alignment: how the Return-Path domain is checked for SPF alignment.

Ask AI about this page:ClaudeChatGPT