Skip to content
Authentication

SPF alignment: how SPF and DMARC work together

DMARC only accepts an SPF pass when the envelope domain matches the visible From domain. What alignment means, why ESPs break it, and how to fix it.

SPF alignment is the DMARC rule that connects an SPF result to the address a human actually sees. SPF validates the envelope sender domain (Return-Path), while recipients see the From header, and nothing in SPF itself requires the two to match. DMARC adds that requirement: an SPF pass only counts toward DMARC if the envelope domain aligns with the From domain. Misunderstanding this single rule produces the most common confusion in email authentication: mail that passes SPF and still fails DMARC.

Two senders in every message

Every email carries two sender identities. The envelope sender (MAIL FROM in the SMTP transaction, recorded as Return-Path) is where bounces go and is what SPF evaluates. The From header is what mail clients display. They legitimately differ all the time: bounce handling systems, ESPs with their own bounce processing, and mailing lists all set envelope senders on their own domains while the From header carries yours.

That gap is exactly what spammers exploited for years: pass SPF using a domain they own in the envelope, display your domain in the From header. SPF works as designed in that scenario and protects nothing the recipient can see. DMARC closes the gap by demanding alignment between the authenticated domain and the displayed one.

Relaxed and strict alignment

DMARC's aspf tag sets the comparison mode. Relaxed (aspf=r, the default) requires the two domains to share an organizational domain: bounce.mail.example.com aligns with example.com. Strict (aspf=s) requires an exact match: only example.com aligns with example.com. Relaxed is correct for nearly everyone, because production setups routinely use bounce subdomains, and strict alignment breaks them for no practical security gain in most threat models.

Alignment worked examples (relaxed mode)
1From: news@example.com
2
3Return-Path: bounce@example.com          aligned (same domain)
4Return-Path: b-123@mail.example.com      aligned (same org domain)
5Return-Path: bounce@esp-platform.com     NOT aligned (different org domain)
6Return-Path: b-123@em.esp-platform.com   NOT aligned
7
8SPF can pass in all four cases. Only the first two help DMARC.

Why ESP defaults fail alignment

Out of the box, most ESPs and transactional providers use an envelope sender on their own platform domain so their systems can process your bounces. SPF passes, for their domain, and contributes nothing to your DMARC. The fix every serious platform offers is a custom bounce domain (also sold as custom Return-Path or domain authentication): a subdomain of yours, delegated to the provider, used as the envelope sender. After that, SPF passes for a domain that aligns with your From header.

Forwarding: where aligned SPF dies

When a message is forwarded, the forwarder retransmits it from their own servers. Your SPF record does not authorize those servers, so SPF fails (or the forwarder rewrites the envelope sender to their own domain, and SPF passes without alignment). Either way, aligned SPF is gone. This is inherent to how SPF works, and no record edit fixes it.

The consequence for DMARC strategy: never build enforcement on SPF alone. DMARC passes if either mechanism produces an aligned pass, and DKIM signatures travel inside the message, surviving normal forwarding. Aligned DKIM on every stream is the resilient leg; aligned SPF is the second witness that covers DKIM's own failure modes, like broken signatures after key rotation mistakes.

Getting to aligned SPF, stream by stream

Alignment checklist per sending service

  1. 1

    Find the current envelope domain

    Send a test message and read Return-Path and Authentication-Results from the received headers.

  2. 2

    Configure the custom bounce domain

    Enable the provider's custom Return-Path feature with a subdomain like mail.example.com or bounce.example.com, publishing the DNS they specify.

  3. 3

    Publish SPF at that subdomain

    The subdomain needs its own SPF record authorizing the provider, usually one include, since records do not inherit from the parent domain.

  4. 4

    Verify in DMARC aggregate reports

    The source should show spf=pass with policy_evaluated alignment passing. Reports are the proof that the fix took.

For the fundamentals of how SPF itself evaluates, see the SPF overview; for placing records on subdomains correctly, the record syntax entry covers scope and placement rules.

Frequently asked questions

My mail passes SPF but fails DMARC. Why?
Almost always alignment: SPF passed for a vendor's envelope domain that does not share your From domain's organizational domain. Configure a custom bounce domain on the sending platform, or ensure aligned DKIM carries the DMARC pass.
Should I set aspf=s (strict alignment)?
Rarely. Strict mode breaks the standard bounce-subdomain pattern and adds little security for most senders. Relaxed alignment with well-managed subdomains is the production norm.
Does alignment matter if I have aligned DKIM everywhere?
DMARC is satisfied by one aligned mechanism, so aligned DKIM alone passes. Aligned SPF remains worth configuring as redundancy: DKIM breaks in its own ways (key rotation errors, content-rewriting gateways), and two witnesses beat one.
What is SPF alignment's relationship to the HELO domain?
When the envelope sender is empty, as in bounce messages, receivers evaluate SPF against the HELO hostname instead. DMARC alignment then compares that hostname's domain, which is one more reason sending hosts should HELO with a name under your organizational domain.

Key takeaways

  • SPF validates the envelope sender; DMARC only counts the pass if that domain aligns with the visible From domain
  • Relaxed alignment (the default) accepts any subdomain of the organizational domain and is right for nearly everyone
  • ESP default envelope domains pass SPF without alignment; custom bounce domains are the standard fix
  • Forwarding destroys aligned SPF by design, which is why DKIM must carry DMARC resilience
  • Verify alignment in DMARC aggregate reports, not by assuming: spf=pass for someone else's domain helps nothing