Relaxed vs Strict alignment
You might have heard these terms floating about and wondered what exactly they mean and which one you should use, so let's dive in!
What is Relaxed and Strict alignment?
There are two different alignment modes that you can set in your DMARC record: Relaxed (r) and Strict (s). These alignment modes are specified with the tags aspf (for SPF) and adkim (for DKIM).
Example DMARC record:
v=DMARC1; p=reject; pct=100; rua=mailto:firstname.lastname@example.org,mailto:email@example.com; sp=none; adkim=s; aspf=r;
What’s the difference between Relaxed and Strict alignment?
Relaxed alignment is the default and means that the Return-Path domain or the domain used in the DKIM signature (d=) can be a subdomain of the domain in the “From” address. Remember, DMARC requires the domain in the Return-Path header to align with the domain in the From header in order for the SPF check to pass. With Relaxed mode set, the example below would be considered a match and align:
Return-Path: <firstname.lastname@example.org>
DKIM-Signature: d=postmarkapp.com
From: <email@example.com>
Strict alignment means that the Return-Path domain or the domain used in the DKIM signature (d=) must be an exact match with the domain used in the “From” address. With Strict mode set, the example below only aligns if those domains are identical:
Return-Path: <firstname.lastname@example.org>
DKIM-Signature: d=postmarkapp.com
From: <email@example.com>
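To make the two modes concrete, here is an added worked example (not code from the original article or from Postmark) that parses the DMARC record shown above, evaluates relaxed and strict alignment for the Return-Path and DKIM d= domains against the From domain, and combines them into the DMARC verdict. The header values it checks are constructed for the example; the bounce subdomain pm-bounces.postmarkapp.com is an assumption. The organizational-domain rule is simplified to "last two labels"; a real evaluator consults the Public Suffix List so that domains like example.co.uk are handled correctly.

```python
"""Relaxed vs strict DMARC identifier alignment (RFC 7489 section 3.1), worked example."""
import re

# DMARC record from the article (rua addresses appear there as placeholders).
RECORD = ("v=DMARC1; p=reject; pct=100; "
          "rua=mailto:firstname.lastname@example.org,mailto:email@example.com; "
          "sp=none; adkim=s; aspf=r;")


def parse_dmarc_record(record: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs; adkim/aspf default to relaxed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example; production code uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    from_domain = from_domain.lower().rstrip(".")
    auth_domain = auth_domain.lower().rstrip(".")
    if mode == "s":
        return from_domain == auth_domain
    if mode == "r":
        return organizational_domain(from_domain) == organizational_domain(auth_domain)
    raise ValueError(f"unknown alignment mode {mode!r}")


def address_domain(header_value: str) -> str:
    """Return the domain of an address such as 'Name <user@host>' or 'user@host'."""
    match = re.search(r"([^<>\s@]+)@([^<>\s]+)", header_value)
    if not match:
        raise ValueError(f"no address found in {header_value!r}")
    return match.group(2).rstrip(">")


def dmarc_result(from_header: str, return_path: str, dkim_d: str,
                 spf_passed: bool, dkim_passed: bool, record: str) -> dict:
    """DMARC passes when at least one *authenticated* identifier aligns with From.
    An SPF or DKIM pass on an unaligned domain contributes nothing."""
    tags = parse_dmarc_record(record)
    from_domain = address_domain(from_header)
    spf_aligned = spf_passed and is_aligned(from_domain, address_domain(return_path), tags["aspf"])
    dkim_aligned = dkim_passed and is_aligned(from_domain, dkim_d, tags["adkim"])
    return {"spf": spf_aligned, "dkim": dkim_aligned, "dmarc": spf_aligned or dkim_aligned}


if __name__ == "__main__":
    # Constructed sample message: bounce subdomain (assumed) for SPF, apex domain for DKIM.
    verdict = dmarc_result(
        from_header="Example <hello@postmarkapp.com>",
        return_path="<bounces@pm-bounces.postmarkapp.com>",
        dkim_d="postmarkapp.com",
        spf_passed=True, dkim_passed=True, record=RECORD)
    print(verdict)
```

With the article's record (aspf=r, adkim=s) the sample message passes on both paths: the bounce subdomain aligns with the From domain under relaxed SPF, and the DKIM d= domain matches exactly. Switching aspf to s makes the SPF path fail, which is the situation the next section describes for ESPs that authenticate with a subdomain. Note also that relaxed mode does not align a lookalike such as postmarkapp.com.evil.example, because its organizational domain differs.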
Should I use Relaxed or Strict alignment?
Best practice is to have the strictest DMARC policy possible, applied to all domains and subdomains. But what's "possible" will vary based on who you're sending to and your email service providers. Keep in mind that if your mail is sent by an ESP that requires a subdomain for authentication (as Postmark does for SPF), or if you're using a forwarding/filtering service that re-authenticates with a different subdomain, then setting these to "strict" might not be an option to begin with. Overall, the default "relaxed" alignment for DKIM and SPF is enough to prevent delivery of mail that's not authenticated by your domain.
However, if you allocate subdomains to clients or third-party services, you might want to require strict alignment (at least for those specific subdomains). This can help ensure each entity can only send email from their specific assigned subdomain, and no one else's.