Last updated: July 2026
In short: The optional
adkim=andaspf=tags dictate how strictly Domain-based Message Authentication, Reporting, and Conformance (DMARC) enforces Identifier Alignment. They determine whether underlying SPF and DKIM domains must match the visibleFromdomain exactly (strict) or if subdomains are permitted (relaxed).
For an email message to pass DMARC evaluation, it is not enough for SPF and DKIM to technically validate against any arbitrary domain. DMARC requires that at least one passing authentication mechanism matches the visible sender address displayed to the recipient (Header-From). This linkage is known as Identifier Alignment.
By configuring the adkim= (DKIM alignment) and aspf= (SPF alignment) tags, administrators specify the exact flexibility allowed when comparing these domain strings.
Protocol requirements under RFC 7489
Both alignment tags accept two operational values: r for relaxed mode and s for strict mode. If omitted from the published DNS record, DMARC automatically applies relaxed alignment (r).
According to RFC 7489, for DKIM alignment:
adkim: (plain-text; OPTIONAL; default is "r".) Indicates whether strict or relaxed DKIM Identifier Alignment mode is required by the Domain Owner.
And similarly for SPF alignment:
aspf: (plain-text; OPTIONAL; default is "r".) Indicates whether strict or relaxed SPF Identifier Alignment mode is required by the Domain Owner.
A DMARC policy record enforcing strict alignment across both mechanisms looks like this:
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com
Relaxed alignment (r): flexible organizational matching
In relaxed mode (r), DMARC permits organizational subdomain relationships:
- If the visible
Header-Fromaddress isuser@example.com, the domain specified in the DKIM signature (d=) or the envelope Return-Path (Mail-From) can be a subdomain such asmail.example.comorbounce.example.com. - Even though the strings are not identical character-for-character, DMARC considers alignment successful because both belong to the same organizational root domain.
Relaxed mode is the recommended standard for almost all organizations because third-party platforms (such as transactional email providers, CRM tools, and support desks) almost universally route mail through specialized bounce subdomains or dedicated DKIM subdomains.
Strict alignment (s): exact string matching
In strict mode (s), DMARC mandates an exact, character-for-character domain match:
- If an email displays
user@example.comin theFromheader, the DKIMd=tag must be exactlyexample.com, and the SPF Return-Path must terminate exactly at@example.com. - If a third-party platform signs the message using
mail.example.com, strict alignment fails immediately—even if the cryptographic signature itself is valid.
Strict alignment is typically deployed only in high-security B2B environments, government organizations, and financial institutions where administrators must prevent compromised subdomains from authenticating traffic for the root domain.
Verifying your configuration
To verify whether your current DMARC record enforces relaxed or strict alignment across your third-party sending tools, audit your domain using the free MXAudit scanner.
To explore comprehensive technical concepts and setup workflows across different hosting platforms, visit the DMARC hub and practical guides like IONOS DMARC setup.
Further reading
- RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance (DMARC) (retrieved: July 16, 2026)