Last updated: July 2026

In short: The optional adkim= and aspf= tags dictate how strictly Domain-based Message Authentication, Reporting, and Conformance (DMARC) enforces Identifier Alignment. They determine whether underlying SPF and DKIM domains must match the visible From domain exactly (strict) or if subdomains are permitted (relaxed).

For an email message to pass DMARC evaluation, it is not enough for SPF and DKIM to technically validate against any arbitrary domain. DMARC requires that at least one passing authentication mechanism matches the visible sender address displayed to the recipient (Header-From). This linkage is known as Identifier Alignment.

By configuring the adkim= (DKIM alignment) and aspf= (SPF alignment) tags, administrators specify the exact flexibility allowed when comparing these domain strings.

Protocol requirements under RFC 7489

Both alignment tags accept two operational values: r for relaxed mode and s for strict mode. If omitted from the published DNS record, DMARC automatically applies relaxed alignment (r).

According to RFC 7489, for DKIM alignment: adkim: (plain-text; OPTIONAL; default is "r".) Indicates whether strict or relaxed DKIM Identifier Alignment mode is required by the Domain Owner.

And similarly for SPF alignment: aspf: (plain-text; OPTIONAL; default is "r".) Indicates whether strict or relaxed SPF Identifier Alignment mode is required by the Domain Owner.

A DMARC policy record enforcing strict alignment across both mechanisms looks like this:

v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com

Relaxed alignment (r): flexible organizational matching

In relaxed mode (r), DMARC permits organizational subdomain relationships:

  • If the visible Header-From address is user@example.com, the domain specified in the DKIM signature (d=) or the envelope Return-Path (Mail-From) can be a subdomain such as mail.example.com or bounce.example.com.
  • Even though the strings are not identical character-for-character, DMARC considers alignment successful because both belong to the same organizational root domain.

Relaxed mode is the recommended standard for almost all organizations because third-party platforms (such as transactional email providers, CRM tools, and support desks) almost universally route mail through specialized bounce subdomains or dedicated DKIM subdomains.

Strict alignment (s): exact string matching

In strict mode (s), DMARC mandates an exact, character-for-character domain match:

  • If an email displays user@example.com in the From header, the DKIM d= tag must be exactly example.com, and the SPF Return-Path must terminate exactly at @example.com.
  • If a third-party platform signs the message using mail.example.com, strict alignment fails immediately—even if the cryptographic signature itself is valid.

Strict alignment is typically deployed only in high-security B2B environments, government organizations, and financial institutions where administrators must prevent compromised subdomains from authenticating traffic for the root domain.

Verifying your configuration

To verify whether your current DMARC record enforces relaxed or strict alignment across your third-party sending tools, audit your domain using the free MXAudit scanner.

To explore comprehensive technical concepts and setup workflows across different hosting platforms, visit the DMARC hub and practical guides like IONOS DMARC setup.

Further reading