DMARC aspf and adkim Explained
The DMARC aspf and adkim tags control how strictly DMARC evaluates alignment between authentication domains and the visible From domain. The aspf tag applies to SPF alignment, while the adkim tag applies to DKIM alignment. In relaxed mode, subdomains can still align. In strict mode, the authenticated domain must match the From domain exactly.
One-Minute Fix
Use relaxed alignment for most setups unless you specifically need exact-domain matching across all mail flows.
v=DMARC1; p=none; aspf=r; adkim=r; rua=mailto:dmarc@example.com
Relaxed alignment is the safer default for most domains because it allows subdomains and third-party senders to align more easily while you monitor reports.
Wrong vs correct setup
Wrong setup
v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@example.com
This can be too strict for many real-world setups. If your approved senders authenticate using subdomains or separate aligned domains, strict alignment may cause legitimate mail to fail DMARC unexpectedly.
Correct setup
v=DMARC1; p=none; aspf=r; adkim=r; rua=mailto:dmarc@example.com
This is the correct starting point for most domains. Relaxed alignment makes it easier to keep legitimate mail aligned while you audit real traffic and prepare stricter enforcement later if needed.
Why this matters
Alignment settings directly affect whether SPF and DKIM results are counted as valid for DMARC. A message can technically pass SPF or DKIM, but DMARC can still fail if the authenticated domain does not align with the visible From domain according to the published alignment mode.
Why this is a problem
- Strict alignment can make legitimate mail fail DMARC unexpectedly.
- Third-party senders often authenticate with subdomains or custom sending domains.
- Misunderstanding aspf and adkim can break otherwise valid mail flows.
- Overly strict alignment can reduce deliverability before monitoring is complete.
How this affects deliverability
Mailbox providers evaluate whether SPF or DKIM aligns with the visible From domain. If you publish overly strict alignment settings before confirming how your mail actually authenticates, legitimate mail may fail DMARC and lose inbox placement.
Common causes
- Strict alignment was enabled before real mail flows were audited.
- Third-party senders use subdomains or custom DKIM signing domains.
- Teams assume SPF pass or DKIM pass automatically means DMARC pass.
- A copied DMARC template used strict settings without testing.
What we checked
We reviewed whether the DMARC record publishes aspf and adkim tags, and whether the chosen alignment mode matches the way your real mail authenticates.
FAQ
What does aspf control?
The aspf tag controls SPF alignment under DMARC. It decides how closely the SPF-authenticated domain must match the visible From domain.
What does adkim control?
The adkim tag controls DKIM alignment under DMARC. It decides how closely the DKIM signing domain must match the visible From domain.
Should I use strict alignment?
Only if you have already confirmed that all legitimate senders authenticate with the exact domains required. For most domains, relaxed alignment is the safer starting point.
Next steps
- Check whether your current DMARC record includes aspf and adkim.
- Review how SPF and DKIM authenticate for each legitimate sender.
- Use relaxed alignment while monitoring reports unless strict matching is truly required.
- Send test mail from all major providers and inspect DMARC alignment results.
- Tighten alignment only after confirming no legitimate traffic will break.
- Review the full troubleshooting guidance in the DMARC Hub.
- Explore sender authorization issues in the SPF Hub.
- Check signing and selector issues in the DKIM Hub.