
ASPF & ADKIM (Strict vs Relaxed)

When setting up your email domain's authentication, it’s important to ensure that messages are correctly verified without disrupting email delivery. Two critical components in this setup are aspf (SPF alignment) and adkim (DKIM alignment). These parameters determine how strictly the sender’s domain must align with the domains used in SPF and DKIM checks.


If you don’t explicitly define the aspf and adkim tags in your DMARC record, the system will default to a "relaxed" alignment mode. This default setting is usually recommended, as it offers greater flexibility and is more compatible with how Email Service Providers (ESPs) manage authentication across subdomains.


Common Issues Faced:


A common challenge occurs when organizations send emails from multiple subdomains (e.g., marketing.example.com and support.example.com). In such scenarios, applying strict alignment settings can cause legitimate emails to be flagged or rejected, particularly when various subdomains are in use. As a result, it’s crucial to strike the right balance between security and flexibility when configuring aspf and adkim in your DMARC policy.


What is aspf?


ASPF (SPF Alignment) determines how strictly the domain in the "From" address must match the domain used in the SPF check:


Relaxed (r): Allows subdomain alignment. The "From" domain and the SPF domain only need to share the same base domain (e.g., mail.example.com aligns with example.com). This is useful when multiple subdomains are used for sending.



Strict (s): Requires an exact domain match. Subdomains like mail.example.com would not align with example.com, causing SPF alignment to fail.



Using relaxed mode is generally safer for organizations using multiple subdomains, while strict mode enforces tighter security but risks rejecting legitimate emails.


What is adkim?


ADKIM (DKIM Alignment) controls how strictly the DKIM signature domain must match the "From" address domain:


Relaxed (r): Allows subdomain alignment—DKIM can pass if the signature domain is a subdomain of the "From" domain.


Strict (s): Requires an exact match between the DKIM signature domain and the "From" address domain.


Relaxed is more flexible and suitable when using subdomains for signing, while strict enforces tighter control but may cause deliverability issues if subdomains are used.
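The alignment rules for aspf and adkim described above can be checked with a short script. This is an added example, not code from the original article or from any mail provider. The function names, the sample domains, and the two-entry suffix list are assumptions made for illustration; a production check would use the Public Suffix List to find the base domain. It only tests alignment and assumes SPF and DKIM themselves already passed.

```python
# Assumption: the base (organizational) domain is the last two labels, or the
# last three when the domain ends in one of these constructed suffixes.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict; missing aspf/adkim mean relaxed."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags

def aligned(from_domain, auth_domain, mode):
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":                      # strict: exact match only
        return a == b
    return org_domain(a) == org_domain(b)  # relaxed: same base domain

def alignment_report(record, from_domain, spf_domain, dkim_domain):
    """spf_domain is the domain used in the SPF check; dkim_domain is the
    DKIM signature domain (d=)."""
    tags = parse_dmarc(record)
    return {
        "spf": aligned(from_domain, spf_domain, tags["aspf"]),
        "dkim": aligned(from_domain, dkim_domain, tags["adkim"]),
    }

# Constructed sample: mail sent by a marketing platform on a subdomain.
RELAXED = "v=DMARC1; p=reject"                    # tags omitted -> relaxed
STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s"
SAMPLE = ("example.com", "bounce.marketing.example.com", "marketing.example.com")

if __name__ == "__main__":
    print("relaxed:", alignment_report(RELAXED, *SAMPLE))
    print("strict: ", alignment_report(STRICT, *SAMPLE))
```

With the sample message, the record without aspf/adkim aligns on both mechanisms, while the strict record aligns on neither, which is the subdomain failure described under Common Issues Faced.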


Recommendation on when to use strict alignment


1. Strict alignment for both SPF and DKIM is suitable when you have a dedicated server and it is the sole source of your outbound email.

2. Strict alignment for both SPF and DKIM is recommended when using sources that can only be configured at the root domain level and not for subdomains.

3. You can use strict alignment for both SPF and DKIM on parked domains to ensure maximum security. In this case, it's also recommended that the DMARC policy be set to 100% reject to fully protect the domain from abuse.

4. You can use strict alignment for both SPF and DKIM for high-value or sensitive domains (e.g., financial, government, healthcare domains); these types of sources generally use dedicated infrastructure to send their outbound emails.