
Understanding "aspf" and "adkim" in Email Authentication

When configuring your email domain's authentication settings, ensuring that emails from your domain are properly verified without causing delivery issues is crucial. Two key elements in this process are aspf (Alignment SPF) and adkim (Alignment DKIM). These settings define how strict the alignment between the sender’s domain and authentication mechanisms should be.

If you do not specify the aspf and adkim tags in your DMARC record, alignment defaults to "relaxed" mode. Keeping relaxed mode is generally recommended, as it accommodates the way Email Service Providers (ESPs) handle SPF and DKIM alignment, particularly when multiple subdomains are in use.

Common Issues Faced:

A common challenge arises when domains use multiple subdomains for sending emails (e.g., marketing.example.com and support.example.com). In these cases, setting the alignment too strictly can lead to legitimate emails being rejected or flagged as suspicious. Therefore, it’s important to understand how to balance security and flexibility when configuring ASPF and ADKIM.


What is aspf?


ASPF controls how the SPF authentication system aligns the domain in the email's "From" address with the domain used in the SPF check.

Relaxed (r): The "From" domain and the SPF-checked domain must share the same base (organizational) domain, meaning subdomains are allowed. For example, mail.example.com would pass even if the email was sent from example.com.


[Image: SPF pass]

In the example above, the return path is em1714.levon12.dmarc-11-test.online, which is a subdomain of levon12.dmarc-11-test.online. Since aspf is set to relaxed, the email passes SPF alignment.


Strict (s): The domains must match exactly. In this case, mail.example.com would not match example.com, and the email will fail SPF alignment, as the "From" address won't match the Return-Path exactly.

The same email sent in strict mode fails SPF alignment, as the MAIL FROM (Return-Path) domain and the "From" address domain don't match exactly.


Example of ASPF in Action: If your organization uses several subdomains to send emails (e.g., sales.example.com, info.example.com), setting ASPF to strict (s) could cause emails to fail SPF alignment because the subdomains wouldn’t exactly match your primary domain (example.com). This may block legitimate communications from reaching their recipients.


What is adkim?

adkim determines how closely the DKIM signature domain aligns with the "From" address domain.

Relaxed (r): The DKIM signature domain and the "From" domain must belong to the same organization (i.e., subdomains are allowed).

Strict (s): The domains must match exactly.

Example of ADKIM in Action: If you’re signing emails with DKIM for subdomains (e.g., news.example.com) but the "From" address is example.com, setting ADKIM to strict (s) could cause DKIM alignment failures, leading to deliverability issues.
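The aspf and adkim checks described above, as an added example (not EasyDMARC's code) that reads the tags from a DMARC record and evaluates both alignments for one message. The function names are hypothetical, `PUBLIC_SUFFIXES` is a tiny constructed stand-in for the Public Suffix List that real evaluators use, and the From domain and DKIM `d=` value in the sample message are assumed.

```python
# Added example: DMARC identifier alignment under aspf/adkim.
# Assumption: a constructed, deliberately tiny stand-in for the Public Suffix
# List. Real evaluators derive the organizational domain from the full PSL.
PUBLIC_SUFFIXES = {"com", "org", "online", "co.uk"}


def org_domain(domain):
    """Return the organizational domain: public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback: assume a one-label suffix


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; aspf/adkim default to 'r'."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares org domains."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def check(record, from_domain, return_path_domain, dkim_d):
    """Return (spf_aligned, dkim_aligned) for one message under one record."""
    tags = parse_dmarc(record)
    return (aligned(from_domain, return_path_domain, tags["aspf"]),
            aligned(from_domain, dkim_d, tags["adkim"]))


if __name__ == "__main__":
    # Return-Path from the article's example; From and DKIM d= are assumed.
    msg = ("levon12.dmarc-11-test.online",
           "em1714.levon12.dmarc-11-test.online",
           "levon12.dmarc-11-test.online")
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=none; aspf=s; adkim=s"):
        print(rec, "->", check(rec, *msg))
```

Alignment is evaluated only on identifiers that already passed SPF or DKIM themselves; this sketch covers the domain comparison, not the underlying authentication.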


Recommendation

In general, it’s recommended to use relaxed (r) alignment for both ASPF and ADKIM, especially if your organization sends emails from multiple subdomains. This allows flexibility while maintaining authentication integrity. However, if your domain setup is more straightforward, using strict (s) alignment can provide an additional layer of security by requiring exact domain matches. Ultimately, the choice between relaxed and strict depends on your specific needs and how your domain is structured.