
What strategy should you adopt to align your domains with DMARC?

Following the announcements from Google and Yahoo reinforcing authentication checks for senders sending more than 5,000 emails a day, DMARC (via domain alignment) is becoming a must-have standard... And the numerous alerts and articles springing up all over the place on various blogs and social networks won't tell me otherwise! We've even done a YouTube Live on the subject :p

In addition to meeting the demands of Google and Yahoo, companies should be focusing on securing their domains and sub-domains. Unfortunately, during my audits, I still make far too many recommendations on the settings and implementation of authentication (be it SPF, DKIM or even DMARC). So it's hardly surprising that ISPs and webmails are tightening up their filtering rules to further secure and filter the e-mails received by their users!

Implementing DMARC is great! But behind this implementation, there's a real strategy to be put in place for authentication with SPF and DKIM, but also for domain alignment. In this article, I'll show you the importance of aligning your domains with DMARC in order to make them more secure, to be better perceived by your users (at least the most seasoned ones) and also to avoid the Google / Yahoo headache, at least if their announcements give you the creeps...

What is domain alignment with DMARC?

DMARC compliance reminder

The rule is simple for DMARC to apply: to comply with DMARC, an e-mail must have at least its SPF check valid and aligned, or its DKIM signature valid and aligned, with the domain used as the sender (the From domain). By alignment, we mean that the domain authenticated by SPF or signed with DKIM corresponds to the sender domain! It can be identical or part of the same tree. But DMARC goes even further in domain protection, allowing two alignment modes to be applied to SPF and DKIM: "relaxed" or "strict".

"Relaxed" or "flexible" alignment

The "relaxed" alignment is the default, applied when no alignment mode is explicitly declared in the DMARC record. This alignment is handled differently for SPF and DKIM, since the checks are not carried out at the same place; here are the different possible scenarios:

| Authentication | Declaration | Relaxed / flexible alignment |
|---|---|---|
| SPF | aspf=r | The MailFrom domain must be identical to the sender domain or belong to the same tree (same organizational domain). |
| DKIM | adkim=r | The domain signed with DKIM (d= field) must be identical to the sender domain or belong to the same tree. |

All in all, this alignment mode offers real flexibility when it comes to configuring authentication, particularly for SPF, where some routers (sending platforms) require the delegation of a specific sub-domain to configure the MailFrom domain.

"Strict" alignment

"Strict" alignment is the safest option for a configuration. To be active, it must be explicitly specified in the DMARC record.

"Strict" alignment is also handled differently for SPF and DKIM, since the checks are not carried out at the same place; here are the different possible scenarios:

| Authentication | Declaration | Strict alignment |
|---|---|---|
| SPF | aspf=s | The MailFrom domain must be identical to the sender domain. |
| DKIM | adkim=s | The domain signed with DKIM (d= field) must be identical to the sender domain. |

This "strict" alignment is ideal for really securing your domain name, or even your router configuration (as long as all the domains are identical, as with Engage (cf. Marigold / ex-Selligent)).

Some examples of alignment and their results with SPF

Here are the different configurations that can be found with SPF alignments:

| From domain | MailFrom / Envelope domain | Relaxed alignment | Strict alignment |
|---|---|---|---|
| badsender.com | badsender.com | Yes | Yes |
| emailing.badsender.com | emailing.badsender.com | Yes | Yes |
| badsender.com | emailing.badsender.com | Yes | No |
| emailing.badsender.com | badsender.com | Yes | No |
| emailing.badsender.com | contact.badsender.com | Yes | No |
| badsender.com | badsender.fr | No | No |
| badsender.com | bf1.hubspot.com | No | No |

We can see that only the last two examples fail SPF alignment in both modes and, in the absence of an aligned DKIM signature, would trigger the DMARC security policy, as the domains used in From (badsender.com) and in MailFrom (or Envelope Sender) (badsender.fr / bf1.hubspot.com) are totally different.

Some examples of DKIM alignment and results

Here are the different configurations that can be found with DKIM alignments:

| From domain | Signed domain (d=) | Result | Relaxed alignment | Strict alignment |
|---|---|---|---|---|
| badsender.com | badsender.com | Aligned | Yes | Yes |
| emailing.badsender.com | emailing.badsender.com | Aligned | Yes | Yes |
| badsender.com | emailing.badsender.com | Aligned | Yes | No |
| emailing.badsender.com | badsender.com | Aligned | Yes | No |
| emailing.badsender.com | contact.badsender.com | Aligned | Yes | No |
| badsender.com | badsender.fr | Not aligned | No | No |
| badsender.com | bf1.hubspot.com | Not aligned | No | No |

Again, only the last two examples fail DKIM alignment in both modes and, in the absence of an aligned SPF result, would trigger the DMARC security policy, as the domains signed with DKIM (badsender.fr and bf1.hubspot.com) are totally different from the sending domain (badsender.com).
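As an added example (not code from the article or from Badsender), here is a small Python implementation of the alignment rules behind the two tables above and of the DMARC compliance rule from the start of the article. The function names are mine, and the organizational domain is simplified to the last two labels of a name; a real DMARC verifier uses the Public Suffix List so that names such as example.co.uk are handled correctly.

```python
# Added example: SPF/DKIM alignment checks in DMARC's relaxed ("r") and
# strict ("s") modes, run over the rows of the article's own tables.


def organizational_domain(domain: str) -> str:
    """Return the organizational domain used for relaxed alignment.

    Simplification (assumption): the last two labels are taken as the
    organizational domain. A real verifier uses the Public Suffix List so
    that e.g. "sub.example.co.uk" maps to "example.co.uk".
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Is auth_domain aligned with from_domain under the given mode?

    mode is the value of aspf= / adkim=: "s" (strict) requires an exact
    match, "r" (relaxed) requires the same organizational domain (same tree).
    """
    frm = from_domain.lower().rstrip(".")
    auth = auth_domain.lower().rstrip(".")
    if mode == "s":
        return frm == auth
    if mode == "r":
        return organizational_domain(frm) == organizational_domain(auth)
    raise ValueError(f"unknown alignment mode: {mode!r}")


def dmarc_pass(from_domain: str, spf_domain: str, spf_result: str,
               dkim_domain: str, dkim_result: str,
               aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC compliance rule: at least one of SPF or DKIM must both pass and
    be aligned. aspf/adkim default to relaxed, as they do when the DMARC
    record does not declare them."""
    spf_ok = spf_result == "pass" and is_aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, adkim)
    return spf_ok or dkim_ok


# (From domain, MailFrom domain or DKIM d= domain) pairs taken from the
# article's two tables; both tables use the same domain pairs.
ARTICLE_ROWS = [
    ("badsender.com", "badsender.com"),
    ("emailing.badsender.com", "emailing.badsender.com"),
    ("badsender.com", "emailing.badsender.com"),
    ("emailing.badsender.com", "badsender.com"),
    ("emailing.badsender.com", "contact.badsender.com"),
    ("badsender.com", "badsender.fr"),
    ("badsender.com", "bf1.hubspot.com"),
]


def alignment_table(rows=ARTICLE_ROWS):
    """Return (from_domain, auth_domain, relaxed_ok, strict_ok) per row."""
    return [(f, a, is_aligned(f, a, "r"), is_aligned(f, a, "s")) for f, a in rows]


if __name__ == "__main__":
    print(f"{'From domain':24} {'MailFrom / d= domain':24} relaxed strict")
    for frm, auth, relaxed, strict in alignment_table():
        yes_no = lambda b: "Yes" if b else "No"
        print(f"{frm:24} {auth:24} {yes_no(relaxed):7} {yes_no(strict)}")
```

Running the block prints the same Yes/No columns as the tables; `dmarc_pass` shows why a message whose MailFrom is a router domain such as bf1.hubspot.com still complies as long as the DKIM signature is aligned.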

What strategy should you adopt to align your domains?

Please note that DMARC works on an "inheritance" basis: if your DMARC record is published on your main domain, its sub-domains inherit the same record (unless they publish their own DMARC record).

Before asking yourself what type of alignment to adopt, start by carrying out a complete audit of all the domains you use (main domains and sub-domains), to find out what settings are in place and what platforms you use. This will make it easier for you to know which strategy to adopt: DMARC management by inheritance (which may not be so simple in the end if you have a lot of sub-domains to manage with different usage strategies) or by sender domain (which can be time-consuming but offers greater flexibility if you wish to manage different security policies or different alignments between your sub-domains).

In the 3 scenarios below, we're going to use DMARC management per sender domain. This will be useful if you use many sub-domains on different platforms.

Case study 1: The Must Have! Apply a "Strict" alignment

With this configuration in STRICT alignment (reminder: aspf=s and adkim=s), your e-mail flows will be as secure as possible. On the other hand, as far as domain settings are concerned, the MailFrom domain checked by SPF and the domain signed with DKIM must be exactly the same as the sending domain. So make sure everything's OK before you commit to it 😉

Personally, this is the option I recommend, as long as you use one sender domain for one tool (you avoid sharing a domain across several routing platforms).

Case study 2: The Nice to Have! Alternating "Relaxed" and "Strict" alignments

With this intermediate configuration (which I'm seeing more and more), we opt for a "relaxed" alignment with SPF (aspf=r) and "strict" alignment with DKIM (adkim=s). It's good here when you're on shared IP(s) (since you'll generally be using a generic router domain as the MailFrom domain) and you sign the sender domain with the router's DKIM key.

It's a good compromise when you're not using dedicated IP(s)!

Case study 3: The default configuration! Apply a "Relaxed" alignment

If you don't want to bother with domain alignment, opt for the default configuration (which is "relaxed" for both SPF and DKIM). Here, you don't even need to declare aspf or adkim in your record, since relaxed is the default. Make sure, however, that DKIM is signed with the sending domain or a domain in the same tree to validate DMARC, otherwise the rule defined in "p" (or "sp" for sub-domains) will apply.

DMARC configuration and alignment examples

I have analyzed and listed below 3 newsletters received in my personal mailbox:

Example 1: Qonto

  • From domain : qonto.com
  • SPF domain : cio35236.qonto.com → SPF valid with relaxed alignment
  • DKIM domain : cio35236.qonto.com → DKIM valid with relaxed alignment
  • DMARC record : v=DMARC1; p=reject; rua=mailto:dmarc_agg@vali.email

For the Qonto e-mail, the DMARC security rule will not apply since SPF and DKIM are valid and aligned with the sender's domain 🙂

Example 2: Chilowé

  • From domain : chilowe.com
  • SPF domain : mail221.atl61.mcsv.net → SPF valid but not aligned with the From domain
  • DKIM domain : chilowe.com → DKIM valid with strict alignment
  • DMARC record : v=DMARC1; p=none

For Chilowé's e-mail, the DMARC security rule won't apply since DKIM is valid and aligned with the sender's domain 🙂 Too bad DMARC reports aren't collected, though (no rua tag)!

Example 3: NFL International

  • From domain : e.nfluk.com
  • SPF domain : e.nfluk.com → SPF valid with strict alignment
  • DKIM domain : e.nfluk.com → DKIM valid with strict alignment
  • DMARC record : no DMARC record!

For the NFL International e-mail, even though SPF and DKIM are valid and aligned with the sender's domain, the fact that no DMARC record is present on the domain is likely to draw the attention of Google and Yahoo next February... Unless they fix it before then 😉
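As an added example (not code from the article or from the senders it analyses), the following Python block shows how a receiver resolves the DMARC record for a From domain, including the sub-domain inheritance described in the strategy section, and then decides the outcome for each of the three newsletters above plus the three case-study configurations. The records for qonto.com and chilowe.com are the ones quoted in the article; e.nfluk.com deliberately has none; the example.com zone, its news.example.com sub-domain and the function names are constructed for the illustration. Alignment is passed in as the level actually achieved ("strict", "relaxed" or None), exactly as the article reports it for each mechanism.

```python
# Added example: resolve a DMARC record (with sub-domain inheritance and the
# aspf/adkim defaults), then decide whether a message passes or which policy
# applies. Alignment levels are supplied as inputs, as in the article's write-ups.
from typing import Optional, Tuple

# Constructed DNS zone keyed by the TXT owner name (_dmarc.<domain>).
# qonto.com and chilowe.com carry the records quoted in the article; e.nfluk.com
# has none; example.com (with sp=, aspf=, adkim=) is constructed for inheritance.
DNS_TXT = {
    "_dmarc.qonto.com": "v=DMARC1; p=reject; rua=mailto:dmarc_agg@vali.email",
    "_dmarc.chilowe.com": "v=DMARC1; p=none",
    "_dmarc.example.com": ("v=DMARC1; p=quarantine; sp=reject; aspf=r; adkim=s; "
                           "rua=mailto:dmarc-reports@example.com"),
}

# Which achieved alignment levels satisfy each declared mode: strict ("s") needs
# an identical domain, relaxed ("r") accepts an identical domain or the same tree.
LEVEL_SATISFIES = {"s": {"strict"}, "r": {"strict", "relaxed"}}


def parse_dmarc(txt: str) -> Optional[dict]:
    """Split 'tag=value; tag=value' into a dict; None if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def organizational_domain(domain: str) -> str:
    # Simplification: last two labels (real verifiers use the Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookup_dmarc(from_domain: str, zone=DNS_TXT) -> Tuple[Optional[dict], bool]:
    """Return (record, inherited): the From domain's own _dmarc record if it has
    one, otherwise the organizational domain's record (inherited=True)."""
    own = zone.get(f"_dmarc.{from_domain}")
    if own is not None:
        return parse_dmarc(own), False
    org = organizational_domain(from_domain)
    if org != from_domain and f"_dmarc.{org}" in zone:
        return parse_dmarc(zone[f"_dmarc.{org}"]), True
    return None, False


def reporting_enabled(tags: dict) -> bool:
    """True when aggregate reports are requested (rua= present)."""
    return "rua" in tags


def evaluate(from_domain: str, spf_result: str, spf_level: Optional[str],
             dkim_result: str, dkim_level: Optional[str], zone=DNS_TXT) -> str:
    """Decide 'pass', 'fail: apply <policy>' or 'no DMARC record'."""
    tags, inherited = lookup_dmarc(from_domain, zone)
    if tags is None:  # absent or syntactically invalid record: nothing to enforce
        return "no DMARC record"
    aspf = tags.get("aspf", "r")    # relaxed is the default for both modes
    adkim = tags.get("adkim", "r")
    spf_ok = spf_result == "pass" and spf_level in LEVEL_SATISFIES[aspf]
    dkim_ok = dkim_result == "pass" and dkim_level in LEVEL_SATISFIES[adkim]
    if spf_ok or dkim_ok:
        return "pass"
    # sp= governs sub-domains that use an inherited record and defaults to p=.
    policy = tags.get("p", "none")
    if inherited:
        policy = tags.get("sp", policy)
    return f"fail: apply {policy}"


if __name__ == "__main__":
    print("Qonto:  ", evaluate("qonto.com", "pass", "relaxed", "pass", "relaxed"))
    print("Chilowé:", evaluate("chilowe.com", "pass", None, "pass", "strict"))
    print("NFL:    ", evaluate("e.nfluk.com", "pass", "strict", "pass", "strict"))
    # Constructed sub-domain: generic router MailFrom (SPF not aligned) and a
    # DKIM key on the parent domain (relaxed only) against adkim=s and sp=reject.
    print("news.example.com:", evaluate("news.example.com", "pass", None, "pass", "relaxed"))
```

The last case is the one the inheritance note warns about: the sub-domain has no record of its own, so it inherits example.com's strict DKIM requirement and, on failure, the sp=reject policy rather than the parent's p=quarantine.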

To conclude on domain alignment with DMARC

In my opinion, there is no real difficulty in aligning at least one of these domains with DMARC (the easiest being DKIM, provided your routing platform gives you a key, of course, which is still not the case with some platforms in 2023 and even 2024 now!). But as I often say... one is good, but two is better!

Small disclaimer: don't forget that an unprotected domain is a vulnerable domain (and therefore an easy target for spoofing), so whether you're using a new platform or migrating to one, remember to set up your default e-mail authentication: SPF, DKIM and DMARC.

– – – – –

To find out more about SPF, DKIM and DMARC configurations, please see our dedicated articles:

  • What is SPF? Configuration, verification and monitoring
  • What is DKIM? Configuration, verification and monitoring
  • DMARC: Why and how to deploy it?
