Suped

Summary

The broad consensus is that DMARC will fail if the SPF record is only on a subdomain while using `aspf=s` (strict alignment), because `aspf=s` requires an exact match between the SPF-authenticated domain (MAIL FROM) and the domain in the `From` header. SPF records do not inherently cover subdomains. However, DMARC can still pass if DKIM authentication succeeds. Using `aspf=r` (relaxed alignment) is an alternative if exact domain matching is not feasible. Note that both SPF and DKIM must fail for the DMARC policy to take effect.

Key findings

  • Strict Alignment Requirement: `aspf=s` mandates a precise match between SPF-authenticated domain and the From header domain.
  • Subdomain SPF Failure: An SPF record that exists only on a subdomain will not satisfy SPF alignment under `aspf=s` when the From header uses the parent domain.
  • DKIM Fallback: DMARC uses DKIM if SPF fails; DMARC passes if DKIM passes.
  • SPF Record Scope: SPF records don't cover subdomains by default; each subdomain needs its own SPF record.
  • Alternative: `aspf=r` may be used if the same domain cannot be used in the From header and the return path.

Key considerations

  • SPF Configuration: Ensure SPF records are appropriately configured for the domain used in the From header.
  • DKIM Implementation: Implement and correctly configure DKIM as a backup authentication method.
  • DMARC Policy: Understand your DMARC policy and how it will be enforced when both SPF and DKIM fail.
  • Alignment Mode: Carefully select the appropriate alignment mode (`aspf=s` vs. `aspf=r`) based on your domain setup and security needs.
  • Effort: Acknowledge that effort may be needed to have the same domain in your From: header and your return path.
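
The alignment logic summarized above, as an added Python example (not code from any of the cited sources). The DMARC records, domains and results are constructed samples, and the organizational domain is assumed to be the last two labels; real receivers use the Public Suffix List.

```python
# Added example: DMARC identifier alignment (RFC 7489 section 3.1), simplified.
# Assumption: organizational domain = last two labels; real receivers use the
# Public Suffix List, so this is wrong for suffixes such as co.uk.

def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC TXT record as a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = exact match, 'r' = same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)

def evaluate(record, from_domain, spf, dkim):
    """spf / dkim are (result, domain) tuples: the MAIL FROM domain that SPF
    checked and the d= domain of the DKIM signature."""
    tags = parse_dmarc(record)
    aspf = tags.get("aspf", "r")    # relaxed is the default
    adkim = tags.get("adkim", "r")
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample: From: example.com, bounces handled on a subdomain
STRICT = "v=DMARC1; p=reject; aspf=s"
RELAXED = "v=DMARC1; p=reject; aspf=r"
SPF = ("pass", "bounce.example.com")

if __name__ == "__main__":
    for label, rec, dkim in [
        ("strict, no DKIM", STRICT, ("none", "")),
        ("strict, DKIM pass", STRICT, ("pass", "example.com")),
        ("relaxed, no DKIM", RELAXED, ("none", "")),
    ]:
        print(label, evaluate(rec, "example.com", SPF, dkim))
```

SPF itself passes in all three cases; only the alignment verdict changes with the `aspf` tag, which is why a receiver's Authentication-Results header can show `spf=pass` alongside `dmarc=fail`.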

What email marketers say

8 marketer opinions

The consensus is that DMARC will fail with `aspf=s` if the SPF record is only on a subdomain and the `From` header uses the parent domain. This is because `aspf=s` (strict alignment) requires an exact match between the SPF authenticated domain and the domain in the `From` header. However, DMARC can still pass if DKIM passes, even if SPF fails.

Key opinions

  • Strict Alignment: `aspf=s` mandates a precise match between the SPF-authenticated domain and the domain in the `From` header.
  • Subdomain SPF Failure: If the SPF record exists only on a subdomain, it will not satisfy DMARC's strict alignment requirements when the `From` header uses the parent domain.
  • DKIM as Backup: DMARC only requires either SPF or DKIM to pass. A passing DKIM check can compensate for a failing SPF check.
  • SPF Record Scope: SPF records do not inherently cover subdomains; each subdomain typically needs its own SPF record.

Key considerations

  • SPF Record Placement: Ensure SPF records are appropriately configured for the domain used in the `From` header, not just subdomains if using `aspf=s`.
  • DKIM Configuration: Implement and properly configure DKIM as a backup authentication method to increase the likelihood of DMARC compliance, even if SPF fails.
  • Alignment Mode: Consider using `aspf=r` (relaxed alignment) if SPF records are primarily on subdomains, but be aware of the security implications.
  • DMARC Policy Impact: Understand that DMARC policy will be enforced if both SPF and DKIM checks fail, potentially impacting email deliverability.

Marketer view

Email marketer from StackOverflow answers that SPF records do not cover subdomains by default. Each subdomain needs its own SPF record. Therefore, relying on a subdomain's SPF record for DMARC alignment with a parent domain in the `From` header would fail with `aspf=s`.

9 Nov 2022 - StackOverflow

Marketer view

Marketer from Email Geeks answers no to the original question.

28 Apr 2022 - Email Geeks

What the experts say

2 expert opinions

These experts highlight that if the SPF record is on a subdomain while using `aspf=s`, it will likely fail SPF authentication. In such cases, DMARC relies on DKIM; if DKIM also fails, the DMARC policy is enforced, potentially affecting email deliverability. Using `aspf=r` is an alternative when the same domain cannot be used in both the From header and the return path.

Key opinions

  • SPF Failure: Using a subdomain for SPF with `aspf=s` will cause SPF authentication to fail.
  • DKIM Dependency: DMARC falls back to DKIM if SPF fails.
  • DMARC Policy: If both SPF and DKIM fail, the DMARC policy will be applied, which may impact deliverability.
  • Alternative Alignment: Using `aspf=r` is recommended when the same domain can’t be in both the From header and return-path.

Key considerations

  • Return Path Consistency: Consider the effort involved in aligning the From header and return path domains for `aspf=s`.
  • DKIM Implementation: Ensure DKIM is correctly implemented as a backup authentication method.
  • Deliverability Impact: Be aware that failing both SPF and DKIM can negatively affect email deliverability.
  • Policy Implications: Understand and configure your DMARC policy to handle authentication failures appropriately.

Expert view

Expert from Word to the Wise explains that if SPF fails (which it will with a subdomain and `aspf=s`), DMARC will check for DKIM. If DKIM also fails, the DMARC policy will be applied, potentially leading to deliverability issues.

8 Feb 2023 - Word to the Wise

Expert view

Expert from Email Geeks explains that unless you go to the (significant) effort to have the same domain in your From: header and your return path, `aspf=r` is what you want, and that there’s not really any downside to it.

4 May 2024 - Email Geeks

What the documentation says

3 technical articles

The documentation consistently states that DMARC will fail with `aspf=s` if the SPF record is on a subdomain and the `From` header uses the parent domain. This is because `aspf=s` (strict alignment) mandates an exact match between the domain used for SPF authentication (MAIL FROM) and the domain in the `From` header. When the SPF record is on a subdomain, it doesn't satisfy this requirement. `aspf=r` is suggested as an alternative.

Key findings

  • Strict Alignment Failure: `aspf=s` requires an exact domain match between MAIL FROM and the From header.
  • Subdomain Incompatibility: An SPF record on a subdomain will not satisfy DMARC `aspf=s` if the From header uses the parent domain.
  • Alternative Recommendation: `aspf=r` is recommended as a more flexible alternative.

Key considerations

  • Domain Alignment: Ensure the domain used for SPF authentication matches the domain in the From header when using `aspf=s`.
  • Policy Selection: Consider the implications of strict vs. relaxed alignment based on your domain and subdomain setup.
  • Authentication Scope: Understand that SPF checks are specific to the domain on which they are configured and do not inherently apply to parent domains.

Technical article

Documentation from Valimail.com clarifies that with strict SPF alignment (`aspf=s`), the SPF authenticated domain must exactly match the domain in the `From` header. Therefore, SPF passing on a subdomain will not satisfy DMARC if the `From` header uses the parent domain.

27 Apr 2024 - Valimail.com

Technical article

Documentation from AuthSMTP explains that with `aspf=s` any subdomain will fail, and that `aspf=r` is generally used instead.

18 May 2025 - AuthSMTP.com
