Suped

What DMARC alignment mode is stricter: 'relaxed' or 'strict'?

When setting up DMARC, you'll encounter two alignment modes for SPF and DKIM: 'relaxed' and 'strict'. These settings determine how closely the domain in your email's 'From' header must match the domains specified in your SPF and DKIM records. Understanding the difference is key to a successful DMARC implementation.

To answer the question directly, 'strict' alignment is the stricter of the two modes. It requires an exact domain match, offering tighter security but less flexibility than the 'relaxed' mode.


How DMARC alignment works

DMARC alignment is a mechanism to verify that the domain shown to the end user in the 'From' address is the actual domain that authorized the email. It does this by checking for a match between the 'From' domain and the domains found in the SPF and DKIM authentication checks. For DMARC to pass, at least one of these checks (SPF or DKIM) must both pass authentication and be aligned.

Strict alignment explained

When you set your DMARC alignment mode to 'strict', you are telling receiving mail servers to treat an email as aligned only when the domains match exactly. This applies to SPF and DKIM alignment independently.

  • Strict SPF Alignment: The domain in the 'From' header must be an identical match to the domain used in the SPF Return-Path (also known as the envelope from or MailFrom address).
  • Strict DKIM Alignment: The domain in the 'From' header must be an identical match to the domain specified in the DKIM signature's 'd=' tag.

For example, with strict alignment, an email from sales@suped.com would fail SPF alignment if the Return-Path domain was bounces.marketing.suped.com, because strict mode requires an exact match.

Relaxed alignment explained

Relaxed alignment, which is the default setting if not specified, is more forgiving. It allows for subdomains to be used by your various sending services while still passing alignment. This is very common when using third-party email providers.

  • Relaxed SPF Alignment: The 'From' domain and the Return-Path domain must share the same root organizational domain.
  • Relaxed DKIM Alignment: The 'From' domain and the domain in the DKIM signature's 'd=' tag must share the same root organizational domain.

Using our previous example, with relaxed alignment an email from sales@suped.com sent with a Return-Path domain of bounces.marketing.suped.com would pass SPF alignment because both share the root domain suped.com.
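The two modes can be compared side by side in code. The following is an added example, not Suped's own code: it evaluates the sales@suped.com message above under a record with no alignment tags and under one that sets both to strict. The function names are hypothetical, `aspf` and `adkim` are the DMARC record tags that select the SPF and DKIM alignment mode, and `SUFFIXES` is a small constructed stand-in for the Public Suffix List that a real receiver would use to find the organizational domain.

```python
# Added example: DMARC identifier alignment in strict vs relaxed mode.
# Assumption: SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
SUFFIXES = {"com", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no suffix is known

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def alignment_modes(record):
    """Read aspf/adkim from a DMARC TXT record; both default to relaxed ('r')."""
    tags = dict(
        (k.strip().lower(), v.strip().lower())
        for k, _, v in (part.partition("=") for part in record.split(";") if "=" in part)
    )
    return tags.get("aspf", "r"), tags.get("adkim", "r")

def dmarc_pass(record, from_domain, spf_ok, spf_domain, dkim_ok, dkim_domain):
    """DMARC passes if SPF or DKIM both authenticates and aligns with the From domain."""
    aspf, adkim = alignment_modes(record)
    spf = spf_ok and aligned(from_domain, spf_domain, aspf)
    dkim = dkim_ok and aligned(from_domain, dkim_domain, adkim)
    return spf or dkim

if __name__ == "__main__":
    # Constructed sample: the page's sales@suped.com message, with no DKIM signature.
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=none; aspf=s; adkim=s"):
        ok = dmarc_pass(rec, "suped.com", True, "bounces.marketing.suped.com", False, "")
        print(rec, "->", "pass" if ok else "fail")
```

Under the strict record the same message still passes DMARC if it carries a valid DKIM signature with `d=suped.com`, because only one of the two identifiers has to authenticate and align.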

Which mode should I choose?

For the vast majority of senders, starting with relaxed mode is the best approach. It provides a good balance of security and flexibility, preventing legitimate emails from being blocked, especially when you are just beginning your DMARC journey and gathering data on your email sources.

DuoCircle says:
It's suggested to start with the relaxed alignment mode and shift to the strict mode when the number of false positives becomes null or minimal.

As DuoCircle suggests, the common best practice is to begin with relaxed alignment. This allows you to collect DMARC reports and see which services are sending email on your behalf without inadvertently blocking them. Once you have analyzed your reports and are confident that all legitimate sources are properly authenticated and aligned, you can consider moving to strict for enhanced security.

Ultimately, strict mode provides the strongest defense against spoofing, but it requires careful management of your sending domains. Relaxed mode is a safe and effective starting point for getting your DMARC policy in place.
