Yes, absolutely. The DMARC 'relaxed' alignment mode is specifically designed to allow a subdomain to match its parent organizational domain. This is one of the most fundamental and useful features of DMARC, providing flexibility for organizations that use multiple subdomains or third-party services to send email.
To understand why this is so important, we first need to look at what DMARC alignment is trying to achieve. It’s all about connecting the domain the user sees in the "From" address with the domains that are authenticated behind the scenes by SPF and DKIM.
By default, this alignment is set to 'relaxed', which is a setting you can control in your DMARC record using the aspf and adkim tags.
Understanding relaxed vs. strict alignment
DMARC offers two modes for checking alignment: relaxed and strict. The choice between them dictates how closely the domains in your email headers must match for DMARC to pass.
- Relaxed alignment: This is the default and most common setting. It allows a subdomain to align with its organizational, or parent, domain. For example, if an email is sent from newsletter.example.com, it will be considered aligned with the domain example.com. As AutoSPF notes, if the domains belong to the same organizational domain, alignment is considered valid.
- Strict alignment: This mode requires an exact match. An email sent from newsletter.example.com would only pass strict alignment if the authenticated domain was also exactly newsletter.example.com. It would not pass for example.com.
How relaxed alignment works in practice
The alignment check happens for both SPF and DKIM independently. For DMARC to pass, only one of them needs to authenticate and align.
SPF relaxed alignment (aspf=r)
For SPF, DMARC compares the domain in the email's "From" header with the domain used in the Return-Path (also known as the Mail From or envelope from). With relaxed alignment, the Return-Path domain (e.g., bounces.example.com) can be a subdomain of the "From" header domain (example.com) and still achieve alignment. This is crucial for many email service providers who handle bounces using their own subdomains.
DKIM relaxed alignment (adkim=r)
For DKIM, DMARC compares the "From" header domain to the domain specified in the DKIM signature's d= tag. In relaxed mode, as long as the organizational domain of the d= tag matches the organizational domain of the "From" header, it aligns. For instance, a DKIM signature with d=marketing.example.com will align for an email from sales@example.com.
Should you use relaxed or strict alignment?
For the vast majority of organizations, relaxed alignment is the correct and necessary choice. It is the default setting for a reason. Many legitimate, third-party email sending services (like Mailchimp, SendGrid, or your helpdesk software) send emails on your behalf and often use their own subdomains for SPF and DKIM authentication.
Using strict alignment would cause these emails to fail DMARC checks, leading to deliverability problems. Strict alignment is typically only used by high-security organizations that have complete control over every single service and subdomain that sends email on their behalf.
In short, relaxed alignment is a core feature that makes DMARC practical for the modern email ecosystem. It ensures your legitimate mail gets delivered while still protecting your domain from unauthorized use.
What DMARC alignment mode is stricter: 'relaxed' or 'strict'?
Which DMARC tag specifies the policy for subdomains?
Can DMARC policies be applied without an SPF or DKIM record?
What DMARC policy allows for email delivery but marks suspicious emails?
Does a DMARC 'rua' URI require 'mailto:' prefix?
Does DMARC prevent domain spoofing directly?
