What are Mail.ru's DMARC, SPF, and DKIM alignment requirements?
Matthew Whittaker
Co-founder & CTO, Suped
Published 6 May 2025
Updated 19 Aug 2025
9 min read
Email authentication protocols like DMARC, SPF, and DKIM are crucial for ensuring deliverability and protecting your domain from abuse. While many email service providers (ESPs) have their own nuanced requirements, some, like Mail.ru, are increasingly tightening their policies, making strict alignment a non-negotiable for successful inbox placement. My clients have recently encountered blocks due to lacking proper DMARC alignment when sending to Mail.ru recipients. This highlights a growing trend among major mailbox providers to enforce stricter email authentication standards, often going beyond the basic requirements.
Understanding these specific alignment rules is essential to avoid deliverability issues. Without proper configuration, your legitimate emails could easily be flagged as spam or rejected entirely, impacting your communication and reputation. We will delve into what Mail.ru specifically requires for SPF, DKIM, and DMARC alignment, and how you can ensure your email infrastructure meets these evolving demands.
The importance of email authentication and alignment
At its core, email authentication involves SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). SPF allows domain owners to specify which mail servers are authorized to send email on their behalf, while DKIM provides a cryptographic signature that verifies the sender and ensures message integrity. DMARC builds upon these two, instructing receiving servers how to handle emails that fail SPF or DKIM checks, and providing reporting back to the domain owner.
Alignment is a critical concept within DMARC. It means that the domain used in the "From" header of an email (the one your recipients see) must match the domain verified by either SPF or DKIM. Without alignment, even if SPF or DKIM pass their respective checks, the DMARC authentication can still fail, leading to messages being blocked or sent to spam folders. This is often why emails go to spam, which results in DMARC, SPF, and DKIM alignment failures.
There are two types of alignment: relaxed and strict. Relaxed alignment allows subdomains to pass if they share the same organizational domain as the "From" header. Strict alignment requires an exact match between the domains. Mailbox providers often decide which level of alignment they enforce, or they might recommend strict alignment for better deliverability.
It's important to understand the basics of these protocols to ensure your emails are delivered correctly. The National Institute of Standards and Technology (NIST) provides a detailed overview of these email authentication mechanisms, which can be a useful reference.
Mail.ru's SPF and DKIM alignment requirements
Mail.ru's postmaster guidelines state that "To successfully pass the check, a valid SPF record or DKIM signature is required. In this case, the domains from From, envelope-from and the 'd' tag in the DKIM signature must match." This statement from Mail.ru indicates a clear emphasis on alignment for both SPF and DKIM. While it uses the word "or" for passing either SPF or DKIM, the subsequent sentence specifies that the domains for both must match for successful checks.
Specifically, this means:
SPF alignment: The domain in the "From" header (RFC5322.From) must align with the domain found in the "Envelope-From" (also known as Return-Path or MailFrom) header. This is often referred to as SPF identifier alignment.
DKIM alignment: The domain in the "From" header (RFC5322.From) must align with the "d=" tag (signing domain) in the DKIM signature. This is DKIM identifier alignment.
While the phrasing "a valid SPF record or DKIM signature is required" might suggest only one needs to pass, the subsequent emphasis on both domains needing to match implies that both SPF and DKIM alignment are effectively required to avoid issues. This is a stricter stance than some other providers, like Gmail and Yahoo, which mandate DMARC authentication with at least one of SPF or DKIM aligning.
Steps to implement and ensure alignment
To ensure your emails pass Mail.ru's checks, you need to configure your DNS records correctly for SPF, DKIM, and DMARC. This is foundational to maintaining your email sending reputation and avoiding being placed on a blacklist or blocklist (or sometimes, simply blocked).
Configuring SPF for alignment
Your SPF record should include all IP addresses and third-party sending services (ESPs) authorized to send email on behalf of your domain. Crucially, the domain in your SPF record should be the same as the Envelope-From domain. For alignment with Mail.ru, this Envelope-From domain must also match your visible From header domain.
Remember, the "~all" mechanism is generally recommended over "-all" for initial setup to avoid hard failures, but for strict compliance and protection, a "-all" policy may be desirable once confident in your SPF setup.
Setting up DKIM for alignment
DKIM involves adding a DNS TXT record with a public key. When an email is sent, the sending server signs it with a private key, and the receiving server uses your public key (from your DNS record) to verify the signature. For Mail.ru's requirements, the "d=" tag in your DKIM signature must match your From header domain. This is essential for DKIM alignment.
While Mail.ru states that SPF or DKIM is required, the underlying DMARC protocol is what enforces the alignment requirement. Your DMARC record should be set up with a policy (p=none, p=quarantine, or p=reject) and ideally with reporting addresses (rua, ruf) to monitor authentication results. This allows you to gain insights into your email traffic and identify any authentication failures, including alignment issues. You can use a DMARC record generator to create this record.
The aspf and adkim tags in the DMARC record specify the alignment mode (strict 's' or relaxed 'r') for SPF and DKIM respectively. For Mail.ru, setting these to strict ('s') is highly recommended to ensure compliance.
Troubleshooting and maintaining deliverability
Even with correct DNS records, alignment issues can arise due to various factors. It's crucial to regularly monitor your DMARC reports to catch these problems early. These reports provide valuable data on how receiving servers are processing your emails and whether they are passing authentication checks, including alignment.
Common reasons for DMARC alignment failures include:
Third-party senders: If you use an ESP or marketing platform, they might send emails on a subdomain or use their own sending domain, which can break alignment. Ensure they offer a way to send emails using your root domain, or that their setup adheres to DMARC alignment best practices.
Forwarding: Email forwarding can sometimes break SPF, as the email is no longer coming directly from the original authorized IP. DKIM is generally more resilient to forwarding.
DNS issues: Incorrectly configured DNS records, typos, or stale records can lead to authentication failures.
Regularly checking your DMARC reports is the most effective way to identify and troubleshoot these issues. Tools that parse DMARC XML reports into human-readable formats are invaluable for this purpose.
The problem
Mail.ru requires SPF or DKIM to pass, but their documentation also says that domains must match from header, envelope-from and the d-tag of the DKIM signature.
Using third-party sending services (ESPs) that do not support DMARC alignment for your domain. This can lead to your emails being marked as spam or blocked by providers like Mail.ru.
The solution
Configure both SPF and DKIM with strict alignment. Ensure your Envelope-From domain matches your From header domain for SPF, and your DKIM "d=" tag matches your From header domain for DKIM.
Choose ESPs that allow you to configure custom return-path domains (for SPF alignment) and sign emails with your own domain (for DKIM alignment). If not, consider using a subdomain for sending or a different ESP.
Beyond technical configurations, maintaining a good sending reputation is paramount. This involves consistent email volume, low spam complaint rates, and avoiding common blocklists. You can use a blocklist checker to see if your domain or IP is listed on any major blacklists (also known as blocklists).
Warning: The implications of non-compliance
If your emails consistently fail to meet Mail.ru's authentication and alignment requirements, they are highly likely to be rejected or quarantined. This means your messages will not reach your intended recipients, leading to significant deliverability issues and a damaged sender reputation. It's not just about getting on a general blacklist, but about specific receiving domains like Mail.ru having their own, stricter internal policies.
Views from the trenches
Best practices
Ensure your SPF, DKIM, and DMARC records are correctly published in DNS with strict alignment for all domains.
Regularly monitor DMARC reports to identify authentication failures and address them promptly.
Choose third-party email service providers that fully support DMARC alignment for your custom domain.
Common pitfalls
Ignoring Mail.ru's specific requirement for domain alignment across all authentication standards.
Assuming relaxed DMARC alignment is sufficient for all mailbox providers.
Not configuring DMARC reporting, missing critical insights into email authentication failures.
Expert tips
For Mail.ru, even if the SPF or DKIM passes, DMARC will fail unless the domains align.
The Russian translation for Mail.ru's requirements might be causing some confusion, but their intent for alignment is clear.
Mail.ru's tightening of rules is similar to recent changes by Google and Yahoo, indicating a broader industry trend.
Expert view
Expert from Email Geeks says that DMARC alignment is now being required by Mail.ru, and a client was recently blocked for not having it.
2024-09-18 - Email Geeks
Expert view
Expert from Email Geeks notes that Mail.ru's exact statement, translated from Russian, is: "To successfully pass the check, a valid SPF record or DKIM signature is required. In this case, the domains from From, envelope-from and the 'd' tag in the DKIM signature must match."
2024-09-18 - Email Geeks
Adhering to strict authentication for Mail.ru
Mail.ru's requirements for DMARC, SPF, and DKIM alignment reflect a broader industry push towards stronger email authentication. While their documentation might appear to offer an "or" choice between SPF and DKIM passing, the critical detail lies in the subsequent demand for domain alignment across all relevant headers. To ensure your emails reach Mail.ru inboxes, prioritize strict SPF and DKIM alignment, alongside a robust DMARC policy with reporting.
Proactive monitoring of your email authentication results and swift remediation of any failures will be key to maintaining high deliverability. By adhering to these standards, you not only ensure your messages are delivered but also protect your domain from impersonation and build trust with recipients, bolstering your overall email marketing success and preventing your messages from landing on a common blocklist (or blacklist).
Mail.ru.
