Will DMARC pass with aspf=s if SPF record is on a subdomain?
Michael Ko
Co-founder & CEO, Suped
Published 4 Jul 2025
Updated 19 Aug 2025
The question of whether DMARC will pass when your SPF record is on a subdomain and your DMARC record specifies aspf=s (strict SPF alignment) is a common one. It touches upon crucial aspects of email authentication, particularly how Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) work together to verify email legitimacy. Understanding this interaction is key to ensuring your emails reach their intended inboxes and avoid falling into spam folders or being rejected outright.
The short answer is typically no: with aspf=s in your DMARC record, SPF alignment fails when your SPF record (and therefore the Return-Path) is on a subdomain that differs from the domain in your From: header, so DMARC will not pass on SPF. However, there are nuances and other factors, such as DKIM alignment, that can influence the final DMARC result. I'll delve into the specifics of why this happens and what you can do to ensure your email authentication is correctly configured.
DMARC leverages two underlying email authentication protocols: SPF and DKIM. For a DMARC check to pass, at least one of these protocols must not only authenticate the email but also achieve alignment with the domain in the RFC5322.From header (the domain visible to the recipient). This alignment is where the complexity arises, especially when dealing with subdomains.
SPF authentication checks if an email originated from an IP address authorized by the sending domain's SPF record. The domain checked for SPF is typically the Return-Path domain (also known as the Mail From or Envelope From domain). For SPF alignment, DMARC compares this Return-Path domain with the RFC5322.From domain.
DKIM, on the other hand, uses cryptographic signatures to verify that an email has not been tampered with and was sent by an authorized sender. DKIM alignment compares the DKIM signing domain (the d= tag in the DKIM signature) with the RFC5322.From domain. For a comprehensive overview of these protocols, refer to a simple guide to DMARC, SPF, and DKIM.
Strict vs. relaxed SPF alignment
The key to your question lies in the aspf tag within your DMARC record. This tag dictates the SPF alignment mode. There are two options: strict (s) and relaxed (r). The default mode is relaxed if no aspf tag is specified.
Strict alignment (aspf=s)
Requirement: The Return-Path domain must exactly match the RFC5322.From header domain.
Subdomain impact: If your RFC5322.From header is example.com and your SPF record (Return-Path) is sub.example.com, SPF alignment will fail under strict mode because the domains do not precisely match.
Relaxed alignment (aspf=r or default)
Requirement: The organizational domain of the Return-Path must match the organizational domain of the RFC5322.From header. Subdomains are permitted.
Subdomain impact: If your RFC5322.From header is example.com and your SPF record (Return-Path) is sub.example.com, SPF alignment will pass under relaxed mode because example.com is the organizational domain for both.
Many email service providers (ESPs) use subdomains for their Return-Path addresses. This is common practice to manage bounces and feedback loops. If your DMARC policy is set to aspf=s and you're sending through an ESP that uses a subdomain for the Return-Path, SPF alignment will fail.
Subdomains and SPF alignment
To explicitly answer your question, if your RFC5322.From header is example.com and your SPF record (and thus the Return-Path) is associated with sub.example.com, then with aspf=s in your DMARC record, the SPF alignment check will fail. This is because example.com does not exactly match sub.example.com.
For aspf=s to pass, the domain in the From: header and the Return-Path domain must be identical. This means if your SPF record is on sub.example.com, your From: header would also need to be sub.example.com. This is why most organizations prefer aspf=r for SPF alignment to allow for flexibility with subdomains.
Example of SPF failure with aspf=s
Consider an email with:
From header: sender@yourdomain.com
Return-Path: bounces@sub.yourdomain.com (where the SPF record resides)
DMARC policy: v=DMARC1; p=quarantine; aspf=s;
In this scenario, yourdomain.com does not exactly match sub.yourdomain.com, so SPF alignment will fail due to aspf=s. To learn more about how sp tags affect subdomain policies, check out our guide on DMARC sp tag effects.
It's important to remember that DMARC policies can also be set explicitly for subdomains. If you have sub.example.com and you publish a DMARC record directly on _dmarc.sub.example.com, this specific record will take precedence for emails sent from that subdomain, overriding any policy set by the main domain or its sp tag. You can read more about this in our article on how DMARC records on subdomains override root policies.
The role of DKIM in DMARC passing
While SPF alignment failing due to aspf=s and a subdomain SPF record might seem like a complete DMARC failure, it's not necessarily the end of the line. DMARC requires only one of SPF or DKIM to pass authentication and achieve alignment. This means DKIM can act as a fallback.
If your email is DKIM signed and the DKIM signing domain (the d= tag) aligns with your RFC5322.From domain (under strict or relaxed matching, depending on the adkim tag in your DMARC record), then DMARC will still pass, even if SPF alignment failed. This is a critical point for email deliverability. For more detail, you can consult the AWS SES documentation on DMARC.
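The alignment logic described above, as an added example that is not part of the original article: it evaluates the article's sample message under aspf=s, with a DKIM fallback, and under the relaxed default. The function names and the short suffix set used to find the organizational domain are assumptions made for illustration.

```python
# Added example, not Suped's code. Simplifying assumption: the organizational
# domain is the last two labels, or three under a suffix in TWO_LABEL_SUFFIXES.
# Real receivers use the Public Suffix List for this step.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}  # constructed sample, not exhaustive


def parse_dmarc(record):
    """Parse a DMARC record into tags; aspf and adkim default to relaxed."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed compares organizational domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode.lower() == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(record, from_addr, return_path, spf_pass, dkim_d=None, dkim_pass=False):
    """Return the SPF/DKIM alignment results and the overall DMARC verdict."""
    tags = parse_dmarc(record)
    from_domain = from_addr.rsplit("@", 1)[1]
    rp_domain = return_path.rsplit("@", 1)[1]
    spf_ok = spf_pass and aligned(rp_domain, from_domain, tags["aspf"])
    dkim_ok = bool(dkim_d) and dkim_pass and aligned(dkim_d, from_domain, tags["adkim"])
    verdict = "pass" if (spf_ok or dkim_ok) else "fail"
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": verdict}


if __name__ == "__main__":
    strict = "v=DMARC1; p=quarantine; aspf=s;"  # policy from the article's example
    frm, rp = "sender@yourdomain.com", "bounces@sub.yourdomain.com"
    print(evaluate(strict, frm, rp, spf_pass=True))  # SPF authenticates but is not aligned
    print(evaluate(strict, frm, rp, True, dkim_d="yourdomain.com", dkim_pass=True))
    print(evaluate("v=DMARC1; p=quarantine;", frm, rp, spf_pass=True))  # relaxed default
```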
The importance of DKIM
While SPF is valuable, DKIM is often considered more robust because it authenticates the content of the email and is less prone to breaking due to forwarding or mailing list re-writing. It also provides an additional layer of trust for recipients, particularly with major inbox providers like Google and Yahoo. To understand why DMARC can pass even if SPF fails, review our related article.
To ensure robust email deliverability, it's always recommended to have both SPF and DKIM properly configured and aligned. This provides redundancy and strengthens your domain's reputation. If you're encountering DMARC failures, checking both SPF and DKIM alignment is the first step in troubleshooting.
Views from the trenches
Best practices
Always ensure both SPF and DKIM are properly set up for all domains and subdomains that send email.
Utilize DMARC’s relaxed alignment mode (aspf=r) for SPF, especially when using third-party sending services.
Monitor your DMARC reports closely to identify any authentication failures and take corrective action promptly.
Common pitfalls
Setting aspf=s without a clear understanding of its implications for subdomains and Return-Path domains.
Not having a DKIM record or failing DKIM alignment, which eliminates the fallback mechanism for DMARC.
Failing to publish DMARC records for subdomains when specific policies are needed, leading to unexpected behavior.
Expert tips
If you use an ESP, verify their instructions for SPF and DKIM setup to ensure alignment with your DMARC policy.
Gradually implement DMARC policies, starting with p=none, to monitor impacts before moving to quarantine or reject.
Consider using a dedicated subdomain for marketing emails to isolate their reputation from transactional emails.
Expert view
Expert from Email Geeks says that strict alignment means an exact match, so if the SPF record is on a subdomain and the From header is the main domain, SPF alignment will fail.
2024-02-02 - Email Geeks
Marketer view
Marketer from Email Geeks says that unless you go to the significant effort to have the same domain in your From: header and your return path, aspf=r is what you want, as there isn't really any downside to it.
2024-03-15 - Email Geeks
Final thoughts on DMARC and subdomains
In summary, if your DMARC record is configured with aspf=s (strict SPF alignment) and your SPF record is published on a subdomain while your From: header uses the main organizational domain, SPF alignment will fail. This is due to the strict requirement for an exact domain match. However, the overall DMARC validation can still pass if your DKIM record is correctly configured and achieves alignment. This highlights the complementary nature of SPF and DKIM in DMARC authentication.
For most senders, using aspf=r (relaxed SPF alignment) is generally recommended, as it offers greater flexibility with subdomains without compromising security. Continuously monitoring your DMARC reports is essential to catch and address any authentication failures, ensuring your emails consistently land in the inbox.