
Yes. With relaxed DMARC alignment, subdomain1.domain.com and subdomain3.domain.com are aligned for SPF because they share the same organizational domain, domain.com. The return-path domain does not need to sit beneath the exact visible From subdomain. It only needs the same organizational domain when the DMARC SPF alignment mode is relaxed.
The part that trips people up is that SPF itself does not know about DMARC alignment. SPF checks the IP against the SPF record for the envelope sender domain, usually the 5321.MailFrom domain. DMARC then checks whether that authenticated SPF domain lines up with the visible 5322.From domain. For ongoing DMARC monitoring, I watch both pieces separately: did SPF pass, and did the SPF-authenticated domain line up with the From domain under DMARC rules?
The short answer
Relaxed SPF alignment in DMARC compares organizational domains, not the full hostname tree. If two domains share the same organizational domain, DMARC treats them as aligned for relaxed SPF alignment. That means a visible From domain at subdomain1.domain.com can pass DMARC through SPF when the return-path domain is subdomain3.domain.com, provided SPF passes for subdomain3.domain.com.
- Same organization: Sibling subdomains under the same registered domain pass relaxed DMARC SPF alignment.
- SPF first: The sending IP still needs to pass SPF for the return-path or HELO domain checked by the receiver.
- No inheritance: SPF does not walk up to the parent domain or across to another subdomain to find a record.
- DMARC decides: The relaxed comparison belongs to DMARC, after SPF has already authenticated a domain.
Practical rule
If the visible From domain and the SPF-authenticated domain have the same organizational domain, relaxed SPF alignment passes. If they have different organizational domains, it fails unless DKIM gives DMARC another passing, aligned result.
How relaxed SPF alignment is calculated
DMARC works with two domain identities for this specific check. The first is the visible From domain, taken from the 5322.From header. The second is the domain that SPF authenticated, normally the return-path domain. Relaxed mode reduces both domains to their organizational domain and compares those results.

Flowchart showing SPF pass first, then DMARC relaxed organizational domain comparison.
For subdomain1.domain.com and subdomain3.domain.com, the organizational domain is domain.com for both. That is enough for relaxed alignment. The same logic also covers deeper names, such as a.b.domain.com, because the organizational domain still reduces to domain.com.
| Visible From domain | SPF-authenticated domain | Relaxed alignment | Reason |
|---|---|---|---|
| subdomain1.domain.com | subdomain3.domain.com | Passes | Both reduce to domain.com |
| subdomain1.domain.com | subdomain2.subdomain1.domain.com | Passes | Both reduce to domain.com |
| subdomain1.domain.com | mail.other.com | Fails | The organizational domains differ |
| news.example.co.uk | bounce.example.co.uk | Passes | Both reduce to example.co.uk |
Relaxed SPF alignment examples for one visible From domain.
The public suffix boundary matters. In a domain like example.co.uk, the organizational domain is not co.uk. It is example.co.uk. This is why a proper DMARC parser matters when you troubleshoot alignment across country-code domains and delegated subdomains.
Why SPF pass is different
I separate SPF authentication from DMARC SPF alignment because they answer different questions. SPF asks whether the sending IP is authorized by the SPF record for the envelope domain. DMARC asks whether the domain authenticated by SPF matches the visible From domain closely enough for the chosen DMARC alignment mode.
SPF authentication
- Question: Is this IP allowed to send for the envelope sender domain?
- Domain used: The return-path domain, or HELO when the return path is empty.
- Record lookup: The receiver checks the SPF record published at that exact domain.
DMARC SPF alignment
- Question: Does the SPF-authenticated domain match the visible From domain?
- Domain used: The authenticated SPF domain and the header From domain are compared.
- Mode choice: Relaxed mode compares organizational domains, while strict mode compares exact domains.
This difference explains the common surprise: subdomain3.domain.com can be aligned with subdomain1.domain.com under DMARC, but SPF will still fail if subdomain3.domain.com has no SPF record authorizing the sending IP. SPF does not check domain.com as a fallback, and it does not inspect subdomain1.domain.com just because that is the visible From domain.
Do not rely on SPF inheritance
Publish SPF at the actual return-path domain used by the sender, or configure the sender to use a return-path domain that already has the right SPF record. Parent-domain SPF does not automatically cover child subdomains.
Examples that pass or fail
The DMARC record controls SPF alignment mode through the aspf tag. If the tag is missing, DMARC uses relaxed SPF alignment by default. I still prefer to set it deliberately when the policy needs to be obvious to future administrators.
Relaxed SPF alignment in a DMARC record
```dns
_dmarc.domain.com. TXT "v=DMARC1; p=quarantine; aspf=r; adkim=r;" "rua=mailto:dmarc-reports@domain.com"
```
With that record, a message using From: user@subdomain1.domain.com and Return-Path: bounce@subdomain3.domain.com can pass DMARC through SPF if the sending IP passes SPF for subdomain3.domain.com. The sibling relationship is not the key. The shared organizational domain is the key.
Strict SPF alignment in a DMARC record
```dns
_dmarc.domain.com. TXT "v=DMARC1; p=quarantine; aspf=s; adkim=r;" "rua=mailto:dmarc-reports@domain.com"
```
With strict SPF alignment, the same message fails DMARC through SPF because the return-path domain and visible From domain are not identical. Strict mode requires subdomain1.domain.com to match subdomain1.domain.com exactly for SPF alignment. A different sibling subdomain fails strict SPF alignment even when SPF authentication itself passes.
SPF alignment modes
How much domain matching DMARC requires after SPF passes.
- Relaxed (aspf=r): Organizational domains match
- Strict (aspf=s): Full domains match exactly
If you want a deeper split between SPF authentication and alignment, the related explanation on SPF authentication and alignment is useful when a report says SPF passed but DMARC still failed.
How to test it
When I troubleshoot this, I start with the actual message headers, not assumptions about the sending platform. The visible From domain, the return-path domain, the SPF result, and the DMARC result are enough to explain most relaxed alignment outcomes.
- Find From: Read the visible header From domain, not the display name shown in the inbox.
- Find return path: Read the envelope sender domain that SPF evaluated.
- Check SPF: Confirm the sending IP passed SPF for that return-path domain.
- Compare domains: Reduce both domains to organizational domains when DMARC uses relaxed SPF alignment.
- Check DKIM: Remember that aligned DKIM can pass DMARC even when SPF alignment fails.
A focused DMARC checker helps validate the published record, but header inspection still matters because SPF alignment depends on the domain used in a real message.
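The steps above, together with the relaxed and strict comparison described earlier, as an added example that is not part of the original article or Suped's product. The function names are hypothetical, `PUBLIC_SUFFIXES` is a small constructed stand-in for the full Public Suffix List, and the sample message and records are constructed from the article's domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed subset of the Public Suffix List; production code loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

def org_domain(domain):
    """Reduce a hostname to its organizational domain (public suffix + one label)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # first hit is the longest matching suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: assume a one-label TLD

def aspf_mode(dmarc_record):
    """Return 'r' or 's' from a DMARC TXT value; a missing aspf tag means relaxed."""
    pairs = (part.partition("=") for part in dmarc_record.split(";"))
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in pairs}
    return tags.get("aspf", "r")

def spf_aligned(from_domain, spf_domain, mode):
    """DMARC SPF alignment: exact match when strict, organizational match when relaxed."""
    if mode == "s":
        return from_domain.lower() == spf_domain.lower()
    return org_domain(from_domain) == org_domain(spf_domain)

def check_message(raw_message, dmarc_record):
    """Evaluate SPF pass and DMARC SPF alignment as two separate checks."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # A null return path (<>) means SPF used the HELO name; not handled here.
    spf_domain = parseaddr(msg["Return-Path"])[1].rpartition("@")[2]
    # Only trust an Authentication-Results header added by your own receiver.
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    spf_pass = bool(m) and m.group(1).lower() == "pass"
    aligned = spf_aligned(from_domain, spf_domain, aspf_mode(dmarc_record))
    return {"spf_pass": spf_pass, "aligned": aligned, "dmarc_via_spf": spf_pass and aligned}

# Constructed sample message and records, using the domains from the article.
SAMPLE = (
    "Return-Path: <bounce@subdomain3.domain.com>\n"
    "Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bounce@subdomain3.domain.com\n"
    "From: Billing <user@subdomain1.domain.com>\n"
    "Subject: constructed example\n\nbody\n"
)
RELAXED = "v=DMARC1; p=quarantine; adkim=r; rua=mailto:dmarc-reports@domain.com"  # no aspf tag
STRICT = "v=DMARC1; p=quarantine; aspf=s; adkim=r; rua=mailto:dmarc-reports@domain.com"
print(check_message(SAMPLE, RELAXED), check_message(SAMPLE, STRICT))
```

The same message passes DMARC through SPF under the record without an aspf tag and fails alignment under aspf=s, while `spf_pass` stays true in both cases.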
For production domains, I also check whether marketing, billing, support, and application mail each use predictable return-path domains. Random or vendor-controlled bounce domains create reports that look inconsistent until each source is mapped to its actual envelope sender.

DMARC record detail view showing SPF, DKIM, DMARC, rDNS diagnostics, and DNS records
Where Suped fits
Suped is strongest when the question moves from one example message to a domain-wide operating problem. A single header explains one delivery. Aggregate DMARC reports show which sources are using which return-path domains, which ones pass SPF, which ones pass DKIM, and which ones are failing alignment.
In Suped's product, the source breakdown and issue views separate legitimate sender configuration problems from mail that should be rejected. The practical workflow is simple: identify the source, confirm its return-path domain, fix SPF or DKIM on that source, then move the DMARC policy forward once the noise is under control.
What Suped helps you see
- Source mapping: Which platforms send mail for each domain and subdomain.
- Issue detection: Whether SPF, DKIM, DMARC, DNS, or policy staging needs attention.
- Hosted controls: Hosted SPF, SPF flattening, hosted DMARC, and hosted MTA-STS without constant DNS edits.
- Reputation checks: Blocklist (blacklist) monitoring alongside authentication and deliverability signals.
For most teams, Suped is the best overall practical choice because it combines DMARC, SPF, DKIM, hosted policy management, real-time alerts, and multi-tenant reporting in one place. If DNS ownership is fragmented across teams, hosted DMARC is especially useful because policy staging becomes a managed workflow instead of a long chain of manual TXT record changes.
Views from the trenches
Best practices
- Compare organizational domains after SPF passes, not before checking the SPF result.
- Document each sender's return-path domain so reports map cleanly to real systems.
- Use relaxed SPF alignment unless strict matching has a clear operational purpose.
Common pitfalls
- Assuming SPF records inherit from parent domains creates false confidence in subdomains.
- Treating sibling subdomains as misaligned hides valid relaxed DMARC pass results.
- Ignoring DKIM alignment makes SPF issues look worse than the actual DMARC outcome.
Expert tips
- Test real headers because dashboards often hide the envelope sender domain detail.
- Set aspf deliberately so future DNS reviewers understand the intended matching rule.
- Use aggregate reports to spot senders that rotate return-path domains unexpectedly.
Marketer from Email Geeks says sibling subdomains under the same organizational domain count as aligned in relaxed DMARC SPF alignment.
2023-07-26 - Email Geeks
Marketer from Email Geeks says any hostnames below the same organizational domain can satisfy relaxed alignment when SPF has passed.
2023-07-26 - Email Geeks
The practical rule
The direct answer is simple: under relaxed mode, subdomain3.domain.com is aligned with subdomain1.domain.com because both share domain.com as the organizational domain. DMARC does not require the return-path domain to be a child of the visible From domain in relaxed mode.
The caveat is just as important: the SPF result must pass for the actual return-path domain. Relaxed DMARC alignment does not repair a missing SPF record, a bad include, a DNS lookup failure, or a sending IP that is not authorized. Treat SPF authentication and DMARC alignment as two checks in sequence, then the answer becomes clear in almost every report.

