--- title: "Are Your SPF and DKIM Identifiers Aligned? | AutoSPF" description: "As you know, DMARC is based on SPF and DKIM, and the alignment of both these protocols is crucial for its processing." image: "https://autospf.com/og/blog/are-your-spf-and-dkim-identifiers-aligned.png" canonical: "https://autospf.com/blog/are-your-spf-and-dkim-identifiers-aligned/" --- Quick Answer As you know, DMARC is based on SPF and DKIM, and the alignment of both these protocols is crucial for its processing. Identifier alignment builds a connection between the authentication flow of SPF and DKIM while also dictating the DMARC policy subjected to illegitimate emails sent from your domain. ## Try Our Free DKIM Lookup Auto-discover DKIM selectors for any domain. [ Discover DKIM Selectors → ](/tools/dkim-lookup/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fare-your-spf-and-dkim-identifiers-aligned%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Are%20Your%20SPF%20and%20DKIM%20Identifiers%20Aligned%3F&url=https%3A%2F%2Fautospf.com%2Fblog%2Fare-your-spf-and-dkim-identifiers-aligned%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fare-your-spf-and-dkim-identifiers-aligned%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fare-your-spf-and-dkim-identifiers-aligned%2F&title=Are%20Your%20SPF%20and%20DKIM%20Identifiers%20Aligned%3F "Share on Reddit") [ ](mailto:?subject=Are%20Your%20SPF%20and%20DKIM%20Identifiers%20Aligned%3F&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fare-your-spf-and-dkim-identifiers-aligned%2F "Share via Email") ![authenticated email](https://media.mailhop.org/autospf/images/2024/07/spf-validator-8821.jpg) As you know, DMARC is based on SPF and DKIM, and the alignment of both these protocols is crucial for its processing. Identifier alignment builds a connection between the authentication flow of SPF and [DKIM](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dkim-record-check/) while also dictating the DMARC policy subjected to [illegitimate emails](https://www.scmagazine.com/news/new-phishing-tactic-hijacks-email-protections-to-mask-links) sent from your domain. _DKIM ([RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists._ Learn more in our [comprehensive DKIM guide](/blog/what-is-dkim-email-authentication-guide/). _The two DMARC alignments, strict and relaxed, determine how stringently your chosen [DMARC policy](https://customer.io/blog/dmarc-policy/) is imposed._ Let’s understand this concept in detail. ## Shortcoming of SPF \`SPF has two ‘From’ addresses, one is the [envelope ‘From’ address](https://www.mybluelinux.com/what-is-email-envelope-and-email-header/), and the second is the header ‘From’ address. _By default, [SPF](/blog/what-is-spf-email-a-guide-to-sender-validation-technology/) authenticates only the envelope ‘From’ address, which means [threat actors](https://thehackernews.com/2024/06/void-arachne-uses-deepfakes-and-ai-to.html) can still send emails from your domain using one of the authorized servers with a spoofed header ‘From’ address._ ## Shortcoming of DKIM _By default, DKIM only authenticates the d= value, which can differ from the domain value in the header ‘From’ address_. This means that it doesn’t matter if the ‘From’ field the recipients see differs from what’s been authenticated by DKIM. ![Spf record generator 2](https://media.mailhop.org/autospf/images/2024/07/spf-record-generator-2.jpg) ## What is DMARC alignment? DMARC alignment means that domains under all the sections of an outgoing email’s header should match. A successful DMARC alignment indicates that the message has passed SPF and/or DKIM authentication checks. This process prevents [phishing](https://gbhackers.com/phishing-tactics-impersonating/), spoofing, and [ransomware attacks](/blog/how-phishing-paves-the-way-for-ransomware-attacks/) emerging from emails. Let’s understand this better. [DMARC](/fraudmarc-alternatives/) is based on the authentication results of SPF and DKIM. DMARC uses central identity, which is the domain found in the ‘From’ header. This domain is seen as the originating domain and is supposed to have your organization’s domain name in it. _When the receiving server gets your email, SPF activates to check its [Return Path](https://bird.com/guides/return-path-explained), whereas DKIM starts validating the encrypted signature._ Please note that both these authentication checks are performed independently on two different domains. Once both the protocols are done with their processes, DMARC takes their results to verify if the domain used in either of them aligns with the ‘From’ domain (the central identity). If either matches, DMARC alignment is achieved. ## How Does DMARC alignment modes, strict Compare to relaxed? There are two DMARC alignment modes, strict and relaxed. _In strict alignment, there should be an exact match between the domain in the ‘From’ address and the one validated by SPF and/or DKIM._ In relaxed alignment, the organizational domains should be the same, even if there is a difference in the subdomains. This is a more preferred alignment mode as it offers a degree of leniency, minimizing the instances of [false positives](https://www.nospamproxy.de/en/what-is-a-false-positive-and-what-is-a-false-negative/). ### Strict DMARC alignment As mentioned above, it’s more rigid as it demands an exact match between the domains. It’s preferred by companies involving [sensitive data](https://www.csoonline.com/article/2091966/sensitive-us-government-data-exposed-after-space-eyes-data-breach.html) like financial and [medical information](https://www.jdsupra.com/legalnews/the-center-for-digestive-health-2858369/). _Many government domains are also subjected to this DMARC alignment only._ However, not many domain owners prefer it because of its inflexibility. It can raise false positives for genuine messages that don’t meet the criteria of exactly matching domains, jeopardizing email communication at multiple levels. ### Relaxed DMARC alignment This one is less strict than its counterpart, allowing messages to pass DMARC checks despite not having an exact match between the domains. This is useful for companies dealing with multiple subdomains or those with a heavy flow of customer support and [marketing-based email exchanges](https://encharge.io/what-is-email-marketing/). _While this alignment mode reduces the likelihood of false positives, it might let illegitimate emails slip off due to its lenient nature._ ![authenticated email](https://media.mailhop.org/autospf/images/2024/07/spf-flattening-6553.jpg) ## Choosing the right DMARC alignment for your domains Deciding which DMARC alignment mode is best suited for your domain can be warring. You need to consider the [complexity of your email infrastructure](https://eitca.org/cybersecurity/eitc-is-acss-advanced-computer-systems-security/messaging/messaging-security/examination-review-messaging-security/how-does-the-complexity-of-email-systems-and-the-involvement-of-multiple-trusted-entities-complicate-the-assurance-of-security-in-email-communications/) and tolerance for false positives. And it goes without saying that if you deal with the storage and exchange of sensitive data, strict alignment mode is your savior. Here is how you can begin- ### Set your alignment mode in the DMARC record Mention the DMARC policy and alignment mode you prefer- - For SPF alignment, use the “aspf” tag: - aspf=s for strict alignment. - aspf=r for relaxed alignment. - For DKIM alignment, use the “adkim” tag: - adkim=s for strict alignment. - adkim=r for relaxed alignment. ### How Do You Implement and test your alignment choice? After updating your [DMARC record](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dmarc-record-check/), monitor the impact. _Start with a less restrictive policy (p=none or p=quarantine) to observe email processing without affecting deliverability_. Review DMARC reports to check email alignment and identify issues like legitimate emails failing DMARC due to alignment problems. If legitimate emails are rejected under strict alignment, switch to relaxed alignment. If [phishing attempts](https://www.helpnetsecurity.com/2024/07/11/using-authy-beware-of-impending-phishing-attempts/) pass under relaxed alignment, tighten to strict alignment. ### Keep monitoring and making adequate adjustments Continuously monitor DMARC reports to ensure your alignment mode is effective. Adjust as your email practices evolve, or [new threats emerge](https://www.simplilearn.com/top-cybersecurity-trends-article). Use DMARC reports to gain insights into how your domain is being used to send emails and detect [spoofing attempts](https://thehackernews.com/2024/05/nsa-fbi-alert-on-n-korean-hackers.html). You may make necessary changes to your [SPF record](/explaining-sender-policy-framework-spf-macros/spf-record-syntax/). If your SPF record exceeds the [lookup limit](/spf-too-many-dns-lookups/) during the process, [reach out to us](/contact-us/) to quickly resolve the issue with our [SPF Flattening](/) service. ## Topics [ DKIM ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/)[ SPF ](/tags/spf/)[ SPF record ](/tags/spf-record/) ![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Ready to get started? Try AutoSPF free — no credit card required. [ Book a Demo ](/book-a-demo/) ## Related Articles [ Intermediate 3m 3 points to consider before setting your SPF record to -all (HardFail) May 22, 2025 ](/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/)[ Intermediate 6m Automated Solutions for Preventing Email Spoofing May 7, 2026 ](/blog/automated-solutions-for-preventing-email-spoofing/)[ Intermediate 7m AutoSPF Explains: The Definitive Guide to Adding an SPF Record to Cloudflare Jan 7, 2026 ](/blog/autospf-definitive-guide-adding-spf-record-cloudflare/)[ Intermediate 9m Avoiding the common SPF and DKIM mistakes in 2026 Feb 19, 2026 ](/blog/avoiding-the-common-spf-and-dkim-mistakes-in-2026/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json {"@context":"https://schema.org","@type":"BlogPosting","headline":"Are Your SPF and DKIM Identifiers Aligned?","description":"As you know, DMARC is based on SPF and DKIM, and the alignment of both these protocols is crucial for its processing.","url":"https://autospf.com/blog/are-your-spf-and-dkim-identifiers-aligned/","datePublished":"2024-07-18T15:17:50.000Z","dateModified":"2026-04-18T02:36:41.000Z","dateCreated":"2024-07-18T15:17:50.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://autospf.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind AutoSPF, DMARC Report, Phish Protection, and Mailhop. He founded DuoCircle in 2014 to solve the SPF 10-DNS-lookup problem at scale and has led the company's growth to 2,000+ customers. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement) rather than hands-on DNS engineering.","image":"https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/are-your-spf-and-dkim-identifiers-aligned/"},"articleSection":"intermediate","keywords":"DKIM, DMARC, email security, SPF, SPF record","wordCount":901,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/images/2024/07/spf-validator-8821.jpg","caption":"authenticated email","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}} ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"Are Your SPF and DKIM Identifiers Aligned?","item":"https://autospf.com/blog/are-your-spf-and-dkim-identifiers-aligned/"}]} ```