DMARC alignment: the field everyone misconfigures
You publish SPF. You publish DKIM. You publish DMARC. The MX record is correct. Mail flows.
dmarcian shows green. You feel safe.
A week later, customers receive a phishing email "from" your domain. The headers pass SPF. The headers pass DKIM. DMARC says "yes". Yet the message is not from you.
The reason is alignment. SPF and DKIM both verify "an authorised sender for some domain"
— but DMARC only protects you if that domain matches the one in the
From: header. Most setups skip the matching.
The three identifiers
An email passing through your inbox actually identifies itself three different ways:
| Identifier | Set by | Visible to user? |
|---|---|---|
SMTP MAIL FROM (envelope) | The sender's MTA | No |
From: header | The composing application | Yes (this is what people see) |
DKIM signing domain (d=) | Whoever signs the message | No (header only) |
SPF authenticates the envelope (MAIL FROM). DKIM authenticates the signing
domain (d=). The user only sees the From: header.
If those three are different domains, an attacker can pass SPF/DKIM with their own server,
while displaying any From: they want. The visible identity is
completely separate from what the auth checked.
Where DMARC steps in
DMARC's job is to tie the From: header to one of the auth-passing identifiers.
It does this through alignment — checking that the domain in
From: matches either the SPF envelope domain (SPF alignment) or the DKIM
d= domain (DKIM alignment).
The DMARC record has two flags that govern this:
aspf=s(strict) —From:domain must equal SPF envelope domain.aspf=r(relaxed, default) —From:must share the organisational domain with SPF envelope (foo.example.commatchesexample.com).adkim=s(strict) —From:domain must equal DKIMd=domain.adkim=r(relaxed, default) — same organisational-domain rule.
The misconfiguration we see most
The DMARC record people copy from internet templates is:
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
No adkim, no aspf — defaults to relaxed for both. That works for
most internal infrastructure where everything is on example.com proper.
But what if you outsource transactional email to a vendor like SendGrid, Mailgun, Postmark?
They'll happily sign with their own DKIM domain (sendgrid.net) and use their
own envelope. Without explicit DKIM signing on YOUR domain (with a CNAME like
s1._domainkey.example.com), DMARC on your apex never aligns. Phishing campaigns
that send from a server they control, signing with their own DKIM key, show your
From: ceo@example.com... and pass DMARC because some other auth record on the
path lined up.
From: domain.
Strict vs relaxed: the practical guide
Default r/r (relaxed both) catches most internal use — billing.example.com
is treated as the same org as example.com, even though they're different DNS labels.
This is fine for typical setups.
Strict mode (s/s) is what you want when you don't trust subdomains. If
support.example.com is a hosted Zendesk instance with its own DNS, you may not
want it speaking on behalf of example.com. Strict mode forces an exact label match.
A safe path for most teams:
- Start with relaxed (
r/r),p=none, and an RUA mailbox. - Watch the aggregate reports for a month. Identify which legitimate senders are passing alignment and which aren't.
- Fix the failing senders (CNAME their DKIM keys to your domain, configure custom MAIL FROM).
- Bump to
p=quarantine; pct=10. Watch reports another month. - Ramp
pctto 100, thenp=reject. Optionally tighten toadkim=s; aspf=s.
How UnveilScan checks alignment
The dmarc_alignment checker (Extended profile) parses your DMARC record and reports:
p=nonein production (LOW informational — DMARC is monitor-only).pct<100— only a fraction of failing mail is acted on (MEDIUM).adkim=r; aspf=rwithp=reject— recommend tightening tos/sif your sender topology allows (LOW).- Missing
rua— you're flying blind without aggregate reports (MEDIUM). - Cross-checks SPF for > 10 DNS lookups (RFC 7208 §4.6.4 hard limit; permerror once exceeded — HIGH).
Fix list comes with copy-paste DNS records for OVH, Cloudflare, Route53 and the BIND zone format. Re-scan after publishing the fix to see the score climb.
Why this matters now
Google and Yahoo started enforcing DMARC for bulk senders in February 2024. Microsoft 365 followed in 2025. A weak DMARC config no longer means "you might get phished some day" — it means "your transactional emails go to spam this quarter, and your phishing exposure is unchanged".
The cost of fixing alignment is minutes. The cost of not fixing it is reputational damage that takes months to recover from.
Audit your DMARC alignment in 60 seconds
Extended scan parses SPF + DKIM + DMARC + alignment policy and shows what's failing.
See pricing