Contents
_dmarc.gmail.com. 491 IN TXT "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com"
https://mxtoolbox.com/dmarc/details/dmarc-tags/aspf
https://support.google.com/a/answer/10032169#alignment
From: header domain
1. DMARC alignment options
DMARC passes or fails a message based on
- how closely the message From: header matches the sending domain specified by either SPF or DKIM.
This is called alignment.
You can choose from two alignment modes: strict and relaxed.
Set the alignment mode for SPF and DKIM in the DMARC record.
- The aspf and adkim DMARC record tags set the alignment mode.
In the following cases, we recommend you consider changing to strict alignment for increased protection against spoofing:
- Mail is sent for your domain from a subdomain outside your control You have subdomains that are managed by another entity
To pass DMARC, a message must pass at least one of these checks:
SPF authentication and SPF alignment
DKIM authentication and DKIM alignmentA message fails the DMARC check if the message fails both:
SPF (or SPF alignment)
DKIM (or DKIM alignment)Important: Relaxed alignment typically provides sufficient spoofing protection.
Strict alignment can result in messages from associated subdomains to be rejected or sent to spam.
Authentication method |
Strict alignment |
Relaxed alignment |
SPF |
An exact match between the SPF authenticated domain, and the domain in the header From: address. |
The domain in the header From: address must match or be a subdomain of the SPF authenticated domain. |
DKIM |
An exact match between the relevant DKIM domain, and the domain in the header From: address. |
The domain in the header From: address must match or be a subdomain of the domain specified in the DKIM signature d= tag. |
2. Understand envelope sender and From: addresses
Email messages have two types of addresses that indicate the sender.
- It’s important to understand the difference between these addresses when setting up SPF, DKIM, and DMARC.
The envelope sender address and the From: address for a message can be different or the same.
2.1. Envelope sender address
The email address that indicates where the message came from. Undeliverable message notices, or bounces, are sent to this address. The Envelope-Sender address is also referred to as the Return-Path address or the bounce address. Message recipients don’t see the envelope sender address.
SPF typically uses the message envelope sender address for authentication.
2.2. From: address
The email address in the message header. Messages have two parts: the message header and the message body. The header has information about the message, including: sender name and email address, message subject, and the sending date. The From: header includes the email address, and usually the name of the person who sent the message.
DKIM uses the message From: address for authentication.