
DMARC aspf=r vs aspf=s: SPF alignment explained

aspf=r is relaxed SPF alignment (subdomains OK); aspf=s is strict (exact match). Relaxed (r) is the default in both RFC 7489 and RFC 9989. Here's the lookup table, pass/fail examples, and what the RFCs say.

Standards basis: Alignment definitions based on RFC 9989 (DMARCbis), which obsoletes RFC 7489 and RFC 9091. aspf and adkim are defined in RFC 9989 Section 4.7. RFC 7489 Section 6.3 is preserved only as a historical reference for readers migrating from the old spec.

Marc Lelu

You’re looking at a DMARC record and see aspf=r or aspf=s. What does that mean?

Quick answer:

  • aspf=r (relaxed): the SPF-authenticated domain and the From domain must share the same organizational domain. mail.example.com aligns with example.com.
  • aspf=s (strict): the domains must match exactly. mail.example.com does NOT align with example.com.
  • If aspf is absent, relaxed mode applies automatically. It’s the default in both RFC 7489 and the current spec, RFC 9989.

Lookup table: does SPF alignment pass?

| aspf value | From address | SPF-authenticated domain | Aligned? |
| --- | --- | --- | --- |
| aspf=r (relaxed) | [email protected] | bounce.example.com | Pass (same org domain) |
| aspf=r (relaxed) | [email protected] | sendgrid.net | Fail (different org domain) |
| aspf=s (strict) | [email protected] | example.com | Pass (exact match) |
| aspf=s (strict) | [email protected] | mail.example.com | Fail (not an exact match) |

The SPF-authenticated domain is the Return-Path (envelope sender), not the From header your recipients see.

What aspf does

DMARC connects SPF and DKIM authentication results to the From address recipients see. That connection is called alignment.

aspf controls SPF alignment specifically. SPF validates the Return-Path domain (the envelope sender, used for bounce handling), which is invisible to recipients. The From header is what appears in the inbox. These two addresses can be entirely different domains.

When you send through a third-party service, the Return-Path usually uses the provider’s domain. SPF may pass for that provider domain, but if it doesn’t share an organizational domain with your From address, SPF alignment fails.

This is why DKIM alignment usually matters more in practice. We explain the full picture in our guide on DMARC, SPF, and DKIM alignment.

Relaxed vs strict: when each makes sense

Relaxed alignment (default)

Use relaxed alignment when:

  • You send from subdomains like mail.example.com or marketing.example.com
  • Your SPF record covers the root domain but emails originate from subdomains
  • You use third-party services that set the Return-Path to a subdomain of your domain
  • You’re not sure (it’s the safe default)

With relaxed alignment, the organizational domains must match. Both newsletter.example.com and support.example.com align with example.com.

Strict alignment

Use strict alignment when you have direct control over your entire sending infrastructure, every email comes from the exact same domain with no subdomains, and you’ve verified through several weeks of DMARC reports that nothing would break.

Strict alignment means mail.example.com does not align with example.com. The domains must be identical. This is rarely necessary and frequently causes delivery problems when subdomains or third-party senders are involved.

ESP examples: why relaxed alignment still fails for third-party senders

Relaxed alignment is permissive for subdomains, but it doesn’t help when the Return-Path belongs to a completely different organizational domain.

Amazon SES, by default, sets the Return-Path to a subdomain of amazonses.com. SPF passes for that domain, but amazonses.com shares no organizational relationship with yourcompany.com, so SPF alignment fails whether you use aspf=r or aspf=s. Amazon’s own documentation confirms this: to get SPF alignment with SES, you need to configure a custom MAIL FROM domain that is a subdomain of your own domain, and then use relaxed alignment.

SendGrid works the same way without domain authentication. SPF passes for sendgrid.net, but alignment fails against yourcompany.com under any alignment mode.

In both cases, adjusting aspf won’t help. Configure DKIM with your provider so they sign with your domain. That gives you a DKIM alignment path that works regardless of what the Return-Path says.

What does adkim=r aspf=r mean?

adkim=r aspf=r is the default DMARC relaxed alignment configuration. Per RFC 9989 Section 4.7, the r value selects relaxed matching for both DKIM (adkim) and SPF (aspf):

  • adkim=r: the DKIM signing domain aligns if its organizational domain matches the From header’s organizational domain. d=mail.example.com aligns with a From of [email protected].
  • aspf=r: the SPF-authenticated Return-Path domain aligns if its organizational domain matches the From header’s organizational domain. A Return-Path of [email protected] aligns with [email protected].

Both tags default to r when omitted, so these records are equivalent:

v=DMARC1; p=reject; rua=mailto:[email protected]
v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:[email protected]

adkim=r aspf=r vs adkim=s aspf=s

The strict counterpart (adkim=s aspf=s) requires exact domain matching. mail.example.com would NOT align with example.com. Use strict only when every legitimate sender uses the exact organizational domain, and you’ve confirmed that in your reports over several weeks.

Is adkim=r aspf=r safe?

Yes. Relaxed alignment is the published default in RFC 9989. An attacker cannot exploit it without first controlling a subdomain of your organizational domain, which means your DNS is already compromised.

RFC 7489 and RFC 9989: where these tags are defined

If you’re searching for RFC 7489 references, here’s the mapping.

RFC 7489 (now obsolete) defined aspf and adkim in Section 6.3. Both defaulted to r. The exact wording: aspf: (plain-text; OPTIONAL; default is "r").

RFC 9989 (DMARCbis) obsoletes RFC 7489 and RFC 9091. It defines aspf and adkim in Section 4.7 with the same defaults. One thing changed: the organizational domain determination method. RFC 7489 relied on a Public Suffix List; RFC 9989 uses a DNS tree walk (described in Section 4.10) to discover the organizational domain without depending on an external list.

For the full tag reference, see our DMARC record tags guide. For a deeper look at how alignment works across both SPF and DKIM, see our DMARC alignment guide.

The aspf and adkim relationship

DMARC has two alignment tags:

  • aspf for SPF alignment
  • adkim for DKIM alignment

They work independently. You can mix relaxed SPF alignment with strict DKIM alignment, or any other combination.

For DMARC to pass, either SPF or DKIM needs to pass with alignment, not both. Most organizations focus on DKIM alignment because it survives email forwarding, and you control the signing domain directly.
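The alignment rules and defaults described so far, as an added example (not code from this article or from any DMARC implementation): it parses a record, applies the r default when aspf or adkim is missing, and evaluates the lookup-table cases. The helper org_domain() and its two-entry suffix set are assumptions standing in for the Public Suffix List or the RFC 9989 tree walk.

```python
# Added example: DMARC identifier alignment with the aspf/adkim defaults.
# ASSUMPTION: org_domain() is a stand-in; real receivers use the Public Suffix
# List (RFC 7489) or the DNS tree walk (RFC 9989) to find the organizational domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}  # constructed sample, not a real list

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def parse_dmarc(record):
    """Split a DMARC TXT record into tags; absent aspf/adkim default to 'r'."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def aligned(mode, from_domain, auth_domain):
    """Mode 's' needs an exact match; 'r' needs the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def dmarc_pass(record, from_domain, spf=None, dkim=None):
    """spf and dkim are (result, domain) pairs; one aligned pass is enough."""
    tags = parse_dmarc(record)
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(tags["aspf"], from_domain, spf[1])
    dkim_ok = bool(dkim) and dkim[0] == "pass" and aligned(tags["adkim"], from_domain, dkim[1])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": spf_ok or dkim_ok}

if __name__ == "__main__":
    # The four lookup-table rows, with constructed records and a From domain of example.com.
    rows = [("v=DMARC1; p=reject", "bounce.example.com"),
            ("v=DMARC1; p=reject", "sendgrid.net"),
            ("v=DMARC1; p=reject; aspf=s", "example.com"),
            ("v=DMARC1; p=reject; aspf=s", "mail.example.com")]
    for record, spf_domain in rows:
        print(record, spf_domain, dmarc_pass(record, "example.com", spf=("pass", spf_domain)))
```
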

How to check your current setting

Run your domain through our DMARC checker. The results show your current aspf value, or note that you’re using the default (relaxed).

You can also check manually with dig:

dig TXT _dmarc.yourdomain.com +short

Look for aspf=r (relaxed), aspf=s (strict), or no aspf tag (defaults to relaxed).

How to change it

Your DMARC record is a DNS TXT record at _dmarc.yourdomain.com. To change the alignment mode, edit the record and add or modify the aspf tag.

Relaxed alignment (explicit):

v=DMARC1; p=reject; aspf=r; rua=mailto:[email protected]

Strict alignment:

v=DMARC1; p=reject; aspf=s; rua=mailto:[email protected]

Use our DMARC generator to build a properly formatted record with your preferred settings.

Common mistakes with aspf

Setting strict mode without testing

Someone reads that strict is “more secure” and enables aspf=s. Marketing emails start failing because the Return-Path uses a subdomain that doesn’t exactly match the From header.

Before switching to strict mode, monitor your DMARC reports for at least 2-4 weeks. Look at the SPF alignment column. If any legitimate mail would fail under strict alignment, don’t switch.
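One way to run that check over an aggregate report, as an added example (not the article's or any vendor's tooling): it lists sources that are SPF-aligned under the current relaxed policy but whose SPF domain is not an exact match for the From domain. The report is a constructed sample using the RFC 7489 aggregate-report element names; the function name strict_breakage is hypothetical.

```python
# Added example: which senders would lose SPF alignment if aspf=r became aspf=s?
# REPORT is constructed sample data (documentation IP ranges, example.com).
import xml.etree.ElementTree as ET

REPORT = """<feedback>
  <policy_published><domain>example.com</domain><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>40</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>mail.example.com</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def strict_breakage(xml_text):
    """Rows that are SPF-aligned now but are not an exact match (fail under aspf=s).
    dmarc_would_fail is True when DKIM is not aligned either, so strict mode
    would remove the message's only passing path."""
    # Reports come from outside parties; use a hardened XML parser (e.g. defusedxml) in production.
    out = []
    for rec in ET.fromstring(xml_text).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        from_dom = rec.findtext("identifiers/header_from").strip().lower()
        spf_dom = rec.findtext("auth_results/spf/domain").strip().lower()
        if evaluated.findtext("spf") == "pass" and spf_dom != from_dom:
            out.append({"source_ip": rec.findtext("row/source_ip"),
                        "spf_domain": spf_dom,
                        "count": int(rec.findtext("row/count")),
                        "dmarc_would_fail": evaluated.findtext("dkim") != "pass"})
    return out

if __name__ == "__main__":
    for row in strict_breakage(REPORT):
        print(row)
```

In the sample, the 192.0.2.25 source is the one that matters: its DKIM is not aligned, so under aspf=s those 40 messages would fail DMARC outright.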

Thinking aspf is required

If you don’t include aspf in your DMARC record, relaxed mode applies automatically.

v=DMARC1; p=reject; rua=mailto:[email protected]

This record uses relaxed SPF alignment by default. Adding aspf=r is redundant.

Confusing SPF passing with SPF alignment

SPF can pass while SPF alignment fails.

Imagine an email where:

SPF passes because the IP is authorized for sendgrid.net. SPF alignment fails because sendgrid.net doesn’t share an organizational domain with yourcompany.com.

That’s why DKIM alignment matters more in practice. Configure custom DKIM with your third-party sender and they sign with your domain. At that point the SPF alignment result is irrelevant.

Practical recommendations

For most setups:

  • Leave aspf at relaxed, or omit it entirely
  • Focus on DKIM alignment for third-party senders
  • Monitor reports before making any changes

If you’re considering strict mode, enable DMARC monitoring first and review at least four weeks of aggregate reports. If any legitimate sender would fail strict alignment, that’s your answer: don’t switch. And keep a rollback plan ready either way.

Check your SPF alignment

Use our DMARC checker to see your current aspf setting and whether your emails are passing SPF alignment.

If you’re seeing SPF alignment failures, adjusting aspf usually won’t fix them. Configure DKIM with your third-party senders so alignment passes through the signing domain, which stays stable even when the Return-Path changes.

For ongoing visibility, sign up for DMARCTrust and add your domain. You’ll see exactly which senders pass or fail SPF alignment, broken down by sending source, so you know where the problem actually is before touching anything.
