
DMARC aspf tag: what it does and when to change it

The aspf tag controls how strictly DMARC checks SPF alignment. Most people leave it at the default and that's usually fine. Here's when you might want to change it.

Standards basis: Alignment guidance based on RFC 9989 for DMARC policy records. Historical RFC 7489 references are kept only where describing the old spec.

Marc Lelu

You’re looking at a DMARC record and see aspf=r or maybe aspf=s. What does that mean? Should you change it?

Short answer: aspf controls how strictly DMARC checks whether your SPF authentication matches your From address. The default is relaxed (r), and for most organizations, that’s the right choice.

But let’s actually understand what’s happening.

What aspf does

DMARC has a problem to solve. SPF and DKIM each authenticate different parts of an email. DMARC needs to connect those authentication results to the address your recipients actually see: the From header.

This connection is called alignment.

The aspf tag specifically controls SPF alignment. It has two settings:

Relaxed (aspf=r): The SPF-authenticated domain and the From domain must share the same organizational domain. So mail.example.com aligns with example.com.

Strict (aspf=s): The domains must match exactly. mail.example.com does not align with example.com.

If you don’t include aspf in your DMARC record, relaxed mode applies by default. This is defined in RFC 9989, the current DMARC specification.

Why this matters

SPF validates the Return-Path domain (also called the envelope sender or MAIL FROM). This is a technical address that recipients never see. It’s used for bounce handling.

The From header is what appears in your recipient’s inbox. It’s the address they reply to.

Here’s the problem: these two addresses can be completely different domains.

When you send through a third-party service like SendGrid, Mailchimp, or your helpdesk software, the Return-Path often uses the provider’s domain. They need this to process bounces on your behalf.

So SPF might pass for bounces.sendgrid.net, but your From address says yourcompany.com. Without alignment, DMARC would see this as a failure.

This is why alignment exists. And it’s why DKIM alignment usually matters more than SPF alignment in practice. We explain the full picture in our guide on DMARC, SPF, and DKIM alignment.

Relaxed vs strict: when each makes sense

Relaxed alignment (default)

Use relaxed alignment when:

  • You send from subdomains like mail.example.com or marketing.example.com
  • Your SPF record covers the root domain but emails come from subdomains
  • You use third-party services that customize the Return-Path with subdomains
  • You’re not sure (it’s the safe default)

With relaxed alignment, as long as the organizational domains match, SPF alignment passes. newsletter.example.com aligns with example.com. support.example.com aligns with example.com.

According to Amazon’s DMARC compliance documentation, relaxed alignment provides the flexibility most organizations need, especially when using third-party email services.

Strict alignment

Use strict alignment when:

  • You have tight control over your email infrastructure
  • All your email comes from a single domain with no subdomains
  • You’re in a high-security environment that requires exact domain matching
  • You’ve thoroughly tested that all legitimate email will pass

Strict alignment means mail.example.com does not align with example.com. The domains must be identical.

This is rarely necessary and often causes problems. If you send from subdomains or use any third-party services, strict SPF alignment will likely break things.

How to check your current setting

Run your domain through our DMARC checker. The results show your current aspf value, or note that you’re using the default (relaxed).

You can also check manually with dig:

dig TXT _dmarc.yourdomain.com +short

Look for aspf=r (relaxed), aspf=s (strict), or no aspf tag (defaults to relaxed).

How to change it

Your DMARC record is a DNS TXT record at _dmarc.yourdomain.com. To change the alignment mode, edit the record and add or modify the aspf tag.

Example with relaxed alignment (explicit):

v=DMARC1; p=reject; aspf=r; rua=mailto:[email protected]

Example with strict alignment:

v=DMARC1; p=reject; aspf=s; rua=mailto:[email protected]

Use our DMARC generator to build a properly formatted record with your preferred settings.

What does adkim=r aspf=r mean?

adkim=r aspf=r is the default DMARC relaxed alignment configuration. Per RFC 9989, the r value selects relaxed matching for both DKIM (adkim) and SPF (aspf) alignment:

  • adkim=r — the DKIM signing domain aligns if its Organizational Domain matches the From header’s Organizational Domain. d=mail.example.com aligns with a From header of [email protected].
  • aspf=r — the SPF-authenticated Return-Path domain aligns if its Organizational Domain matches the From header’s Organizational Domain. A Return-Path of [email protected] aligns with [email protected].

Both tags default to r when omitted, so these records are equivalent:

v=DMARC1; p=reject; rua=mailto:[email protected]
v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:[email protected]

adkim=r aspf=r vs adkim=s aspf=s

The strict counterpart (adkim=s aspf=s) requires an exact domain match — mail.example.com would NOT align with example.com. Use strict only when every legitimate sender uses the exact Organizational Domain and you’ve confirmed that in your reports for several weeks.

Is adkim=r aspf=r safe?

Yes. Relaxed alignment is the published default in RFC 9989 and is what Gmail, Yahoo, and Microsoft expect. Attackers can’t exploit relaxed alignment without first controlling a subdomain of the target Organizational Domain, which means they’ve already compromised the DNS.

The aspf and adkim relationship

DMARC has two alignment tags:

  • aspf for SPF alignment
  • adkim for DKIM alignment

They work independently. You can have relaxed SPF alignment with strict DKIM alignment, or any other combination.

For DMARC to pass, you need either SPF or DKIM to pass with alignment. Not both. This is why most organizations focus on DKIM alignment: it survives email forwarding, and you control the signing domain directly.

Our DMARC record tags guide covers all current DMARC tags in detail, including examples and validation rules.

Common mistakes with aspf

Setting strict mode without testing

Someone reads that strict is “more secure” and enables aspf=s. Then their marketing emails start failing because the Return-Path uses a subdomain that doesn’t exactly match the From header.

Before changing to strict mode, monitor your DMARC reports for at least 2-4 weeks. Look at the SPF alignment column. If you see legitimate email that would fail under strict alignment, don’t switch.

Thinking aspf is required

If you don’t include aspf in your DMARC record, relaxed mode applies automatically. You don’t need to specify it.

v=DMARC1; p=reject; rua=mailto:[email protected]

This record uses relaxed SPF alignment by default. Adding aspf=r would be redundant.

Confusing SPF passing with SPF alignment

SPF can pass while SPF alignment fails.

Imagine an email where:

SPF passes because the IP is authorized for sendgrid.net. But SPF alignment fails because sendgrid.net doesn’t match yourcompany.com.

This is exactly why DKIM alignment matters more in practice. When you configure custom DKIM with your third-party sender, they sign with your domain, and alignment passes.

Practical recommendations

For most setups:

  1. Leave aspf at relaxed (or don’t include it at all)
  2. Focus on DKIM alignment for third-party senders
  3. Monitor your reports before making changes

If you’re considering strict mode, enable DMARC monitoring first. Review at least 4 weeks of aggregate reports. Make sure all legitimate SPF results would pass strict alignment before switching. And have a rollback plan ready.
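The difference between SPF passing and SPF aligning, and the check to run before switching to aspf=s, as an added Python example (not code from this article or from DMARCTrust). The organizational-domain lookup is a simplification built on a small constructed suffix list, and the function names and sample pairs are hypothetical.

```python
# Added example: SPF pass vs SPF alignment under aspf=r and aspf=s.
# Assumption: the organizational domain is the last two labels, or the last
# three under a small constructed suffix list (not a full suffix lookup).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}  # constructed sample

def parse_dmarc(record):
    """Parse a DMARC TXT value into tags, applying the relaxed defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def spf_aligned(mail_from_domain, from_domain, mode):
    """mode 's' needs identical domains; 'r' needs the same org domain."""
    a = mail_from_domain.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def spf_counts_for_dmarc(record, spf_pass, mail_from_domain, from_domain):
    """SPF helps DMARC pass only when it passes AND aligns with From."""
    mode = parse_dmarc(record)["aspf"]
    return spf_pass and spf_aligned(mail_from_domain, from_domain, mode)

def breaks_under_strict(pairs):
    """Pairs aligned under relaxed that would stop aligning under strict."""
    return [p for p in pairs if spf_aligned(*p, "r") and not spf_aligned(*p, "s")]

# Constructed (Return-Path domain, From domain) pairs, as read from reports.
SAMPLE = [("example.com", "example.com"),
          ("mail.example.com", "example.com"),
          ("bounces.sendgrid.net", "yourcompany.com")]

if __name__ == "__main__":
    for pair in SAMPLE:
        print(pair, "relaxed:", spf_aligned(*pair, "r"),
              "strict:", spf_aligned(*pair, "s"))
    print("would break under aspf=s:", breaks_under_strict(SAMPLE))
```

Any pair returned by breaks_under_strict is legitimate mail that relies on relaxed SPF alignment today; the third sample pair fails in both modes, so only aligned DKIM can carry it.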

Check your SPF alignment

Use our DMARC checker to see your current aspf setting and whether your emails are passing SPF alignment.

If you’re seeing SPF alignment failures in your reports, the fix usually isn’t changing aspf to strict. It’s configuring DKIM with your third-party senders so you have a reliable alignment path.

For ongoing visibility, sign up for DMARCTrust and add your domain. You’ll see exactly which senders pass or fail SPF alignment and can make informed decisions about your configuration.
