SPF Alignment Explained: Why SPF Can Pass But DMARC Still Fails
Understand SPF alignment and DMARC. Learn strict vs relaxed alignment, why SPF can pass but DMARC still fails, and how to fix it.
Last updated: 2026-04-28
You've set up your SPF record, run a check, and everything passes. But then your DMARC reports show failures. How can SPF pass and DMARC still fail? The answer is alignment — a concept that trips up even experienced email administrators. Understanding alignment is essential for getting DMARC to work properly with SPF.
This guide explains what SPF alignment means, why it exists, and how to make sure your email setup passes both the SPF check and the alignment check. For a full overview of SPF, see our complete SPF guide.
What SPF Alignment Means
To understand alignment, you need to know that every email has two "from" addresses — and they're often different.
The "From" header is what your recipients see in their inbox. It's the address displayed in their email client, like you@yourdomain.com. This is sometimes called the "header From" or the RFC 5322 From.
The Return-Path (also called the envelope sender or MAIL FROM) is a hidden address used behind the scenes. It's where bounce notifications get sent, and it's the domain that SPF actually checks. You never see this in normal email viewing — it's only visible in the full email headers.
SPF alignment is whether these two domains match. When DMARC evaluates an email, it doesn't just ask "did SPF pass?" It also asks "did SPF pass on a domain that matches the From header?" If the SPF check passed on a completely different domain, DMARC considers SPF alignment to have failed.
The key concept
SPF alignment = the Return-Path domain matches the From header domain (or, in the default relaxed mode, shares the same organizational domain, so subdomains count). SPF can pass on any domain. SPF alignment only passes when it's the right domain.
A Practical Example
Say you send an email where the visible From address is newsletter@yourdomain.com. But your email service provider uses bounce.emailprovider.com as the Return-Path (the envelope sender).
Here's what happens:
- The receiving server checks SPF on the Return-Path domain: emailprovider.com
- SPF passes because emailprovider.com has a valid SPF record authorizing the sending server
- DMARC checks alignment: does emailprovider.com match yourdomain.com?
- It doesn't. SPF alignment fails.
Even though SPF technically passed, it passed on the wrong domain. DMARC needs either SPF alignment or DKIM alignment to pass — if both fail, the DMARC result is a failure.
Strict vs. Relaxed Alignment
DMARC supports two alignment modes for SPF, controlled by the aspf tag in your DMARC record:
Relaxed alignment (aspf=r) — This is the default. The Return-Path domain just needs to share the same organizational domain as the From header. Subdomains are allowed.
Strict alignment (aspf=s) — The Return-Path domain must exactly match the From header domain. Subdomains do not count.
| From Header | Return-Path | Relaxed (aspf=r) | Strict (aspf=s) |
|---|---|---|---|
| you@example.com | bounce@example.com | Aligned | Aligned |
| you@example.com | bounce@mail.example.com | Aligned | Not aligned |
| you@mail.example.com | bounce@example.com | Aligned | Not aligned |
| you@example.com | bounce@otherdomain.com | Not aligned | Not aligned |
| you@example.com | bounce@amazonses.com | Not aligned | Not aligned |
Which should you use? Relaxed alignment (the default) works for the vast majority of setups. It allows subdomains to align, which is how many email services operate. Strict alignment is only necessary if you have specific security requirements that demand exact domain matching.
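The two modes in the table above can be written as a short check. This is an added example, not code from the original guide or from any DMARC implementation; the function names are hypothetical, and PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List that real receivers use to find the organizational domain.

```python
# Added example: DMARC SPF alignment in relaxed ("r") and strict ("s") mode.
# PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}

def domain_of(address):
    """Lowercased domain part of an address, or of a bare domain."""
    return address.rsplit("@", 1)[-1].strip().strip("<>").rstrip(".").lower()

def organizational_domain(domain):
    """Longest known public suffix plus one label to its left."""
    labels = domain.split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # fallback: suffix not in our small list

def spf_aligned(header_from, return_path, mode="r"):
    """True if the Return-Path domain aligns with the From header domain."""
    if mode not in ("r", "s"):
        raise ValueError("aspf must be 'r' or 's'")
    from_dom, rp_dom = domain_of(header_from), domain_of(return_path)
    if not from_dom or not rp_dom:
        return False                      # missing domain: nothing to align
    if mode == "s":
        return from_dom == rp_dom         # exact match only
    # Compare whole organizational domains, never raw string suffixes:
    # "notexample.com" ends with "example.com" but is a different domain.
    return organizational_domain(from_dom) == organizational_domain(rp_dom)

# The rows of the table above (From header, Return-Path).
TABLE_ROWS = [
    ("you@example.com", "bounce@example.com"),
    ("you@example.com", "bounce@mail.example.com"),
    ("you@mail.example.com", "bounce@example.com"),
    ("you@example.com", "bounce@otherdomain.com"),
    ("you@example.com", "bounce@amazonses.com"),
]

if __name__ == "__main__":
    for hdr, rp in TABLE_ROWS:
        print(hdr, rp, spf_aligned(hdr, rp, "r"), spf_aligned(hdr, rp, "s"))
```

The co.uk entry shows why the suffix list matters: without it, shop.example.co.uk and other.co.uk would both reduce to co.uk and wrongly count as aligned.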
You can check your current DMARC alignment settings at DMARC Record Checker.
Why SPF Alignment Commonly Fails
There are several common situations where SPF passes but alignment fails:
Third-party email services using their own Return-Path. Many email providers set the Return-Path to their own domain by default. When they send on your behalf, SPF passes on their domain, but it doesn't align with your From domain. Some providers offer custom Return-Path or custom MAIL FROM options to fix this — for example, Amazon SES lets you set a custom MAIL FROM domain.
Email forwarding. When someone forwards your email, the forwarding server resends it with a new Return-Path (often the forwarder's domain). SPF passes for the forwarder's domain, but alignment with your original From domain breaks.
Mailing lists. Similar to forwarding, mailing list software often rewrites the Return-Path. The email still shows your From address, but SPF is evaluated against the mailing list's domain.
Transactional email services. Services like SendGrid, Postmark, or Mailgun may use their own domain for the Return-Path unless you configure a custom sending domain. If you use multiple providers, each one may need a custom Return-Path configuration. Check your provider's documentation for custom domain setup.
How to Fix SPF Alignment Issues
If your DMARC reports show SPF alignment failures, here are the steps to resolve them:
Identify the misaligned Return-Path domain
Look at your DMARC aggregate reports (the XML reports sent to the address in your DMARC record's rua tag). These reports show which Return-Path domains are being used and whether alignment passed or failed. The Email Deliverability Suite can help you parse and understand these reports.
Configure a custom Return-Path with your email provider
Most email services allow you to set a custom Return-Path or MAIL FROM domain. This is usually a subdomain of your main domain, like bounce.yourdomain.com or mail.yourdomain.com. Your provider will give you DNS records to add. Once configured, the Return-Path will use your domain, and SPF alignment will pass under relaxed mode.
Add SPF records for the custom subdomain
When you set up a custom Return-Path subdomain, you'll need an SPF record on that subdomain authorizing your provider's sending servers. Your provider's documentation will tell you exactly what to add.
Verify alignment is working
After making changes, send test emails and check the full headers. Look for the Authentication-Results header — it will show both the SPF result and whether DMARC passed. You can also wait for the next round of DMARC aggregate reports.
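For the first step, the rows to look for in an aggregate report are those where the raw SPF result is pass but the DMARC-evaluated SPF result is not. The following is an added example, not part of the original guide or of any product it mentions; the function name is hypothetical and the sample report is constructed, using the field names of the RFC 7489 aggregate format.

```python
import xml.etree.ElementTree as ET

# Added example. SAMPLE_REPORT is constructed data in the RFC 7489 aggregate format (trimmed).
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.emailprovider.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.8</source_ip><count>5</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.emailprovider.com</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def misaligned_spf(report_xml):
    """Map (header_from, spf_domain) to counts for rows where SPF passed unaligned."""
    # Reports come from outside parties and never need a DTD, so refuse one.
    if "<!DOCTYPE" in report_xml.upper():
        raise ValueError("DOCTYPE not allowed in aggregate reports")
    findings = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        aligned_spf = rec.findtext("row/policy_evaluated/spf", "").strip()
        dkim = rec.findtext("row/policy_evaluated/dkim", "").strip()
        count = int(rec.findtext("row/count") or 0)
        header_from = rec.findtext("identifiers/header_from", "").strip().lower()
        for spf in rec.findall("auth_results/spf"):
            if spf.findtext("result", "").strip() != "pass" or aligned_spf == "pass":
                continue  # SPF did not pass at all, or it passed and aligned
            key = (header_from, spf.findtext("domain", "").strip().lower())
            entry = findings.setdefault(key, {"messages": 0, "dmarc_failed": 0})
            entry["messages"] += count
            entry["dmarc_failed"] += count if dkim != "pass" else 0
    return findings
```

The dmarc_failed count covers messages that had no aligned DKIM pass either, which are the flows to fix first with a custom Return-Path.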
When SPF Alignment Isn't Possible
In some cases, you can't achieve SPF alignment — and that's okay. DMARC only needs one of its two alignment checks to pass: SPF alignment or DKIM alignment.
Email forwarding is the classic example. When email is forwarded, the Return-Path changes and SPF alignment breaks. But if the email was signed with DKIM, that signature survives forwarding (usually). So DKIM alignment can pass even when SPF alignment fails.
This is exactly why DMARC checks both protocols. They complement each other:
- SPF alignment works well for direct email delivery
- DKIM alignment works well for forwarded and relayed email
If SPF alignment is impossible for a particular mail flow, make sure DKIM is properly configured and aligned. Verify your DKIM setup with a DKIM checker.
Best practice: configure both SPF and DKIM alignment
Don't rely on just one. Set up custom Return-Path domains for SPF alignment where possible, and always configure DKIM signing. Having both gives you the best chance of DMARC passing regardless of how the email is delivered.
For a complete overview of how SPF, DKIM, and DMARC work together, see our guide on SPF, DKIM, and DMARC explained.
Monitor Your SPF Records
Alignment issues often surface only in DMARC reports, weeks after a change broke something. Continuous monitoring of your SPF, DKIM, and DMARC records catches configuration problems early, before they affect your email deliverability at scale.