DMARC glossary

What do adkim and aspf mean? DMARC alignment explained

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

adkim and aspf set the alignment mode DMARC uses to compare the visible From: domain against the DKIM signing domain and the SPF-validated domain. Both take r (relaxed — organizational-domain match, the default) or s (strict — exact match). Misalignment, not failed SPF or DKIM, is the top reason DMARC fails.

adkim / aspf at a glance
Tagadkim (DKIM alignment) · aspf (SPF alignment)
Valid valuesr (relaxed, default) · s (strict)
DefaultBoth default to r — relaxed, organizational-domain alignment.
Where it goesAnywhere after p, e.g. v=DMARC1; p=reject; adkim=s; aspf=s;

How adkim / aspf works

DMARC doesn't just ask whether SPF or DKIM passed — it asks whether the pass belongs to the domain in the From: header, the one the recipient actually sees. That check is alignment. For DKIM, the d= domain in the signature must match the From: domain (adkim). For SPF, the envelope-from domain that SPF validated must match the From: domain (aspf).

Relaxed mode (r, the default) accepts an organizational-domain match: mail.yourdomain.com aligns with yourdomain.com. Strict mode (s) demands an exact match: mail.yourdomain.com does not align with yourdomain.com. Relaxed is right for almost everyone — it lets subdomain-based senders align without weakening the core guarantee that the visible domain was authorised.

Alignment is where most 'DMARC is failing but SPF and DKIM pass' mysteries live. The classic case is an ESP that passes SPF on its own bounce domain (bounce.espmail.com) and signs DKIM with its own d=espmail.com — both authentic passes, neither aligned with your From: domain, so DMARC fails. The fix is configuring the ESP to use your domain for the bounce address and DKIM signature, not loosening anything.

Correct record vs common mistake

Correct

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

No adkim/aspf tags — relaxed alignment by default, which lets legitimate subdomain senders (mail.yourdomain.com) align cleanly.

Common mistake

v=DMARC1; p=reject; adkim=s; aspf=s

Strict alignment with senders still signing from subdomains will fail your own legitimate mail. Only go strict when you've verified every sender matches the From: domain exactly.

Generate your DMARC record

Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.

Used to show the exact host name to publish — the record itself doesn't contain it.

Start at none to observe, then tighten once reports look clean.

Where daily XML summaries are sent. Comma-separate multiple addresses.

Advanced options (sp, alignment, pct, ruf)

Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.

Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.

Same idea for the SPF (Return-Path) domain.

Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.

Per-message failure samples. Rarely sent by large providers; contains message data.

Your DMARC record

Publish this as a TXT record in your DNS.

Host / Name

_dmarc.yourdomain.com

Value (TXT)

v=DMARC1; p=none;

Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.

No rua address set — you'll get no aggregate reports, which means no visibility into who is sending as your domain. Add one before publishing.
p=none is monitoring mode: receivers report but deliver everything, including spoofed mail. It's the right starting point — plan to move to quarantine, then reject, once your reports show all legitimate senders passing.

After you publish

  1. Add the TXT record at your DNS host and allow up to an hour for propagation.
  2. Verify it with the free DMARC checker.
  3. Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.

Troubleshooting adkim / aspf

IssueLikely causeFix
DMARC fails though SPF and DKIM show 'pass'The passes belong to another domain — typically an ESP's bounce domain or d= domainConfigure a custom return-path and custom DKIM signing at the ESP so both align with your From: domain
Legitimate mail started failing after adding adkim=s / aspf=sStrict mode rejects organizational-domain matches — subdomain senders no longer alignRevert to relaxed (remove the tags) unless every sender uses the exact From: domain
Forwarded mail fails SPF alignmentForwarding changes the sending path, so SPF can't align — expected behaviorRely on DKIM for forwarded mail: an aligned DKIM pass alone is enough for DMARC to pass

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Alignment failures are the silent mail-breaker of every enforcement push. Each client runs different ESPs, CRMs, and ticketing tools — each with its own bounce domain and signing domain. Move 50–200 tenants toward reject without fixing alignment per sender, and it's your helpdesk that learns which client's invoices stopped arriving.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Aligning every legitimate sender is the slow, manual heart of DMARC work — and it's precisely what Palisade automates: it reads the aggregate reports, spots which sources pass SPF or DKIM without aligning, and walks you through fixing each one before the policy tightens.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

Because neither pass is aligned. An ESP often passes SPF on its own bounce domain and signs DKIM with its own d= domain — authentic, but not your From: domain, so DMARC fails anyway.

Relaxed, almost always. It still requires an organizational-domain match, which stops third-party spoofing. Strict adds value only in narrow cases — like isolating a subdomain's mail stream — and breaks easily.

Same concept, different mechanism: adkim sets how the DKIM d= domain must match the From: domain; aspf sets how the SPF-validated envelope-from domain must match it. DMARC passes if either one produces an aligned pass.

Use the ESP's custom-domain features: set a custom return-path (bounce) domain on your domain for SPF alignment, and custom DKIM signing with d=yourdomain.com. Most major ESPs support both.

Related terms

What is DMARC? Email authentication explained