DMARC glossary
What do adkim and aspf mean? DMARC alignment explained

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026
adkim and aspf set the alignment mode DMARC uses to compare the visible From: domain against the DKIM signing domain and the SPF-validated domain. Both take r (relaxed — organizational-domain match, the default) or s (strict — exact match). Misalignment, not failed SPF or DKIM, is the top reason DMARC fails.
adkim / aspf at a glance | |
|---|---|
| Tag | adkim (DKIM alignment) · aspf (SPF alignment) |
| Valid values | r (relaxed, default) · s (strict) |
| Default | Both default to r — relaxed, organizational-domain alignment. |
| Where it goes | Anywhere after p, e.g. v=DMARC1; p=reject; adkim=s; aspf=s; |
How adkim / aspf works
DMARC doesn't just ask whether SPF or DKIM passed — it asks whether the pass belongs to the domain in the From: header, the one the recipient actually sees. That check is alignment. For DKIM, the d= domain in the signature must match the From: domain (adkim). For SPF, the envelope-from domain that SPF validated must match the From: domain (aspf).
Relaxed mode (r, the default) accepts an organizational-domain match: mail.yourdomain.com aligns with yourdomain.com. Strict mode (s) demands an exact match: mail.yourdomain.com does not align with yourdomain.com. Relaxed is right for almost everyone — it lets subdomain-based senders align without weakening the core guarantee that the visible domain was authorised.
Alignment is where most 'DMARC is failing but SPF and DKIM pass' mysteries live. The classic case is an ESP that passes SPF on its own bounce domain (bounce.espmail.com) and signs DKIM with its own d=espmail.com — both authentic passes, neither aligned with your From: domain, so DMARC fails. The fix is configuring the ESP to use your domain for the bounce address and DKIM signature, not loosening anything.
Correct record vs common mistake
Correct
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.comNo adkim/aspf tags — relaxed alignment by default, which lets legitimate subdomain senders (mail.yourdomain.com) align cleanly.
Common mistake
v=DMARC1; p=reject; adkim=s; aspf=sStrict alignment with senders still signing from subdomains will fail your own legitimate mail. Only go strict when you've verified every sender matches the From: domain exactly.
Generate your DMARC record
Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.
Used to show the exact host name to publish — the record itself doesn't contain it.
Start at none to observe, then tighten once reports look clean.
Where daily XML summaries are sent. Comma-separate multiple addresses.
Advanced options (sp, alignment, pct, ruf)
Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.
Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.
Same idea for the SPF (Return-Path) domain.
Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.
Per-message failure samples. Rarely sent by large providers; contains message data.
Your DMARC record
Publish this as a TXT record in your DNS.
_dmarc.yourdomain.com
v=DMARC1; p=none;
Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.
After you publish
- Add the TXT record at your DNS host and allow up to an hour for propagation.
- Verify it with the free DMARC checker.
- Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.
Troubleshooting adkim / aspf
| Issue | Likely cause | Fix |
|---|---|---|
| DMARC fails though SPF and DKIM show 'pass' | The passes belong to another domain — typically an ESP's bounce domain or d= domain | Configure a custom return-path and custom DKIM signing at the ESP so both align with your From: domain |
| Legitimate mail started failing after adding adkim=s / aspf=s | Strict mode rejects organizational-domain matches — subdomain senders no longer align | Revert to relaxed (remove the tags) unless every sender uses the exact From: domain |
| Forwarded mail fails SPF alignment | Forwarding changes the sending path, so SPF can't align — expected behavior | Rely on DKIM for forwarded mail: an aligned DKIM pass alone is enough for DMARC to pass |
See this on your own domain
Enter your domain — the check runs instantly on the next page. Free, no signup.
Why it matters for MSPs
Alignment failures are the silent mail-breaker of every enforcement push. Each client runs different ESPs, CRMs, and ticketing tools — each with its own bounce domain and signing domain. Move 50–200 tenants toward reject without fixing alignment per sender, and it's your helpdesk that learns which client's invoices stopped arriving.
Trusted by MSPs
“Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.”
Alvin Kalli — CSIO, MSP Corp

































Enforce it — don't just monitor it
Aligning every legitimate sender is the slow, manual heart of DMARC work — and it's precisely what Palisade automates: it reads the aggregate reports, spots which sources pass SPF or DKIM without aligning, and walks you through fixing each one before the policy tightens.
Free 15-day trial · No credit card · Your own domain free forever (NFR)