What does SPF alignment mean?
You may have heard this term (or some derivative of it) when dealing with DMARC. I’ll explain it simply.
In one sentence: An email is SPF aligned if the Return-Path address and the displayed “from” address come from the same domain.
Of course, this is DNS stuff so there’s always more to the story.
But first, let’s talk about what a “Return-Path” address and displayed “From” address are.
First, the Return-Path address
The Return-Path address is the email address that undeliverable messages (bounces) or delivery status notifications are sent to. It’s sent as part of the email.
But you usually don’t see the Return-Path address displayed in an email client. It’s sent within an email’s headers.
If you want, you can find it. For example, in Gmail, you can click the options link next to an email and then select “Show original” to get all the header info, which will include the Return-Path.
Now if you don’t see a Return-Path value in the headers, then the Return-Path value will default to be the same as the displayed “From” address. A nice segue…
Next, the displayed “From” address
This is what you normally think of as the “from” address: the one that’s listed in your email client and on each email.
Achieving SPF alignment
When you hear the term “SPF alignment” with regard to DMARC, it means that the domain of the Return-Path and the domain of the displayed “From” address are the same.
Let’s take a look at the example email above:
- Return-Path address domain: pm-bounces.donedone.com
- Displayed “From” address domain: donedone.com
They both have the same root domain (donedone.com) but the Return-Path is a subdomain of it (pm-bounces.donedone.com).
Are these aligned? Maybe. It depends on what you’ve set for your SPF alignment mode in your DMARC policy. (I’m sorry, I don’t make the rules).
By default, a DMARC policy’s SPF alignment mode is set to “relaxed”. This means that SPF is aligned if the Return-Path address and displayed “From” address simply have the same root domain, regardless of any subdomains. In this case, if the SPF alignment mode is “relaxed”, then yes, it’s aligned.
However, you can set the SPF alignment mode to “strict”, which means the Return-Path address and displayed “From” address must have identical domains. In this case, if the SPF alignment mode is “strict”, then nope, it’s not aligned.
To set SPF alignment mode to “strict”, just add aspf=s; to your DMARC record. For “relaxed”, add aspf=r; or nothing at all (as the default is relaxed).
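Here is the alignment check described above as a short Python sketch. It is an added example, not code from this post or from any DMARC tool; the function names, the sample headers and the tiny PUBLIC_SUFFIXES set (a stand-in for the full Public Suffix List that real evaluators use to find the root domain) are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed mini Public Suffix List (assumption); real evaluators use the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}


def domain_of(address_header):
    """Return the lower-cased domain of an address header value, or ''."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""


def org_domain(domain):
    """Root (organizational) domain: the longest public suffix plus one label."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain  # no known suffix: treat the whole name as its own root


def aspf_mode(dmarc_record):
    """Read the aspf tag from a DMARC TXT record; relaxed ('r') is the default."""
    for tag in dmarc_record.split(";"):
        name, _, value = tag.partition("=")
        if name.strip().lower() == "aspf" and value.strip().lower() == "s":
            return "s"
    return "r"


def spf_aligned(raw_headers, dmarc_record):
    """True if the Return-Path and From domains align under the record's mode."""
    msg = message_from_string(raw_headers)
    from_dom = domain_of(msg["From"])
    # As the post describes, fall back to the From address when no Return-Path exists.
    rp_dom = domain_of(msg["Return-Path"]) or from_dom
    if not from_dom:
        return False
    if aspf_mode(dmarc_record) == "s":
        return rp_dom == from_dom  # strict: identical domains
    return org_domain(rp_dom) == org_domain(from_dom)  # relaxed: same root domain


# Constructed sample headers using the domains from this post.
SAMPLE = (
    "Return-Path: <bounce-123@pm-bounces.donedone.com>\n"
    "From: DoneDone <notifications@donedone.com>\n\n"
)
```

Calling spf_aligned(SAMPLE, ...) with a record that has no aspf tag gives the relaxed result; adding aspf=s; to the same record flips it to not aligned.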
Why does SPF alignment make an email more credible?
The Return-Path domain is where the SPF DNS record that an email server vets against actually lives. In this case, an email server will look up the SPF record found at pm-bounces.donedone.com.
If the email is SPF authenticated but the Return-Path domain is completely different from the “From” address (let’s say it’s tryingtohackyou.com), all that tells the email server is that tryingtohackyou.com’s SPF record authenticates the email.
But the email still looks like it came from someone at donedone.com (via the displayed “From” address) so some bad person from tryingtohackyou.com could be pretending to be someone from donedone.com.
But if the Return-Path and displayed “From” address have the same domain and SPF is authenticated, then at some point, some IT person who legitimately works at donedone.com set up the SPF record that achieved authentication for this email, so it’s much more likely that this is legitimate.
Unless, of course, someone at tryingtohackyou.com somehow got access to the DNS recordset for donedone.com in which case we have a different and really bad problem entirely!
I hope this helps you understand SPF alignment.