DMARC identifier alignment ensures that the domains authenticated by SPF and/or DKIM are aligned with the domain visible to recipients in the Header From field.
Email users rely on the From address shown in their email client to determine who sent a message. However, SPF and DKIM do not authenticate the Header From domain: SPF authenticates the Mail From domain, and DKIM authenticates the signing domain (d=). As a result, the authenticated domain may not match what the user sees. DMARC solves this problem through identifier alignment.
The Header From domain is the domain shown in the visible From address of an email. This is what recipients see in their inbox.
The Mail From domain (also known as the Return-Path, Envelope From, or bounce address) is used for message delivery and bounce handling. It is not visible to end users. SPF authentication is performed against the Mail From domain, not the Header From domain.
Because these domains can be different, an email may pass SPF or DKIM authentication but still fail DMARC if the authenticated domain is not aligned with the Header From domain.
DMARC checks alignment as follows:
SPF alignment compares the Mail From domain with the Header From domain
DKIM alignment compares the DKIM signing domain (d=) with the Header From domain
If either SPF or DKIM passes and the authenticated domain is aligned with the Header From domain, DMARC passes.
DMARC supports two alignment modes:
Strict alignment: The authenticated domain must exactly match the Header From domain.
Relaxed alignment: Subdomains of the same organizational domain are considered aligned.
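The alignment rules above, worked through as an added example (this code is not from the original page). It assumes a tiny constructed suffix set in place of the Public Suffix List that receivers use to find the organizational domain, uses the DMARC record tags aspf and adkim (r = relaxed, s = strict) as parameter names, and all domains shown are constructed.

```python
# Added example: DMARC identifier alignment evaluation (not the page's own code).
# ASSUMPTION: PUBLIC_SUFFIXES is a small constructed stand-in for the Public
# Suffix List; a real receiver loads the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(domain):
    """Organizational domain: the longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # Scanning left to right, the first hit is the longest matching suffix.
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback: treat the last label as the suffix


def aligned(auth_domain, header_from, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    if mode == "s":
        return a == h
    return org_domain(a) == org_domain(h)


def dmarc_result(header_from, spf_pass, mail_from, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs is a list of (verified, d_domain). Returns (passed, mechanisms)."""
    mechanisms = []
    # SPF counts only if it passed AND the Mail From domain is aligned.
    if spf_pass and aligned(mail_from, header_from, aspf):
        mechanisms.append("spf")
    # DKIM counts if any verified signature has an aligned d= domain.
    if any(ok and aligned(d, header_from, adkim) for ok, d in dkim_sigs):
        mechanisms.append("dkim")
    return bool(mechanisms), mechanisms


if __name__ == "__main__":
    # Constructed case: SPF and DKIM both pass, but for the sending service's
    # domain rather than the Header From domain, so DMARC fails.
    print(dmarc_result("example.com", True, "bounces.esp-mail.net",
                       [(True, "esp-mail.net")]))
    # Constructed case: DKIM signed by a subdomain. Relaxed passes, strict fails.
    print(dmarc_result("example.com", False, "bounces.esp-mail.net",
                       [(True, "mail.example.com")]))
    print(dmarc_result("example.com", False, "bounces.esp-mail.net",
                       [(True, "mail.example.com")], adkim="s"))
```
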