DMARC ASPF Tag
This tag sets the SPF identifier alignment mode of your DMARC policy. Like the adkim tag, the aspf tag can be set to relaxed (r) or strict (s) mode. Successful alignment happens when the “Mail-From” address and the “From” address domains are identical. When the tag is not specified, alignment defaults to the aspf=r setting.
Highlighted below is an aspf tag used in a DMARC record:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarcreports@mxtoolbox.com; aspf=s;
Relaxed SPF Alignment
In relaxed SPF alignment, the MailFROM domain and the Header From domain must be an exact match or a parent/child match (e.g. example.com and child.example.com). The parent/child match type allows any subdomain and parent domain pair to generate a PASS result. Also worth noting: in the parent/child match scenario, either the MailFROM domain or the Header From domain can be the parent or the child domain. When the relaxed setting is specified in a DMARC record, it looks like the example below:
Relaxed SPF Alignment tag in a DMARC record (aspf=r)
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarcreports@mxtoolbox.com; ruf=mailto:dmarcfailurereports@mxtoolbox.com; aspf=r;
Pass / Fail Scenarios in Relaxed Alignment
MailFROM Domain | Header From Domain | Result
mail.example.com | example.com | PASS
example.mail.com | example.com | FAIL
Strict SPF Alignment
In strict (s) alignment, the DMARC record is published with the aspf=s tag, as illustrated below:
Strict SPF Alignment tag in a DMARC record (aspf=s)
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarcreports@mxtoolbox.com; ruf=mailto:dmarcfailurereports@mxtoolbox.com; aspf=s;
Pass / Fail Scenarios in Strict SPF Alignment
With the aspf=s tag published, the MailFROM domain and the Header From domain must match exactly. Below are two examples, one displaying an exact match that generates a PASS result and another displaying parent/child domains that generate a FAIL result.
MailFROM Domain | Header From Domain | Result
mail.example.com | mail.example.com | PASS
mail.example.com | example.com | FAIL
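The relaxed and strict checks described above, as an added example that is not code from the original page. Relaxed mode is implemented by comparing organizational domains, which covers the parent/child cases in the tables; `PUBLIC_SUFFIXES` is a small constructed stand-in for the Public Suffix List, and the function names are hypothetical.

```python
# Constructed stand-in for the Public Suffix List; a real check loads the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def aspf_mode(record: str) -> str:
    """Return 'r' or 's' for a DMARC record; a missing aspf tag means relaxed."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip().lower()
    mode = tags.get("aspf", "r")
    # Assumption: a value other than r or s is treated as a syntax error and
    # falls back to the relaxed default.
    return mode if mode in ("r", "s") else "r"


def org_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. example.com for mail.example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # The first hit while shortening from the left is the longest suffix.
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # suffix not in the sample set


def spf_aligned(mail_from: str, header_from: str, mode: str = "r") -> bool:
    """Alignment only; the SPF check on the MailFROM domain must pass separately."""
    a = mail_from.lower().rstrip(".")
    b = header_from.lower().rstrip(".")
    if mode == "s":
        return a == b  # strict: exact match
    # relaxed: same organizational domain, so either side may be the parent
    return org_domain(a) == org_domain(b)


def evaluate(record: str, mail_from: str, header_from: str) -> str:
    aligned = spf_aligned(mail_from, header_from, aspf_mode(record))
    return "PASS" if aligned else "FAIL"


if __name__ == "__main__":
    relaxed = "v=DMARC1; p=quarantine; pct=25; aspf=r;"  # constructed records
    strict = "v=DMARC1; p=quarantine; pct=25; aspf=s;"
    for rec, mf, hf in [(relaxed, "mail.example.com", "example.com"),
                        (relaxed, "example.mail.com", "example.com"),
                        (strict, "mail.example.com", "mail.example.com"),
                        (strict, "mail.example.com", "example.com")]:
        print(aspf_mode(rec), mf, hf, evaluate(rec, mf, hf))
```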