DMARC ASPF Tag

This particular tag indicates the SPF identifier alignment portion of your DMARC policy. Like the adkim designation, the aspf tag can be utilized in relaxed (r) or strict (s) modes. Successful alignment happens when the “Mail-From” address and the “From” address domains are identical. In addition, it automatically defaults to the aspf=r setting.

Highlighted below is an aspf tag used in a DMARC record:

Relaxed SPF Alignment

In relaxed SPF Alignment, the MailFROM domain and the Header From domain must be an exact match or a parent/child match (i.e. example.com and child.example.com). The parent/child match type allows any subdomain and parent domain pair to generate a PASS result. Also worth noting, in the parent/child match scenario either the MailFROM domain or the Header From domain can be the parent or the child domain. When the relaxed setting is specified in a DMARC record it will look like the below example:

Pass / Fail Scenarios in Relaxed Alignment

Strict SPF Alignment

In strict (s) alignment, a DMARC record will expressed with the aspf=s tag published as illustrated below:

Pass / Fail Scenarios in Strict SPF Alignment

Now, with aspf=s tag published, the MailFROM domain and the Header From domain must exactly match. Below are two examples, one displaying an exact match generating a PASS result and another displaying parent/child domains that generat a FAIL result.