What is SPF Alignment?
SPF Alignment is the alignment of two (2) headers found in an email message, meaning the value found in those two headers(a domain) needs to align with one another. This alignment basically means that the value found in each header, which is a domain, must match with the domain found in the other header. A SPF Alignment PASS result is given if there is an exact match to the domain (i.e. example.com = example.com) or if there is a parent / child match (example.com & blue.example.com). These two headers are evaluated during SPF validation testing, at which point the server that received the email will compare two headers in the email which are:
- The <From:> domain
- The RFC5321.MailFrom / Return Path domain
To better understand how SPF alignment, let’s examine its makeup. Two types of alignment tests exist. One is based on SPF, and one is based on DKIM. The Alignment test for SPF is performed in order to verify the authenticity of the domain sending the email by using two header signatures in the message where the sender's domain is present. This is done as part of the DMARC standard, as the <From:> domain can be easily spoofed by fraudsters and used to trick people into opening malicious emails and clicking malicious links.
NOTE: If you’ve specified your DMARC record to contain a tag of “aspf=s” the domains must be an exact (domain/domain) match for SPF alignment to pass (i.e., RFC5321.MailFrom / Return-Path and RFC5322.From domains must be exactly identical). The "s" in the aspf tag stands for strict, which tells the inbox's mail server to be more restrictive in what generates a pass result.
The first example will pass alignment if “aspf=s” is present. The second example will NOT pass alignment if “aspf=s” is present.
Example 1: SPF in alignment
MAIL FROM: <sender@example.com>
From: sender@example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org
Subject: here's a sample
In Example 1, SPF passes alignment. Why? The RFC5321.MailFrom parameter and the RFC5322.From field (both highlighted above) have identical DNS domains. Therefore, the domain matches (aligns) and will generate a pass result.
Example 2: SPF in alignment (parent)
MAIL FROM: <sender@child.example.com> *This is the RFC5321.MailFrom domain.
From: sender@example.com *This is the RFC5322.From domain.
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org
Subject: here's a sample
In Example 2, the RFC5322.From address (second highlight) includes the Organizational domain of example.com and the RFC5321.MailFrom / Return-Path (first highlight) includes a subdomain of example.com (child.example.com). In default relaxed SPF mode, this message passes SPF alignment because the domains match due to the loose parent / child matching criteria (alignment).
Example 3: SPF NOT in alignment
MAIL FROM: <sender@amazonses.com> *This is the RFC5321.MailFrom domain.
From: sender@example.com *This is the RFC5322.From domain.
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org
Subject: here's a sample
In Example 3, SPF does NOT pass alignment. Why? The RFC5321.MailFrom / Return-Path domain (first highlight) is amazonses.com and the RFC5322.From domain (second highlight) is example.com. Because the domains do NOT match, they fail SPF alignment.
For more SPF alignment information/examples, please see RFC7489 Appendix B.1.1.