What is SPF Alignment?

An email message is made up of several headers. Each header carries information about the message, such as when it was sent, where it came from, and who it was sent to. For alignment purposes, SPF involves two identifiers:

• The From: header (the visible RFC5322.From domain)
• The Return-Path, also called the envelope sender or Mail From (the RFC5321.MailFrom domain)

When the domain in the From: header and the domain in the Return-Path align for an email, SPF alignment passes. When they do not, it fails. SPF alignment is an important factor in deciding whether a message is treated as legitimate under DMARC.

The example above shows a case where the From: domain aligns with the Return-Path (Mail From) domain, so SPF alignment passes.

Why does SPF alignment fail?

Case 1: Your SPF alignment mode is set to strict

The default SPF alignment mode is relaxed. Setting it to strict can cause alignment failures when the Return-Path domain is a subdomain of your organizational domain while the From: header uses the organizational domain itself (or vice versa). In strict mode, the two domains must match exactly. In relaxed mode, they only need to share the same organizational domain, so a subdomain still aligns.

The example above shows mail where the two domains share the same organizational domain but are not an exact match (the Mail From domain is a subdomain of company.com). In relaxed mode this passes SPF alignment; in strict mode it fails.

Case 2: Your domain has been spoofed

A common reason for SPF alignment failure is spoofing, where an attacker forges your domain in the From: address to deceive your recipients. The From: domain shows your identity, but the Return-Path reflects the attacker's own sending infrastructure. Because the attacker's envelope domain does not align with your From: domain, the message fails SPF alignment on the receiver's side, which is exactly the outcome DMARC enforcement relies on to stop the spoofed mail.

Case 3: Your third-party email vendors are not aligned

If you use third-party vendors that are not properly reflected in your SPF setup, misalignment can occur. This is one of the most common causes of SPF alignment failure. It happens when you use external services such as Microsoft 365 or Mailchimp to send mail but do not authorize them correctly, so receivers cannot tie that mail back to your domain. The fix is to ensure each authorized vendor is included in your SPF record (and, where possible, that DKIM is aligned too, since DKIM is more resilient to forwarding).