
What is SPF Alignment?

An email message is made up of several different headers. Each header contains information about certain attributes of an email message, including the date it was sent, where it was sent, and to whom it was sent. SPF deals with two types of email headers:

  • The From: header
  • The Return-Path header

When the domain in the From header and the domain in the Return-Path header match, SPF alignment passes for that email. When the two do not match, alignment fails. SPF alignment is an important criterion in deciding whether an email message is legitimate or fake.

Shown above is an example where the From: header is in alignment (exactly matches) with the Return-Path header (Mail From), hence SPF alignment would pass for this email.

Why Does SPF alignment fail?

Case 1: Your SPF alignment mode is set to strict

While the default SPF alignment mode is relaxed, setting a strict SPF alignment mode can lead to alignment failures if the Return-Path domain is a subdomain of the organizational domain while the From header uses the organizational domain itself. This is because for SPF to align in strict mode, the domains in the two headers must be an exact match. For relaxed alignment, SPF alignment passes if the two domains share the same organizational domain.

Shown above is an example of a mail whose two domains share the same organizational domain but are not an exact match (the Mail From domain is a subdomain of the organizational domain company.com). In this case, if your SPF alignment mode is set to “relaxed”, your email will pass SPF alignment; in strict mode, it will fail.

Case 2: Your domain has been spoofed

A very common reason for SPF alignment failures is domain spoofing. This happens when a cybercriminal takes over your identity by forging your domain name or address to send emails to your receivers. While the From: domain still bears your identity, the Return-Path header displays the original identity of the spoofer. If you have SPF authentication in place for the forged domain, the email inevitably fails alignment on the receiver’s side.

Case 3: Your Third-Party Email Vendors are Not Aligned 

If you are using third-party email vendors that you have not included in your SPF record, there is a chance of misalignment. This is the most common cause of SPF alignment failure.

This happens when you use external email vendors like Office 365 or MailChimp to send emails but don’t include their IPs in your SPF record. This makes email receivers perceive these emails as spam or impersonated.
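
An added example (not part of the original course page) of the comparison described in Cases 1 to 3: it extracts the From: and Return-Path domains and checks them in relaxed and strict mode, where relaxed mode compares organizational domains. The sample headers and the small `PUBLIC_SUFFIXES` set, a stand-in for the Public Suffix List, are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List, enough for the samples below.
PUBLIC_SUFFIXES = {"com", "org", "net", "example", "co.uk"}

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or None if there is none."""
    addr = parseaddr(header_value)[1]
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].rstrip(".").lower() or None

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label to its left."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels

def spf_aligned(from_header, return_path, mode="relaxed"):
    """True if the From: domain aligns with the Return-Path domain in the given mode."""
    if mode not in ("relaxed", "strict"):
        raise ValueError("mode must be 'relaxed' or 'strict'")
    f, r = domain_of(from_header), domain_of(return_path)
    if not f or not r:
        return False  # no domain to compare (for example an empty Return-Path)
    if mode == "strict":
        return f == r
    return org_domain(f) == org_domain(r)

SAMPLES = [  # constructed (From:, Return-Path) pairs
    ("Billing <billing@company.com>", "<billing@company.com>"),       # exact match
    ("Billing <billing@company.com>", "<bounce@mail.company.com>"),   # subdomain (Case 1)
    ("Billing <billing@company.com>", "<x@other.example>"),           # spoofed From: (Case 2)
    ("Billing <billing@company.com>", "<b@bounces.vendor.example>"),  # vendor bounce domain (Case 3)
    ("Billing <billing@company.com>", "<x@othercompany.com>"),        # same TLD, different organization
]

def evaluate(samples=SAMPLES):
    """Return (relaxed, strict) alignment results for each sample pair."""
    return [(spf_aligned(f, r, "relaxed"), spf_aligned(f, r, "strict")) for f, r in samples]

if __name__ == "__main__":
    for (f, r), (relaxed, strict) in zip(SAMPLES, evaluate()):
        print(f"{domain_of(f):<14} {domain_of(r):<24} relaxed={relaxed} strict={strict}")
```

The last sample shows that sharing only a suffix such as .com is not enough for relaxed alignment.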
