Will DMARC pass with aspf=s if SPF record is on a subdomain?
Summary
What email marketers say (8 marketer opinions)
Email marketer from StackOverflow answers that SPF records do not cover subdomains by default. Each subdomain needs its own SPF record. Therefore, relying on a subdomain's SPF record for DMARC alignment with a parent domain in the `From` header would fail with `aspf=s`.
Marketer from Email Geeks answers no to the original question.
Email marketer from Postmark shares that SPF alignment is how DMARC uses SPF, and Strict mode means that the domain in the RFC5322.From header (visible to email recipients) must exactly match the domain used to authenticate the email with SPF.
Email marketer from EasyDMARC explains that for strict SPF alignment (aspf=s) to work, the SPF-authenticated domain must precisely match the domain found in the From header of the email. Therefore, if the SPF record exists only for a subdomain and the From header uses the main domain, the DMARC check will not pass.
Marketer from Email Geeks explains that DMARC only requires SPF or DKIM to pass, so if the DKIM passes then the DMARC will pass.
Marketer from Email Geeks explains that aspf=s means Strict Alignment, i.e., an exact match.
Email marketer from Mailhardener confirms that for SPF to align in strict mode, you must ensure that the domain in the 'header from' matches the domain used for SPF verification. In this situation, if SPF is being authenticated by a subdomain, it will fail.
Email marketer from Reddit shares that if the SPF record is only set up on the subdomain, and the DMARC policy requires strict alignment (`aspf=s`), the DMARC check will fail because the domains do not match exactly.
What the experts say (2 expert opinions)
Expert from Word to the Wise explains that if SPF fails (which it will with a subdomain and `aspf=s`), DMARC will check for DKIM. If DKIM also fails, the DMARC policy will be applied, potentially leading to deliverability issues.
Expert from Email Geeks explains that unless you go to the (significant) effort of having the same domain in your From: header and your return path, `aspf=r` is what you want, and that there’s not really any downside to it.
What the documentation says (3 technical articles)
Documentation from Valimail.com clarifies that with strict SPF alignment (`aspf=s`), the SPF authenticated domain must exactly match the domain in the `From` header. Therefore, SPF passing on a subdomain will not satisfy DMARC if the `From` header uses the parent domain.
Documentation from AuthSMTP explains that with `aspf=s` any subdomain will fail, and that `aspf=r` is generally used instead.
Documentation from dmarcian.com explains that `aspf=s` (strict) requires the SPF check to pass and the domain used in the `MAIL FROM` (also known as the envelope sender or Return-Path) to exactly match the domain in the `From` header. If the SPF record is on a subdomain and the `From` header uses the parent domain, it will fail.
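The alignment rule the sources above describe, as an added example (not code from any of the quoted sources): it evaluates strict and relaxed SPF alignment plus the DKIM fallback for one message. The function names, the `example.com` sample domains and the two-label shortcut for the organizational domain are assumptions; a real evaluator derives the organizational domain from the Public Suffix List.

```python
"""DMARC identifier alignment for SPF and DKIM (illustrative sketch)."""

def org_domain(domain: str) -> str:
    # ASSUMPTION: organizational domain = last two labels. Real evaluators
    # use the Public Suffix List (required for suffixes such as co.uk).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":                          # strict: exact match only
        return a == f
    return org_domain(a) == org_domain(f)    # relaxed: same organizational domain

def dmarc_result(from_domain, mail_from_domain, spf_pass,
                 dkim_domain=None, dkim_pass=False, aspf="r", adkim="r"):
    """Return (dmarc_pass, spf_aligned, dkim_aligned) for one message.

    from_domain      -- domain of the RFC5322.From header
    mail_from_domain -- domain of the envelope sender (Return-Path) checked by SPF
    dkim_domain      -- d= domain of a DKIM signature, if any
    aspf / adkim     -- alignment modes from the DMARC record ("r" is the default)
    """
    spf_ok = bool(spf_pass) and aligned(mail_from_domain, from_domain, aspf)
    dkim_ok = (bool(dkim_domain) and bool(dkim_pass)
               and aligned(dkim_domain, from_domain, adkim))
    # DMARC passes when at least one mechanism both passes and aligns.
    return (spf_ok or dkim_ok, spf_ok, dkim_ok)

if __name__ == "__main__":
    # Constructed sample: From uses the parent domain, SPF passes on a subdomain.
    msg = dict(from_domain="example.com",
               mail_from_domain="bounce.example.com", spf_pass=True)
    print("aspf=s, no DKIM      :", dmarc_result(**msg, aspf="s"))
    print("aspf=r, no DKIM      :", dmarc_result(**msg, aspf="r"))
    print("aspf=s, aligned DKIM :",
          dmarc_result(**msg, aspf="s", dkim_domain="example.com", dkim_pass=True))
```

With `aspf=s` the subdomain Return-Path never aligns, so the message passes DMARC only when an aligned DKIM signature is present.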