SenderGuard

Alignment: relaxed vs strict — how to choose

“Alignment” measures whether the visible From: domain aligns with technical authentication domains used by SPF and DKIM. When alignment holds, DMARC policy can be enforced confidently; when it doesn’t, the same message can pass SPF/DKIM but still fail DMARC. This guide explains how alignment is computed, the difference between relaxed and strict modes, and a practical path to adopt stricter alignment without breaking legitimate traffic.

Quick start: check your alignment now

Run a 3‑second audit and get badges for SPF/DKIM/DMARC/Alignment/One‑Click unsubscribe. Then verify from multiple public resolvers.

How alignment is calculated

  • Organizational domain: derived using the Public Suffix List (PSL). For a.news.brand.co.uk the organizational domain is brand.co.uk.
  • SPF identity: the domain in SMTP MAIL FROM (a.k.a. Return‑Path, envelope from).
  • DKIM identity: the d= domain embedded in a passing DKIM signature.
  • Header From: the human‑visible From: address domain.

Alignment compares the organizational domain of Header From with each identity. In relaxed mode, two domains align if their organizational domains match (e.g. brand.com and mail.brand.com). In strict mode, they must be an exact match (e.g. brand.com with brand.com only).

Relaxed vs strict: which should I choose?

| Mode | Pros | Trade‑offs | Good for |
| --- | --- | --- | --- |
| Relaxed (r) | Works across sub‑domains and multiple ESPs; fewer false negatives | Looser policy may hide drift; spoofed sibling sub‑domains are harder to catch | Complex stacks, migrations, transitional phases |
| Strict (s) | Tighter control; clearer ownership; better brand protection | Requires consistent routing and exact domain match across SPF/DKIM | Mature stacks with stable ESP routes and single From domain |

A pragmatic path to strict alignment

  1. Inventory sending paths: enumerate all From domains, ESPs, and DKIM selectors in use.
  2. Stabilize DKIM: ensure every route signs with a domain you control (not vendor domain) and upgrade keys to 2048‑bit.
  3. Align SPF envelope: prefer MAIL FROM on your domain (sub‑domain allowed). Avoid vendor envelope domains when possible.
  4. Pilot strict on a sub‑brand: e.g. updates.brand.com. Measure bounce/complaint impact for 7–14 days.
  5. Rollout with guardrails: configure DMARC adkim=s, aspf=s for the stable paths first. Keep monitoring alignment drift.

How to verify alignment (evidence you can share)

Paste raw headers (or upload .eml) to parse Authentication‑Results, extract smtp.mailfrom, dkim d=, and header.from, and compute relaxed/strict alignment. From SenderGuard: download a PDF evidence pack containing scanId, sha256, and a public Verify link. Anyone can re‑compute using independent resolvers and compare hashes.
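The alignment computation described in "How alignment is calculated" and in the verification step above, as an added example (not SenderGuard's code): it parses an Authentication-Results value and evaluates relaxed and strict alignment. The small suffix set stands in for the full Public Suffix List, and the header, the receiver name and the vendor domain are constructed samples.

```python
import re

# Constructed stand-in for the Public Suffix List; a real check loads the full PSL.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i = 0 tests the longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # assumption: unlisted TLDs are one-label suffixes

def aligned(identity, header_from, mode):
    """mode "s": exact domain match; mode "r": same organizational domain."""
    a, b = identity.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def parse_auth_results(value):
    """Return header.from plus the domains of passing SPF and DKIM results."""
    found = {"from": None, "spf": [], "dkim": []}
    for clause in value.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue  # authserv-id, or a method this example does not use
        method, result = m.groups()
        props = dict(re.findall(r"(smtp\.mailfrom|header\.d|header\.from)=(\S+)", clause))
        if "header.from" in props:
            found["from"] = props["header.from"].lower()
        if method == "spf" and result == "pass" and "smtp.mailfrom" in props:
            found["spf"].append(props["smtp.mailfrom"].rsplit("@", 1)[-1].lower())
        if method == "dkim" and result == "pass" and "header.d" in props:
            found["dkim"].append(props["header.d"].lower())
    return found

def dmarc_alignment(value, adkim="r", aspf="r"):
    """Alignment verdict for one Authentication-Results value under adkim/aspf."""
    f = parse_auth_results(value)
    hf = f["from"]  # without a header.from there is nothing to align against
    spf_ok = hf is not None and any(aligned(d, hf, aspf) for d in f["spf"])
    dkim_ok = hf is not None and any(aligned(d, hf, adkim) for d in f["dkim"])
    return {"spf": spf_ok, "dkim": dkim_ok, "aligned": spf_ok or dkim_ok}

# Constructed header: SPF passes on a vendor envelope, DKIM passes with a sub-domain d=.
SAMPLE = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@bounces.esp-vendor.example; "
          "dkim=pass header.d=mail.brand.com header.s=s1; dmarc=pass header.from=brand.com")

if __name__ == "__main__":
    print(dmarc_alignment(SAMPLE), dmarc_alignment(SAMPLE, adkim="s", aspf="s"))
```

With the constructed header, relaxed mode aligns through DKIM because mail.brand.com shares the organizational domain brand.com, while strict mode leaves neither identity aligned even though both SPF and DKIM passed.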

Common pitfalls

  • Signing with vendor domain in DKIM d= (breaks alignment even when signature passes)
  • Using different From domains across transactional vs marketing without updating DMARC
  • Sub‑domain split deliveries where SPF envelope points to vendor domain
  • PSL mistakes when deriving organizational domain for exotic TLDs

FAQ

  • Do I need both SPF and DKIM aligned? DMARC requires at least one aligned authentication (SPF or DKIM) to pass.
  • Is strict alignment overkill? No—if your routing is stable. Start strict on a subset, then expand once you have confidence.
  • What if an ESP requires its own envelope domain? Prefer DKIM alignment in that case; keep SPF relaxed while DKIM enforces strict.

Next steps: run the audit above, generate a PDF pack, and toggle adkim/aspf to strict on a pilot domain for two weeks. Roll back in one click if metrics drift.