To achieve a passing SPF alignment, the From: header domain must match the domain used to authenticate SPF (e.g., envelope “mail from:” “return-path” domain).
Don’t really have a question, but maybe it should be clarified that the header.from and the sender domain doesn’t need to be exactly the same (unless aspf=s), one can be a subdomain of the other.
Oh, also - you did bring up the difference between from domain and sender domain in the webinar, but I think it would be a good idea to bring it up again. And again and again and again and really hammer it home. I daily deal with customers (their IT departments) who have set p=reject and wonder why DMARC fails even though they include our servers in their SPF post. …for their header.from domain. It can take many mails back and forth until they understand the difference between the rfc5321 sender and the rfc5322 from, and which one SPF applies to.
Thank you for this Jesper. All excellent points.
I didn’t want to get into aspf tag until weeks 3-4. DMARC is where SPF alignment is the focus, not so much with just SPF verification alone. DMARC helps with allowing the alignment to be relaxed and use of subdomains with SPF and DKIM.