Strict

This article relates to the use of DMARC record flags aspf and adkim.

Strict is a non-default tightening of the alignment requirements for authentication. It can be applied independently to SPF and DKIM with "aspf=s" and "adkim=s" respectively. Domain owners and managers should use these settings only if they completely understand the implications and expected results; this should be considered an expert-level setting, and you should not use these flags if you need more input than is contained in this article.

For a more complete discussion on alignment in general, please read this article: https://dmarcian.com/alignment/

The default alignment mode for a DMARC record is 'relaxed', not 'strict' (tag value 'r' vs 's'). In relaxed mode the domain in the From header does not have to *exactly* match the domain of the authentication identifier in question; the From header domain and the authenticated domain must still share the same parent (organizational) domain.

The default applies if the aspf or adkim tag does not appear in the DMARC record, or if it appears with the default value 'r'. Specifying the relaxed value explicitly is not necessary: you can remove 'aspf=r' or 'adkim=r' with no consequence to message authentication (unless the value is in a subdomain's DMARC record, where the relaxed setting is intended to override a strict value that would otherwise be inherited).

Using SPF as an example: if the rfc5322.from header domain (the address you see as From in your email client) is dmarcian.com, and the rfc5321.mailfrom domain (also called mail-from or return-path) is tomki.dmarcian.com, then relaxed alignment (the default) allows the DMARC alignment comparison to be a 'pass' (provided, of course, that the basic SPF check itself passes).

In this example, if dmarcian.com's DMARC record carried aspf=s, the alignment test would fail, because tomki.dmarcian.com is not an exact match for dmarcian.com.

For DKIM the alignment test works exactly the same way, but uses the DKIM authentication identifier domain instead: the domain given by the d= tag in the DKIM-Signature header of the message.
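The alignment rules described above, written out as an added example (not dmarcian's code): it reads aspf/adkim from a DMARC record (defaulting to 'r' when a tag is absent) and applies the relaxed or strict comparison to the SPF and DKIM identifier domains. The organizational-domain lookup is a simplification (last two labels) that stands in for the Public Suffix List a real evaluator would use.

```python
"""Added example: evaluate DMARC identifier alignment in relaxed vs strict mode."""
from typing import Dict, Optional


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption: a real implementation consults the Public Suffix List so that
    e.g. 'example.co.uk' is handled; two labels suffice for this page's example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC alignment test, shared by SPF and DKIM identifiers.
    's' (strict): exact match.  'r' (relaxed): same organizational domain."""
    frm = from_domain.lower().rstrip(".")
    auth = auth_domain.lower().rstrip(".")
    if mode == "s":
        return frm == auth
    if mode == "r":
        return organizational_domain(frm) == organizational_domain(auth)
    raise ValueError(f"unknown alignment mode {mode!r}")


def dmarc_alignment(record: str, from_domain: str,
                    spf_domain: Optional[str] = None,
                    dkim_d: Optional[str] = None) -> Dict[str, bool]:
    """Apply aspf/adkim from the record to the rfc5321.mailfrom domain and the
    DKIM d= domain.  Only alignment is evaluated here: a DMARC pass additionally
    requires the underlying SPF or DKIM check itself to pass."""
    tags = parse_dmarc_tags(record)
    result = {}
    if spf_domain is not None:
        result["spf"] = aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    if dkim_d is not None:
        result["dkim"] = aligned(from_domain, dkim_d, tags.get("adkim", "r"))
    return result
```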