Suped

What is the DMARC 'adkim' tag used for?

When you're setting up DMARC, you'll encounter several different tags that configure how your policy works. DMARC builds on two older email authentication standards, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to help prevent email spoofing. A key part of DMARC is the concept of 'alignment', which ensures that the domains used for authentication are logically connected to the domain the recipient sees in the 'From' address. The adkim tag is a specific instruction within your DMARC record that controls this alignment for DKIM.

At its core, the adkim tag specifies the alignment mode for DKIM. As Mailmodo explains, it defines how strictly the DKIM check aligns with the domain in the 'From' header. This is a crucial setting that determines how receiving mail servers should interpret the results of a DKIM check in the context of your DMARC policy. There are two possible settings for this tag: relaxed or strict.

Progist Knowledge Base | ProDMARC | ProPHISH says: "It stands for “Alignment DKIM” (DomainKeys Identified Mail). This mechanism was introduced in DMARC to validate the Email authentication based on..."

DKIM alignment explained

Before diving into the specific settings, it's important to understand what DKIM alignment actually is. When an email is sent with DKIM, a cryptographic signature is added to the email's headers. This signature includes a domain identifier, specified in the d= tag within the DKIM-Signature header.

DMARC alignment checks whether the domain in that d= tag matches the domain found in the visible 'From' header of the email. This check prevents a scenario where an email might pass a technical DKIM check for one domain (e.g., thirdparty.com) while pretending to be from your domain (e.g., yourcompany.com) in the 'From' address. The adkim tag lets you define how close that match needs to be.

The two alignment modes: relaxed vs. strict

Your DMARC record can specify one of two alignment modes for DKIM. If you don't specify one, the default is relaxed. According to an article from NsLookup.io, "DMARC allows strict or relaxed alignment policy for each tag."

  • Relaxed Alignment (adkim=r): This is the default setting. In relaxed mode, DKIM alignment passes if the domain in the DKIM signature (d= tag) and the domain in the 'From' header share the same organizational domain, so one may be a subdomain of the other. For example, if an email is from marketing@news.suped.com, a DKIM signature for suped.com would achieve alignment. This provides flexibility for organizations that use different subdomains for various email streams.
  • Strict Alignment (adkim=s): As the name implies, this is a more stringent requirement. For alignment to pass in strict mode, the domain in the DKIM signature must exactly match the domain in the 'From' header. Using the previous example, an email from marketing@news.suped.com would only pass strict alignment if the DKIM signature was also for news.suped.com. A signature for the root domain, suped.com, would fail.

SIDN - The company behind .nl says: "If the 'adkim' tag value is 's' (strict), the 'From' domain must exactly match the signing domain in the 'd' tag of the DKIM header."

Which alignment mode should you use?

The choice between relaxed and strict alignment depends on your organization's email infrastructure and security posture. While strict mode offers the highest level of security by preventing any subdomain misuse, it can also be less forgiving. Many legitimate third-party email service providers send on behalf of your domain using a subdomain, which would fail strict alignment if not configured perfectly.

Relaxed mode is more common and practical for most organizations, providing a good balance of security and operational flexibility. As Postale.io notes, the adkim tag is optional and not always used, which means many domains rely on the relaxed default. For most senders, starting with relaxed alignment is the best approach. You can always move to strict alignment later if your sending practices allow for it and you desire a more stringent policy.

How to configure the adkim tag

Adding the adkim tag to your DMARC record is straightforward. It's just another key-value pair within your DMARC TXT record in your DNS.

Here is an example of a DMARC record using strict DKIM alignment:

v=DMARC1; p=quarantine; adkim=s; rua=mailto:dmarc-reports@suped.com

And here is one using relaxed alignment (though adding adkim=r is redundant since it's the default):

v=DMARC1; p=quarantine; adkim=r; rua=mailto:dmarc-reports@suped.com
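
To see how a receiver applies these two records, the following added example (not code from Suped or any mail server) evaluates DKIM alignment for the marketing@news.suped.com case described above. The function names, the sample headers and the small public-suffix set are assumptions made for illustration, and the DKIM signature is assumed to have already passed cryptographic verification.

```python
import re
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List; a real evaluator loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # suffix not in the stand-in list

def parse_tags(value):
    """Parse the 'k=v; k=v' tag list used by DMARC records and DKIM-Signature headers."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = re.sub(r"\s+", "", v)
    return tags

def dkim_aligned(dmarc_record, from_header, dkim_signature):
    """True if the signature's d= domain aligns with the From domain under adkim."""
    mode = parse_tags(dmarc_record).get("adkim", "r")  # relaxed when the tag is absent
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    d = parse_tags(dkim_signature).get("d", "").lower()
    if not from_domain or not d:
        return False
    if mode == "s":
        return d == from_domain                       # strict: exact match only
    return org_domain(d) == org_domain(from_domain)   # relaxed: same organizational domain

# Constructed sample inputs (signature values are placeholders, not real signatures).
STRICT = "v=DMARC1; p=quarantine; adkim=s; rua=mailto:dmarc-reports@suped.com"
NO_ADKIM = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@suped.com"
FROM = "Marketing <marketing@news.suped.com>"
SIG_ROOT = "v=1; a=rsa-sha256; d=suped.com; s=sel1; h=from; bh=PLACEHOLDER; b=PLACEHOLDER"
SIG_SUB = "v=1; a=rsa-sha256; d=news.suped.com; s=sel1; h=from; bh=PLACEHOLDER; b=PLACEHOLDER"
SIG_THIRD = "v=1; a=rsa-sha256; d=thirdparty.com; s=sel1; h=from; bh=PLACEHOLDER; b=PLACEHOLDER"

if __name__ == "__main__":
    for name, rec in (("adkim=s", STRICT), ("adkim absent", NO_ADKIM)):
        for sig in (SIG_ROOT, SIG_SUB, SIG_THIRD):
            print(name, parse_tags(sig)["d"], dkim_aligned(rec, FROM, sig))
```

The root-domain signature aligns only when adkim is relaxed or absent, and the thirdparty.com signature aligns in neither mode.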

In summary, the adkim tag is a powerful, if sometimes overlooked, component of DMARC. It gives you precise control over how DKIM-signed messages are validated, helping you to secure your domain against spoofing while accommodating complex email sending environments.
