The adkim=s tag in a DMARC record is all about setting the “alignment mode” for DKIM. To understand what that means, we first need a quick refresher on DMARC itself. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect your domain from being used in phishing and spoofing attacks. It works by checking if an email is properly authenticated with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
However, DMARC doesn't just check if SPF and DKIM pass. It goes a step further and checks for what's called “alignment”. This means the domain used in the SPF and DKIM authentication must match, or align with, the domain seen in the email's “From” header—the one the recipient sees. This is where the adkim tag comes into play; it specifically controls how strictly the DKIM domain must align with the “From” domain.
The adkim tag has two possible settings: relaxed (r) and strict (s). If you don't specify the tag in your DMARC record, it defaults to relaxed.
Relaxed alignment (adkim=r): In relaxed mode, DKIM alignment passes if the domain in the DKIM signature (the d= tag) shares the same organizational domain as the “From” address domain, which covers the case where the signing domain is the “From” domain itself or a subdomain of it. For example, if an email is sent from marketing@example.com and the DKIM signature is for the domain send.example.com, it will pass relaxed alignment. This flexibility is useful for businesses that use third-party services to send emails on their behalf.
Strict alignment (adkim=s): This is where adkim=s comes in. With strict mode, the domain in the DKIM signature (d= tag) must exactly match the domain in the “From” header. Using the same example, if the email is from marketing@example.com, the DKIM signature must be for example.com. A signature from send.example.com would fail strict alignment.
The main purpose of setting adkim=s is to enforce a tighter security policy. It significantly reduces the risk of sophisticated spoofing attacks where an attacker might compromise or use a subdomain to send unauthorized emails. However, this higher security comes with a trade-off.
Before switching to strict mode, it is essential to analyze your DMARC aggregate reports. These reports show which services are sending email on your behalf and what domains they are using for DKIM signing. You should only move to adkim=s once you have confirmed that all your legitimate mail streams can meet the exact match requirement.
A DMARC record is a simple line of text in your DNS. Here is what a basic record with strict DKIM and SPF alignment would look like:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s;
In this example, p=reject tells receivers to block emails that fail DMARC, and adkim=s sets the strict alignment policy for DKIM. The aspf=s tag does the same for SPF.
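The following is an added worked example, not code from the original article: it parses a DMARC record's tags and then evaluates DKIM and SPF alignment for a message the way the text describes, so the difference between relaxed and strict mode can be exercised on sample inputs. The hard-coded PUBLIC_SUFFIXES set is an assumption standing in for the real Public Suffix List that receivers use to derive the organizational domain; the message fields passed to evaluate() are constructed sample values.

```python
"""Added example (not part of the original article): DMARC alignment check.

Assumption: PUBLIC_SUFFIXES is a constructed stand-in for the Public
Suffix List; a real receiver consults the full list.
"""
from typing import Optional

# Constructed stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the organizational domain, e.g. send.example.com -> example.com.

    Finds the longest matching public suffix and keeps exactly one more label.
    """
    labels = domain.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return domain.lower().rstrip(".")


def parse_dmarc_record(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and apply the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    # Both alignment tags default to relaxed when they are absent.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed needs the
    same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    if mode == "r":
        return organizational_domain(f) == organizational_domain(a)
    raise ValueError(f"unknown alignment mode {mode!r}")


def evaluate(record: str, from_domain: str,
             dkim_d: Optional[str], dkim_pass: bool,
             spf_domain: Optional[str], spf_pass: bool) -> dict:
    """DMARC passes if at least one identifier both passes its own check and
    aligns with the From domain under the record's adkim/aspf mode."""
    tags = parse_dmarc_record(record)
    dkim_ok = bool(dkim_pass and dkim_d and is_aligned(from_domain, dkim_d, tags["adkim"]))
    spf_ok = bool(spf_pass and spf_domain and is_aligned(from_domain, spf_domain, tags["aspf"]))
    return {"dkim": dkim_ok, "spf": spf_ok, "dmarc": dkim_ok or spf_ok, "policy": tags.get("p")}


if __name__ == "__main__":
    # Constructed sample message: From example.com, DKIM d=send.example.com.
    strict = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s;"
    relaxed = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com;"
    for name, rec in (("strict", strict), ("relaxed", relaxed)):
        print(name, evaluate(rec, "example.com", "send.example.com", True, None, False))
```

Running the block shows the same message passing DMARC under the relaxed record and failing under the strict one, which is exactly the case to look for in aggregate reports before publishing adkim=s: any legitimate stream whose DKIM d= domain is a subdomain of the From domain will start failing.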
In conclusion, the purpose of the adkim=s tag is to enforce the highest level of DKIM authentication security within DMARC. While the default relaxed mode is sufficient for many, strict alignment provides an extra layer of protection for organizations that need it—as long as it's implemented with a clear understanding of all email sending sources.