What is the difference between adkim=s and adkim=r?

The adkim tag in DMARC specifies DKIM alignment. adkim=s (strict) requires an exact match between the DKIM signing domain and the From header domain. adkim=r (relaxed) allows subdomains of the DKIM signing domain to also pass alignment.

Why would I use adkim=s?

You would use adkim=s for maximum security against domain spoofing and phishing. It provides a higher level of assurance that emails appearing to be from your domain are indeed sent and signed by your authorized systems, bolstering trust and brand integrity.

What happens if my emails fail DKIM strict alignment?

If an email fails DKIM strict alignment ( adkim=s ) and also fails SPF alignment, it will fail DMARC authentication. Depending on your DMARC policy ( p=none , p=quarantine , or p=reject ), the email could be delivered to spam, quarantined, or rejected outright, impacting your email deliverability.

How can Suped help me with adkim=s?

Suped's DMARC monitoring platform provides detailed reports that show you which emails are passing or failing DKIM alignment, including those affected by adkim=s . Our AI-powered recommendations guide you on how to resolve any issues, ensuring your legitimate emails are aligned and delivered. You can also get real-time alerts when problems arise.

What is the purpose of the 'adkim=s' tag in DMARC? - DMARC - Email authentication - Knowledge base

Stylized email envelope with a lock, representing DMARC security.

When delving into email authentication, understanding DMARC is crucial. This protocol relies on SPF and DKIM to verify email legitimacy, helping to prevent spoofing and phishing attacks. One specific tag within your DMARC record, adkim, plays a significant role in how DKIM authentication is evaluated, particularly when set to adkim=s.

The adkim tag, which dictates the DKIM alignment mode, is an optional but powerful setting within your DMARC record. Its primary purpose is to specify how strictly the domain used in the DKIM signature must match the From header domain of your outgoing emails. Without proper alignment, even emails with valid SPF or DKIM signatures might fail DMARC checks, impacting deliverability.

The purpose of the 'adkim' tag

The adkim tag has two possible values: r for relaxed mode, and s for strict mode. Understanding the difference between these is key to configuring your DMARC record effectively and ensuring your emails are delivered as intended. For a comprehensive overview of DMARC tags, you can consult a list of DMARC tags and their meanings.

Mode	Description	Example Alignment
Relaxed (adkim=r)	Allows subdomains of the DKIM signing domain to match the From header domain.	DKIM: example.com. From: mail.example.com
Strict (adkim=s)	Requires the DKIM signing domain to EXACTLY match the From header domain.	DKIM: example.com. From: example.com

The choice between adkim=r and adkim=s directly impacts how DMARC authenticates your email, affecting your email security posture and overall deliverability. This decision should be made carefully, considering your email infrastructure and sending practices.

Strict alignment with adkim=s

When you specify adkim=s in your DMARC record, you are enforcing strict DKIM alignment. This means that for an email to pass DMARC's DKIM check, the domain in the d= tag of the DKIM signature must be an exact match to the domain in the email's From header. Subdomains are not considered aligned in strict mode.

Magnifying glass examining email domains for exact matches.

For instance, if your From header is sender@yourdomain.com, the DKIM signature's d= tag must be yourdomain.com. If the d= tag specifies mail.yourdomain.com, it would fail strict alignment, even if yourdomain.com is the organizational domain. This level of precision is why it's considered strict.

DKIM alignment explained

The core concept of DKIM alignment is to ensure that the domain signing your email (the d= tag in your DKIM signature) is related to the domain shown in the From header of the email. This relationship is what DMARC checks to confirm authenticity. You can read more about what the DMARC 'adkim' tag is used for in our knowledge base.

Benefits and challenges of strict alignment

The primary benefit of using adkim=s is enhanced security. By requiring an exact domain match, it makes it much harder for attackers to spoof your domain, even if they manage to sign emails with a subdomain that belongs to you. This significantly reduces the risk of phishing attacks where attackers try to impersonate your brand.

However, strict alignment also presents challenges, especially for organizations using third-party email service providers (ESPs). Many ESPs sign emails using their own sending domains or subdomains, which can cause DMARC failures if adkim=s is enforced. For example, Amazon SES requires specific configurations to comply with DMARC. This is a common pitfall that can lead to legitimate emails being blocked or marked as spam.

Pros of adkim=s

Enhanced security: Significantly reduces the risk of direct domain spoofing and phishing attacks by requiring exact domain matches.
Clearer brand representation: Ensures that all authenticated emails consistently display your primary domain, bolstering trust.
Better reporting: DMARC reports become more precise, helping you identify unauthorized senders more easily.

Cons of adkim=s

Complexity with third parties: Can cause legitimate emails from ESPs to fail if they sign with subdomains or different domains.
Potential for deliverability issues: Misconfigurations or unaligned third-party senders can lead to emails landing in spam or being rejected.
Requires careful monitoring: You need robust DMARC monitoring to catch and fix alignment issues quickly.

Many email marketing and transactional email services, like Mailjet, provide options to customize your DKIM signing domain to achieve strict alignment. It’s essential to review your entire email ecosystem to ensure all legitimate senders can comply with adkim=s before deploying it at an enforcement policy (like p=quarantine or p=reject). This careful approach helps avoid unintended email delivery issues.

Setting up your DMARC record

To implement strict DKIM alignment, you simply add the adkim=s tag to your DMARC DNS record. Here's what a basic DMARC record with strict DKIM alignment might look like:

Example DMARC Record with adkim=s

v=DMARC1; p=none; adkim=s; ruf=mailto:reports@yourdomain.com; rua=mailto:aggregate@yourdomain.com;

Before transitioning your DMARC policy to p=quarantine or p=reject, it’s crucial to thoroughly monitor your DMARC reports. This will help you identify any legitimate email sources that are not yet configured for strict alignment. Suped offers a user-friendly DMARC monitoring solution that provides actionable insights, helping you safely transition your DMARC policy without disrupting your email flow.

Strengthening your email security

Implementing adkim=s is a strong step towards improving your email security and deliverability. It helps ensure that only authorized emails, strictly aligned with your brand's domain, reach recipients' inboxes. By using this tag, you're building a more robust defense against email fraud and enhancing recipient trust in your communications.

Staying informed about your email authentication status is vital. Tools that provide real-time alerts and AI-powered recommendations, like Suped, can significantly simplify DMARC management. They help you quickly identify and resolve any alignment issues that might arise, ensuring your email program remains secure and effective.