What is the role of the 'dkim-alignment' in DMARC?
Michael Ko
Co-founder & CEO, Suped
Published 23 Dec 2024
Updated 16 Sep 2025
When we talk about email authentication and deliverability, DMARC is a critical protocol that helps protect your domain from impersonation and ensures your legitimate emails reach their intended recipients. However, DMARC doesn't work in isolation. It relies on underlying authentication mechanisms, primarily SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
DKIM's role is to provide a way for senders to digitally sign their emails, allowing receiving servers to verify that the message hasn't been tampered with in transit and that it originates from an authorized sender. This digital signature is tied to a specific domain, the DKIM signing domain.
The magic really happens when DMARC steps in to connect the dots. It checks if the domain that DKIM authenticated, or the one authenticated by SPF, aligns with the domain in the From header of the email. This process, known as identifier alignment, is what gives DMARC its power, especially DKIM alignment, which is what we will focus on here.
The foundation of DKIM alignment
At its core, DKIM works by attaching a cryptographic signature to outgoing emails. This signature is generated using a private key and can be verified by a public key published in your domain's DNS records. The primary purpose is to ensure that the email content hasn't been altered since it was signed by the sender and to verify the sender's identity. You can learn more about this in Microsoft's guide to setting up DKIM.
Every DKIM signature includes a d= tag, which explicitly states the domain responsible for signing the email. This signing domain is crucial because it's the identifier DMARC will scrutinize for alignment. It's important to understand this distinction: DKIM verifies the signature from the d= domain, not necessarily the domain you see in your email client.
The domain that your recipients see in their email client is specified in the RFC 5322.From header, commonly called the header From domain. This is the domain DMARC cares most about for both SPF and DKIM alignment. DMARC's core function is to ensure that this visible sender domain is legitimately authorized by the underlying authentication protocols.
DKIM alignment, therefore, is the process where DMARC checks whether the domain in the d= tag of the DKIM signature matches the domain in the email's 5322.From header, either exactly or at the organizational-domain level, depending on the alignment mode. This specific check is what makes DKIM a powerful component of your email authentication strategy.
Strict versus relaxed DKIM alignment
DMARC offers two modes for DKIM alignment, allowing senders some flexibility based on their email infrastructure: strict alignment and relaxed alignment. Your DMARC record specifies which of these modes should be used for your domain's emails.
In strict DKIM alignment (indicated by adkim=s in your DMARC record), the domain in the DKIM d= tag must be an exact match to the RFC 5322.From domain. No subdomains are permitted under this strict rule. For example, if your From header is sender@example.com, the DKIM signature must also be for example.com.
Conversely, relaxed DKIM alignment (specified with adkim=r) is more forgiving. It requires only that the DKIM signing domain and the 5322.From domain share the same organizational domain, which allows the DKIM signing domain to be a subdomain of the 5322.From domain. So, if your From header is sender@example.com, a DKIM signature from marketing.example.com would still pass alignment. This flexibility is often useful for organizations that send emails through various platforms or subdomains. For more on this, read about how relaxed alignment matches organizational domain.
Strict alignment (adkim=s)
Exact match: The DKIM d= domain must be identical to the 5322.From domain.
Stronger security: Provides the highest level of trust and anti-spoofing protection.
Less flexibility: May require more careful configuration, especially with third-party senders.
Relaxed alignment (adkim=r)
Organizational domain match: The DKIM d= domain and the 5322.From domain must share an organizational domain, so the d= domain can be a subdomain of the 5322.From domain.
More common for ESPs: Often used by email service providers that send on behalf of clients using subdomains.
Increased flexibility: Easier to implement with complex sending architectures.
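The strict and relaxed checks described above, written out as an added Python example (not code from Suped or from any mail server). It goes slightly beyond the article's example by applying the general relaxed rule from RFC 7489, under which a From subdomain signed by the parent domain also aligns. The tiny suffix set is a constructed stand-in for the Public Suffix List, and all function names are hypothetical.

```python
import re

# Constructed stand-in for the Public Suffix List (assumption: a real
# deployment loads the full list instead of this four-entry set).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is unknown

def adkim_mode(dmarc_record):
    """Read adkim= from a DMARC TXT record; relaxed ('r') is the default."""
    for part in dmarc_record.split(";"):
        key, _, value = part.partition("=")
        if key.strip().lower() == "adkim":
            return "s" if value.strip().lower() == "s" else "r"
    return "r"

def dkim_d_tag(signature_header):
    """Extract the d= signing domain from a DKIM-Signature header value."""
    m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", signature_header)
    return m.group(1).lower() if m else None

def dkim_aligned(from_domain, signatures, dmarc_record):
    """signatures: list of (DKIM-Signature value, verified_ok) pairs.
    True if any signature that verified has a d= aligned with From."""
    mode = adkim_mode(dmarc_record)
    from_domain = from_domain.lower()
    for header, verified in signatures:
        d = dkim_d_tag(header)
        if not verified or d is None:
            continue  # an unverified signature never counts toward DMARC
        if mode == "s" and d == from_domain:
            return True
        if mode == "r" and org_domain(d) == org_domain(from_domain):
            return True
    return False
```
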
Why DKIM alignment matters for DMARC
DMARC checks for alignment from either SPF or DKIM. If at least one of these passes authentication and aligns, the email is considered DMARC compliant. However, if neither SPF nor DKIM aligns, DMARC considers the email to be unauthenticated, and your domain's DMARC policy (p=none, p=quarantine, or p=reject) will be applied. This is foundational to understanding DMARC.
Failing DKIM alignment can have significant negative impacts on your email deliverability. When DMARC failures occur, receiving mail servers are more likely to reject your emails or place them in the recipient's spam or junk folder. This directly affects your sender reputation and the effectiveness of your email communications. Many senders experience DMARC verification failed errors due to these issues.
This is why DMARC monitoring is so important. By analyzing your DMARC reports, you can gain crucial visibility into whether your DKIM signatures are aligning correctly. Tools like Suped provide detailed insights, helping you pinpoint exactly where alignment failures are occurring and guiding you on how to rectify them to ensure better deliverability.
Key takeaways for DMARC pass
Authentication: DKIM alignment is a primary method DMARC uses to authenticate senders, verifying domain legitimacy.
Spoofing prevention: Ensures the visible sender domain matches the authenticated signing domain, protecting against phishing.
Deliverability: Proper DKIM alignment directly contributes to improved email deliverability and a stronger sender reputation.
To achieve successful DKIM alignment, the first step is to properly set up DKIM for your sending domain. This involves generating a pair of cryptographic keys (a private key for signing and a public key for verification) and publishing the public key in a TXT record in your domain's DNS. The DKIM record will typically include a DKIM selector to differentiate between multiple keys used for different sending sources.
Next, you need to ensure that your email service provider (ESP) or your own sending infrastructure is configured to sign emails with a DKIM d= domain that correctly aligns with your 5322.From domain, according to your chosen DMARC alignment mode (strict or relaxed). This often means configuring your sending platform to use your primary domain or an approved subdomain for DKIM signing.
Finally, continuous monitoring of your DMARC reports is essential. These reports provide invaluable feedback on your email streams, showing you exactly which emails are passing or failing DKIM alignment, and which DMARC policy is being applied. This data helps you identify and troubleshoot any configuration issues quickly. Suped offers comprehensive DMARC monitoring with AI-powered recommendations to simplify this process and help you achieve full DMARC enforcement.
The role of DKIM alignment in DMARC is fundamental to modern email security and deliverability. It acts as a critical link, ensuring that the domain visibly sending an email is cryptographically verified and authorized by your domain's DKIM records. Without proper alignment, even emails with valid DKIM signatures can fail DMARC checks, leading to deliverability issues.
Achieving and maintaining good DKIM alignment protects your brand reputation, prevents phishing and spoofing attacks, and most importantly, ensures your legitimate emails consistently reach your recipients' inboxes. It's an indispensable component of a robust email authentication strategy.
To effectively manage DKIM alignment and your overall DMARC implementation, a reliable DMARC monitoring solution is key. Suped offers an industry-leading platform with AI-powered recommendations, real-time alerts, and a unified view of your email health, making it easier than ever to achieve and maintain perfect alignment.