When you're setting up DMARC, it's easy to focus on just getting SPF and DKIM to pass. But there's a crucial next step that is often overlooked: alignment. DMARC doesn't just check whether an email passes SPF or DKIM; it checks whether the domains used for those authentication checks align with the domain in the 'From' address, the one your recipients actually see. Without this alignment, a legitimate email can pass DKIM but still fail DMARC, so under an enforcing policy your own mail gets quarantined or rejected, and without the alignment requirement in the first place, DMARC would offer no real protection against spoofing.
DKIM, or DomainKeys Identified Mail, provides a cryptographic signature that verifies two things: that the signed headers and body haven't been altered in transit, and that the signature was produced with a private key whose public half is published in DNS under the domain named in the signature's d= tag. However, DMARC takes this a step further by asking, "Is the domain that signed the message the same one shown to the user?" This is the essence of DKIM alignment.
DKIM alignment compares the domain found in the DKIM signature's d= tag with the domain in the email's visible 'From' header. For an email to be 'DKIM aligned', these two domains must match. This connection is vital because it ensures the cryptographic proof of authenticity provided by DKIM is directly tied to the sender identity that the recipient sees. As DuoCircle notes, this adds an additional layer of trust, confirming the email is from who it claims to be from.
Your DMARC record specifies how strict this check should be using the adkim tag. There are two settings: relaxed (adkim=r, which is also the default when the tag is omitted), under which the signing domain and the From domain only need to share the same organizational domain, so a signature with d=mail.example.com aligns with a From address at example.com; and strict (adkim=s), under which the two domains must match exactly, so that same signature would not align. The aspf tag sets the equivalent mode for SPF.
For most organizations, relaxed alignment is the best choice. As AWS recommends, it provides the necessary security without causing unnecessary failures, especially when using third-party sending services that often sign from a subdomain.
The core rule of DMARC is that an email must pass either SPF authentication with alignment OR DKIM authentication with alignment. This 'or' is very important. It means that even if SPF fails or is unaligned, which is a common issue with forwarded emails and third-party senders, the message still passes DMARC if its DKIM signature verifies and is aligned.
Think of it as a safety net. Getting SPF alignment right with every service you use can be challenging because SPF alignment is evaluated against the envelope sender (the RFC5321.MailFrom address, visible after delivery as the Return-Path header), which is often controlled by the sending service. DKIM alignment, on the other hand, is generally easier to configure. Most reputable email service providers (ESPs) allow you to set up a custom DKIM signature using your own domain or a subdomain of it, which solves the alignment problem.
Without alignment, DMARC would be much less effective. A spammer could send an email with a forged 'From' address at your domain but sign it with their own, perfectly valid DKIM key for a domain they control. The DKIM check itself would pass, and a receiver that only asked "did DKIM pass?" would have no reason to treat the message as fraudulent. Alignment closes this loophole: because the signing domain doesn't match the 'From' domain, the message fails DMARC and your policy is applied to it.
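The alignment rules and the pass/fail logic described in the last few paragraphs, as an added example that is not code from the original page or from any DMARC product it cites. It parses the d= tag and the From domain out of a message, applies relaxed or strict alignment from the adkim/aspf tags of a DMARC record, and combines that with the receiver's SPF and DKIM verdicts. Assumptions: the SPF and DKIM verification results are passed in rather than recomputed (no signatures are actually verified), the organizational domain is approximated by the last two labels instead of the Public Suffix List, and the domains, DMARC records and messages are all constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample DMARC records for the example domain (not real DNS data).
DMARC_RELAXED = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"
DMARC_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"


def organizational_domain(domain: str) -> str:
    """Assumed simplification: the last two labels. Real verifiers consult the
    Public Suffix List, so this is wrong for suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict (s) requires an exact match,
    relaxed (r) requires the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    if mode == "r":
        return organizational_domain(a) == organizational_domain(f)
    raise ValueError(f"unknown alignment mode {mode!r}")


def parse_dmarc_record(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dkim_signing_domain(msg: Message):
    """Return the d= tag of the DKIM-Signature header, or None if unsigned."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    match = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", sig)
    return match.group(1) if match else None


def header_from_domain(msg: Message):
    """Domain of the RFC 5322 From address, the one the recipient sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2] or None


def evaluate_dmarc(raw_message: str, dmarc_record: str, spf_result: str,
                   mail_from_domain: str, dkim_result: str) -> dict:
    """DMARC passes if SPF passes AND aligns, or DKIM passes AND aligns.
    spf_result/dkim_result are the receiver's verdicts ('pass'/'fail');
    mail_from_domain is the envelope sender (Return-Path) domain."""
    msg = message_from_string(raw_message)
    tags = parse_dmarc_record(dmarc_record)
    from_dom = header_from_domain(msg)
    d_tag = dkim_signing_domain(msg)
    dkim_ok = (dkim_result == "pass" and d_tag is not None
               and aligned(d_tag, from_dom, tags.get("adkim", "r")))
    spf_ok = (spf_result == "pass"
              and aligned(mail_from_domain, from_dom, tags.get("aspf", "r")))
    verdict = "pass" if (dkim_ok or spf_ok) else "fail"
    return {"from_domain": from_dom, "dkim_domain": d_tag,
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc": verdict,
            "action": "none" if verdict == "pass" else tags.get("p", "none")}


# Constructed sample messages; bh= and b= hold dummy values, not real hashes.
ESP_MAIL = ("From: Example Corp <news@example.com>\nTo: user@recipient.test\n"
            "Subject: Newsletter\n"
            "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.com;"
            " s=esp1; h=from:to:subject; bh=dummy; b=dummy\n\nHello\n")
DIRECT_MAIL = ("From: Alice <alice@example.com>\nTo: user@recipient.test\n"
               "Subject: Hi\n"
               "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=corp;"
               " h=from:to:subject; bh=dummy; b=dummy\n\nHi\n")
SPOOF_MAIL = ("From: CEO <ceo@example.com>\nTo: user@recipient.test\n"
              "Subject: Urgent wire\n"
              "DKIM-Signature: v=1; a=rsa-sha256; d=attacker.test; s=x;"
              " h=from:to:subject; bh=dummy; b=dummy\n\nPay now\n")


def scenario_esp(record: str) -> dict:
    # ESP signs from a subdomain; SPF passes only for the ESP's own bounce domain.
    return evaluate_dmarc(ESP_MAIL, record, "pass", "bounce.esp-provider.net", "pass")


def scenario_forwarded() -> dict:
    # Forwarder's IP breaks SPF but the DKIM signature survives intact.
    return evaluate_dmarc(DIRECT_MAIL, DMARC_RELAXED, "fail", "example.com", "pass")


def scenario_spoof() -> dict:
    # Forged From, but signed with a valid key for a domain the attacker controls.
    return evaluate_dmarc(SPOOF_MAIL, DMARC_RELAXED, "pass", "attacker.test", "pass")


if __name__ == "__main__":
    for name, result in [("esp/relaxed", scenario_esp(DMARC_RELAXED)),
                         ("esp/strict", scenario_esp(DMARC_STRICT)),
                         ("forwarded", scenario_forwarded()),
                         ("spoof", scenario_spoof())]:
        print(f"{name:12} dmarc={result['dmarc']:4} action={result['action']}")
```

Running the four scenarios shows the points made above: the ESP message passes under relaxed alignment purely through DKIM even though SPF is unaligned, the same message fails under strict alignment, forwarded mail with broken SPF still passes on an aligned signature, and the spoofed message fails despite a valid DKIM pass because d=attacker.test does not align with example.com, so p=reject applies.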
Ultimately, DKIM alignment is not just a technicality; it’s a pillar of the DMARC standard. It ensures the integrity of the 'From' address, giving receiving mail servers the confidence they need to enforce your DMARC policy and block malicious emails sent on your behalf. Getting it right is a non-negotiable step toward securing your email channel.