Do SPF and DKIM records need to be aligned for all email service providers?

Key findings

• DMARC requirement: For a DMARC 'pass', only one of SPF or DKIM needs to be aligned with the RFC5322.From domain.
• Best practice: Aligning both SPF and DKIM is considered a strong best practice, offering redundancy and a clearer signal of legitimacy to receiving mail servers.
• ISP enforcement: Major mailbox providers like Google and Yahoo are increasingly tightening their requirements, moving beyond mere recommendations to enforcing authentication and alignment, especially for high-volume senders (e.g., over 5,000 emails per day).
• ESP-specific configuration: Each email service provider (ESP) will have specific instructions for how to configure SPF and DKIM to ensure proper alignment, often involving adding CNAME or TXT records to your DNS.

Key considerations

• Shared vs. dedicated IP: On shared IPs, ESPs often handle the SPF alignment for the envelope sender, but DKIM alignment for your 5322.From domain is critical and usually requires your direct configuration.
• Impact on deliverability: Lack of proper alignment can lead to emails being rejected, sent to spam folders, or negatively impacting your domain's sending reputation.
• Multiple ESPs: If you use multiple ESPs (e.g., Mailchimp, HubSpot, SendGrid), each one requires individual setup for SPF and DKIM, with emphasis on DKIM alignment for your domain.
• Proactive approach: Instead of waiting for compliance thresholds to apply to you, it is advisable to implement full authentication and alignment as soon as possible. Our article on authentication best practices offers more details.
• Mailchimp specific guidance: For Mailchimp users, it is important to follow their email domain authentication instructions carefully to ensure proper setup and alignment.

Key opinions

• Alignment necessity: Many marketers, even those with low sending volumes, are realizing that SPF and DKIM alignment are not optional but essential for modern email deliverability.
• Multiple ESP challenges: Setting up authentication across multiple ESPs like Mailchimp, HubSpot, and SendGrid is a common task that requires individual configuration for each platform.
• DMARC reports: Marketers frequently review DMARC reports to identify authentication failures, but these reports are most useful when both SPF and DKIM are set up correctly and aligned.
• Impact on campaigns: Unauthenticated or misaligned emails directly impact campaign performance, leading to lower open rates and higher bounce rates due to messages landing in spam or being rejected.

Key considerations

• Custom domain authentication: It is crucial to set up custom domain authentication rather than relying on an ESP's shared identity to maximize deliverability and brand integrity. Our guide on setting up SPF and DKIM for email marketing provides a detailed overview.
• Proactive compliance: Waiting for stricter thresholds or deliverability issues before implementing alignment is a risky strategy that can severely harm sender reputation.
• Monitoring: Regularly monitoring Google Postmaster Tools and DMARC reports is essential to verify alignment and troubleshoot any emerging issues.
• Understanding Mail From: Marketers need to understand that the Mail From domain (envelope sender) is critical for SPF alignment, and often differs from the visible From: header.

Key opinions

• DKIM's crucial role: While DMARC requires only one of SPF or DKIM to align, experts often prioritize DKIM alignment, considering it more robust and less prone to issues than SPF, especially when SPF points to shared infrastructure. Read more about why DKIM alignment with the 5322.From domain is important.
• Proactive adoption: Experts urge senders to proactively implement full authentication and alignment, rather than waiting for enforcement thresholds to impact their specific sending volume.
• Enforcement shift: What were once best practices for alignment are now becoming mandatory requirements by major ISPs (internet service providers), signifying a shift towards stricter authentication policies.
• Inbox impact: Emails lacking proper authentication and alignment are increasingly likely to be sent to the spam folder or rejected outright, severely impacting deliverability rates.

Key considerations

• Vendor collaboration: When using ESPs, understand how they handle authentication and work with them to ensure your custom domain is properly aligned for both SPF and DKIM. Our article on considerations for different domains in authentication provides further insight.
• Operational feasibility: While full alignment is ideal, experts acknowledge that it might not always be operationally achievable for all setups, though it remains a target.
• Staying informed: Email authentication standards and mailbox provider requirements are dynamic. Continuously monitoring updates from major providers like Google and Yahoo is vital.
• DMARC thresholds: The public spam thresholds (e.g., 0.3%) are often higher than the actual thresholds that lead to significant deliverability problems, so aim for much lower spam rates.
• Comprehensive setup: For a complete authentication strategy, also consider how SPF, DKIM, and DMARC work together for reliable email delivery.

Key findings

• RFC 7489 (DMARC) requirements: DMARC mandates that either SPF or DKIM (or both) must authenticate and align with the RFC5322.From domain for a message to pass DMARC checks. For more details, consult a simple guide to DMARC, SPF, and DKIM.
• SPF alignment: SPF alignment checks if the domain in the MAIL FROM address (envelope sender) matches the RFC5322.From domain or a subdomain thereof.
• DKIM alignment: DKIM alignment verifies that the domain used to sign the email (the 'd=' tag in the DKIM signature) matches the RFC5322.From domain or a subdomain.
• Strict vs. relaxed: DMARC allows for both 'strict' (exact domain match) and 'relaxed' (subdomain allowed) alignment modes for SPF and DKIM. Strict alignment provides stronger authentication.

Key considerations

• Authentication standards: Mailbox providers are increasingly adhering to authentication standards laid out by RFCs and industry groups like M³AAWG, making alignment essential for deliverability. Refer to our guide on Outlook's new sender requirements.
• Avoiding spoofing: The primary goal of DMARC alignment is to prevent spoofing and phishing attacks by verifying that the displayed sender (From: header) is authorized to send mail from the authenticated domains.
• Reporting: DMARC reports provide valuable data on authentication failures, which often point to misalignment issues that need to be addressed. Understanding and troubleshooting DMARC reports is key.
• ESP configuration: Different ESPs may handle the envelope From address (used for SPF) and the DKIM signing domain in various ways, requiring senders to follow their specific setup instructions to ensure alignment.
• DMARC policy impact: A DMARC policy of p=quarantine or p=reject will only apply to emails that fail alignment, making proper alignment even more critical for enforcing your desired policy.