How to use DKIM to sign emails with different header from domains to comply with DMARC?

Key findings

• DKIM for DMARC alignment: DKIM is highly effective for achieving DMARC alignment when the Header-From domain differs from the Envelope-From (or Return-Path) domain.
• Alignment requirement: For a DMARC pass, either SPF or DKIM must align with the Header-From domain. It is not necessary for both to align, though it can be beneficial.
• DKIM d= tag: The domain specified in the DKIM d= tag within the DKIM signature must match, or be a subdomain of, the Header-From domain for DKIM alignment. This can be either exact or relaxed alignment.
• Multiple DKIM keys: It is permissible and often necessary to have multiple DKIM keys for different sending purposes or third-party email service providers (ESPs). Each key can cover specific domains or subdomains.

Key considerations

• Header-from alignment: Focus your DKIM efforts on aligning with the Header-From domain, as this is the primary domain DMARC uses for authentication checks. For more details on this, see our guide on how to fix DKIM from domain mismatch.
• Transactional vs. marketing emails: If you have different sending setups for transactional and marketing emails, ensure both are correctly authenticated. This often means different DKIM configurations for each, even if they share the same Header-From domain.
• SPF alignment: While DKIM is crucial for Header-From alignment, do not neglect SPF. It provides alignment with the Return-Path domain and remains a vital part of email authentication. Learn more about how SPF, DKIM, and DMARC work together.
• DMARC enforcement: While DMARC can pass with only one aligned identifier (SPF or DKIM), striving for both to align (full alignment) can provide stronger protection against spoofing and improve overall deliverability. Consider our guide on implementing DMARC p=reject safely.

Key opinions

• DKIM as the primary solution: Many marketers view DKIM as the most direct method to achieve DMARC compliance when the visible From domain differs from the sending domain.
• DMARC alignment basics: There's a general understanding that DMARC requires either SPF or DKIM to align with the Header-From domain, not necessarily both.
• Challenges with enforcement: While achieving a DMARC pass is attainable with DKIM, transitioning to stricter DMARC policies like p=quarantine or p=reject can be tricky without full understanding.
• Transactional email concerns: Marketers frequently express specific concerns about transactional emails, as their technical setup often involves different Return-Path domains provided by ESPs.

Key considerations

• DKIM for Header-From: Prioritize setting up DKIM for your Header-From domain, as this is the direct path to DMARC alignment. This is especially important if your Envelope-From domain is different (e.g., from an ESP).
• Understanding DMARC alignment: Educate yourself on how DMARC works with both SPF and DKIM, focusing on the concept that only one (either SPF or DKIM) needs to align for a DMARC pass. Our resource how DMARC works can help clarify this.
• Multiple keys and domains: Be prepared to implement multiple DKIM keys if you use various sending platforms or subdomains. Each platform or subdomain might require its own unique DKIM record to ensure proper authentication across all your email streams. You can read more about setting up DKIM.
• Troubleshooting alignment: If emails fail DMARC, first check DKIM alignment with the Header-From domain. This is a common issue with a straightforward solution.

Key opinions

• DKIM alignment is key: Experts confirm that if the DKIM d= value matches the Header-From domain (or a root domain under relaxed alignment), DMARC alignment will be achieved.
• Single alignment sufficient: DMARC only requires alignment with either SPF or DKIM to pass, not necessarily both simultaneously. One valid alignment is enough.
• Multiple DKIM keys: It is common and acceptable for an ESP to sign emails with both a client-branded DKIM key and a network-level key. Multiple DKIM keys are entirely permissible.
• Building towards full alignment: While a single alignment is sufficient for a DMARC pass, experts suggest that striving for full alignment (both SPF and DKIM aligning) should be a long-term goal for optimal deliverability and security.

Key considerations

• DKIM for Header-From: Ensure that the domain used in your DKIM signature's d= tag matches the domain of your Header-From address. This is the critical step for DMARC alignment via DKIM, even if other domains like the Return-Path differ. Our guide on what is header.i can provide more context.
• Evaluating sending configurations: For complex setups, such as transactional emails sent via a different mail server (like ferozo.com in the example), ensure that the DKIM key aligns with the Header-From domain, even if other domains in the mail path are different. You can read our guide on setting up email authentication for multiple ESPs.
• Proactive monitoring: Regularly monitor your DMARC reports to ensure continuous alignment and identify any potential issues that could lead to deliverability problems or being placed on a blocklist (or blacklist).
• Understanding relaxed vs. strict alignment: Familiarize yourself with the differences between relaxed and strict DMARC alignment. Relaxed alignment allows for subdomain matches, which can be beneficial for managing various email streams. You can refer to Mailgun's explanation on DKIM.

Key findings

• DKIM's role in DMARC: Documentation confirms DKIM is a robust method for authenticating emails and enabling DMARC alignment, especially when the Header-From domain differs from the Envelope-From.
• Domain alignment mechanism: For DKIM to pass DMARC alignment, the domain in the d= tag of the DKIM signature must match or be a valid subdomain of the Header-From domain. This can be configured as strict or relaxed.
• DMARC flexibility: RFCs and guides clarify that a DMARC record will pass if either the SPF or DKIM authentication mechanism successfully aligns with the Header-From domain, providing flexibility for senders with diverse email infrastructures.
• Signature elements: A DKIM signature includes various tags, such as v (version), a (algorithm), c (canonicalization), d (domain), s (selector), h (signed headers), among others, all contributing to the verification process.

Key considerations

• DNS record publishing: To enable DKIM, a public key must be published as a TXT record in your domain's DNS. This record is then used by receiving mail servers to verify the DKIM signature. Learn more about DMARC implementation.
• Selector usage: The DKIM selector (the s= tag) allows you to use multiple DKIM keys for the same domain, which is useful when sending through different systems or for key rotation. See our guide on common DKIM selectors.
• Header signing: Ensure that the From header (and potentially others) is included in the list of signed headers within your DKIM configuration. This guarantees that changes to the From header will invalidate the signature, preventing spoofing.
• Troubleshooting: When issues arise, check the DKIM signature in email headers (e.g., ARC-Authentication-Results) to confirm which domains are being signed and whether the signature is passing. Tools exist to help troubleshoot DKIM implementation issues.