Suped

What is the new "Alignment" line in Gmail's "Show Original" and how does it relate to email authentication?

Summary

The 'Alignment' line in Gmail's 'Show Original' view is a critical indicator of DMARC compliance and email legitimacy. It verifies that the domain displayed in the email's 'From' header (the sender seen by the recipient) precisely matches, or is a subdomain of, the domain used for either SPF or DKIM authentication. This check is central to preventing email spoofing and ensuring that the sender's visible identity is consistent with their authenticated identity. If this alignment fails, even if SPF or DKIM individually pass, DMARC will fail, potentially leading to a warning for the recipient or the application of the sender's DMARC policy. Google has actively worked on refining this display, including addressing issues related to double DKIM signing by Email Service Providers (ESPs), to ensure accurate reporting of sender authenticity.

Key findings

  • Definition of Alignment: Gmail's 'Alignment' line signifies whether the domain in the visible 'From' header matches the domain authenticated by either SPF (via the Return-Path) or DKIM (via the 'd=' tag in the signature).
  • Core to DMARC: This alignment is a fundamental principle of DMARC. For a DMARC 'pass', at least one of these authentication methods (SPF or DKIM) must successfully align its domain with the 'From' domain.
  • Gmail Display: When alignment is successful and DMARC passes, Gmail displays 'DMARC: PASS'. Conversely, a warning message, such as "The 'From' header sender xxx does not match the DKIM domain xxx", is shown if alignment fails, indicating potential spoofing.
  • Google's Fixes: Initial issues with Gmail's alignment warning, particularly concerning double DKIM signing orders, appear to have been resolved by Google, with previously flagged emails now showing as aligned.

Key considerations

  • Alignment Types: Understand the difference between 'Strict' alignment, which requires an exact domain match, and 'Relaxed' alignment, which permits a subdomain match, for both SPF and DKIM.
  • Double DKIM Signing: If using an ESP that double signs emails, be aware of how the signing order might affect Gmail's alignment display. While Google appears to have fixed initial display issues, it's worth monitoring, especially if you observe delivery impacts.
  • DMARC Policy Impact: A failed alignment means DMARC will fail, which can trigger your DMARC policy (p=reject, p=quarantine) and significantly impact inbox placement.
  • IP Addresses are Irrelevant: The IP address used for sending plays no role in Gmail's 'Alignment' check; it solely focuses on domain matching for SPF and DKIM.
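
The alignment check described in these findings, as an added example (not code from Gmail or from the original page): it compares the 'From' domain with every passing SPF and DKIM domain in an Authentication-Results header, in relaxed or strict mode. The sample message, its domain names, and the tiny public-suffix set are constructed assumptions; a real checker would use the full Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List so this runs offline.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

# Constructed sample: an ESP double-signs (its own domain first, then the
# customer's subdomain) and uses its own bounce domain for SPF.
SAMPLE = """\
From: Example Shop <news@example.com>
Return-Path: <bounce@bounces.esp-mail.net>
Authentication-Results: mx.example.org;
 dkim=pass header.d=esp-mail.net header.s=s1;
 dkim=pass header.d=mail.example.com header.s=k1;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@bounces.esp-mail.net
Subject: constructed sample

body
"""

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, strict=False):
    """Strict: exact match. Relaxed: both share one organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

def check_alignment(raw, strict=False):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    ar = " ".join(msg.get_all("Authentication-Results", []))
    # Only passing results count. The IP address in the SPF comment is never read.
    spf = re.findall(r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", ar)
    # Accepts header.d or header.i; every passing signature is considered,
    # so the order of a double signature does not change the result.
    dkim = re.findall(r"dkim=pass\b[^;]*?header\.[di]=(?:[^\s;@]*@)?([^\s;]+)", ar)
    spf_ok = any(aligned(from_domain, d, strict) for d in spf)
    dkim_ok = any(aligned(from_domain, d, strict) for d in dkim)
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_aligned": spf_ok or dkim_ok}
```

Evaluate only the Authentication-Results header added by your own receiving server; a copy supplied by the sender proves nothing. On the sample, relaxed mode aligns through the second DKIM signature only, and strict mode finds no aligned identifier.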

What email marketers say

12 marketer opinions

Gmail's 'Alignment' line, visible in the 'Show Original' view, is a direct reflection of a crucial DMARC check that validates sender identity. It confirms whether the domain displayed in the 'From' header, which recipients see, properly matches the domain authenticated by either SPF (the Return-Path domain) or DKIM (the 'd=' tag within the signature). This verification is paramount for preventing email spoofing and ensuring that the sender's visible brand identity is genuinely linked to their authenticated email infrastructure. A successful alignment leads to a DMARC 'PASS' status, while a mismatch can trigger explicit warnings to the recipient and activate DMARC policies, influencing email deliverability. Google has shown active development in ensuring the accuracy of this alignment display, even for complex setups like double DKIM signing.

Key opinions

  • Sender Identity Validation: Gmail's "Alignment" is a direct DMARC validation that confirms the visible "From" header domain aligns with the authenticated domain from either SPF or DKIM.
  • SPF and DKIM Specifics: For SPF, alignment means the "From" domain matches the "Return-Path" domain. For DKIM, it means the "From" domain corresponds to the "d=" domain in the DKIM signature.
  • Gmail's Visual Cues: Successful alignment results in a "DMARC: PASS" display, whereas failures prompt explicit warnings, such as "The 'From' header sender xxx does not match the DKIM domain xxx," signaling potential spoofing.
  • Google's Continuous Refinement: Google has actively addressed and resolved initial display issues related to alignment, particularly concerning the order of multiple DKIM signatures from Email Service Providers.
  • IP Address Irrelevance: It is important to note that IP addresses do not factor into Gmail's "Alignment" check; the focus is exclusively on domain-to-domain matching.

Key considerations

  • DMARC Policy Enforcement: A failure in alignment means DMARC will not pass, which can directly trigger your DMARC policy, leading to emails being rejected or quarantined and significantly impacting inbox placement.
  • Relaxed vs. Strict Alignment: Understand that alignment can be "Relaxed," allowing subdomain matches, or "Strict," requiring an exact domain match. This distinction impacts how your DMARC policies are applied.
  • Double DKIM Scenarios: While Google has made improvements, some Email Service Providers use double DKIM signing, which historically caused alignment issues depending on the signing order. Continue to monitor if your ESP's setup might affect this.
  • Prioritizing DKIM Alignment: Experts suggest prioritizing aligned DKIM for robust authentication, as it is often favored for DMARC validation.
  • Regular Monitoring for Deliverability: Consistent monitoring of your email's "Alignment" status in Gmail's "Show Original" is crucial to ensure optimal deliverability and DMARC compliance.

Marketer view

Email marketer from Email Geeks explains that Gmail's "Alignment" line specifically refers to the alignment between the domain in your "From" header (what the user sees) and the DKIM domain used to sign the email. He clarifies that IP addresses play no role in this alignment and emphasizes the encouragement of aligned DKIM over SPF.

15 Aug 2023 - Email Geeks

Marketer view

Email marketer from Email Geeks explains that from her observations, if an email fails to meet alignment rules, Gmail now displays a warning message like: "The 'From' header sender xxx does not match the DKIM domain xxx. Exercise caution with this message, as the sender may be attempting to spoof the 'From' header identity". Conversely, successful alignment shows a 'DMARC: PASS' confirmation.

4 May 2022 - Email Geeks

What the experts say

3 expert opinions

The 'Alignment' line in Gmail's 'Show Original' is a key component of DMARC authentication, designed to verify the legitimacy of the sender. It specifically checks that the domain visible in the 'From:' header aligns with the domain used for either SPF (via the Return-Path) or DKIM (via the 'd=' tag). This alignment can be strict or relaxed. A successful alignment leads to a DMARC 'PASS' status in Gmail, while a failure triggers a warning, even if SPF or DKIM individually pass. This mechanism is crucial for preventing domain spoofing and ensuring brand authenticity. Google has also made efforts to refine the display of these warnings, particularly concerning scenarios like double DKIM signing, which should ideally not impact DMARC alignment.

Key opinions

  • DMARC Verification: Gmail's 'Alignment' line explicitly shows the result of a critical DMARC check, confirming if the visible 'From' domain matches the authenticated domain via SPF or DKIM.
  • Specific Alignment Criteria: This alignment mandates that the domain in the 'From' header must correspond to the SPF Return-Path domain or the DKIM 'd=' tag domain for a successful DMARC pass.
  • Failure Consequences: A misalignment, even if SPF or DKIM individually pass, results in a DMARC failure, which can trigger sender policy actions and may indicate a spoofing attempt.
  • Google's Display Enhancements: Google has made continuous improvements to accurately display DMARC alignment status and warnings, including resolving past issues related to multiple DKIM signatures.

Key considerations

  • Beware of Unreliable Advice: Exercise caution with DMARC and deliverability advice from non-expert sources like MXtoolbox, as their recommendations may be based on scare tactics rather than accurate information.
  • Strict vs. Relaxed Modes: Understand how 'Strict' (requiring an exact domain match) and 'Relaxed' (allowing subdomains) alignment modes affect DMARC validation and your domain's authentication results.
  • Double DKIM Considerations: While Google has addressed display issues, the practical implications of an ESP's double DKIM signing, especially the order, should be monitored if deliverability is impacted, though it typically won't affect alignment directly.
  • DMARC Passes on Alignment: A core principle is that DMARC only passes if SPF or DKIM align with the 'From' domain; individual SPF or DKIM passes are insufficient without this alignment.

Expert view

Expert from Email Geeks explains that MXtoolbox recommendations should not be trusted due to their scare tactics. She clarifies that a message passes DMARC if SPF is aligned and that there is no DMARC line visible in the Gmail headers. She further explains that if a DMARC record exists AND DMARC passes, Gmail displays "DMARC pass," even if it's based solely on SPF alignment. Conversely, if there is no DMARC record and DKIM doesn't align, a warning is displayed. She concludes that Google has likely fixed the display of this warning. She also shares insights on double DKIM signing, suggesting ESPs should sign with their key first, then the customer's, but notes signing and display order may be unconnected and advises against changes unless there's a clear delivery impact.

29 Oct 2024 - Email Geeks

Expert view

Expert from Word to the Wise explains that the 'Alignment' line in Gmail's 'Show Original' refers to DMARC alignment. This means the domain in the visible 'From:' header must match the domain that passed either SPF (via the Return-Path) or DKIM (via the 'd=' tag in the signature). If this alignment fails, DMARC will fail, even if SPF or DKIM individually passed, indicating a potential spoofing attempt or configuration error.

12 Jan 2024 - Word to the Wise

What the documentation says

4 technical articles

The 'Alignment' line in Gmail's 'Show Original' view is a critical indicator that reflects a core principle of DMARC-based email authentication. It verifies that the domain presented in the visible 'From' header of an email precisely matches, or is a subdomain of, the domain used for either SPF or DKIM authentication. This crucial check ensures that the sender's identity seen by recipients is genuinely linked to their authenticated email infrastructure, serving as a powerful safeguard against spoofing and impersonation. For DMARC to successfully pass, this alignment must be achieved, meaning that simply passing SPF or DKIM individually is not enough; their authenticated domains must correspond with the sender's visible domain.

Key findings

  • Visible Sender Verification: The 'Alignment' line in Gmail's 'Show Original' verifies that the domain in the email's visible 'From' header corresponds to the domain authenticated by either SPF or DKIM.
  • DMARC's Central Principle: This alignment is a core requirement for DMARC. For DMARC to pass, the 'From' domain must align with the domain used for SPF authentication (Return-Path) or DKIM authentication ('d=' tag).
  • Ensuring Identity Consistency: Its primary function is to guarantee that the sender's identity, as perceived by the recipient, is consistent with the identity validated by the underlying email authentication protocols.
  • Anti-Spoofing Measure: By linking the visible 'From' domain to the authenticated domains, 'Alignment' provides a crucial layer of defense against email spoofing and fraudulent messages.

Key considerations

  • Impact on DMARC: The 'Alignment' status directly determines whether your DMARC policy will be applied. If alignment fails, DMARC also fails, which can lead to emails being rejected or quarantined.
  • Strict vs. Relaxed Modes: It's important to differentiate between 'Strict' alignment, requiring an exact domain match, and 'Relaxed' alignment, which permits a subdomain match. Both are valid for DMARC.
  • Holistic Authentication: Merely passing SPF or DKIM individually is insufficient for DMARC. The key is that at least one of these authentication methods must align its domain with the visible 'From' header domain.
  • Preventing Impersonation: This alignment check is a fundamental defense against impersonation and spoofing, ensuring that the sender's visible identity matches their verified authentication.

Technical article

Documentation from Google Workspace Admin Help explains that the 'Alignment' line in Gmail's 'Show Original' view indicates whether the domain in the 'From' header (the visible sender) aligns with the domain authenticated by SPF or DKIM. For DMARC to pass, either the SPF-authenticated domain or the DKIM-authenticated domain must exactly match the 'From' domain (strict alignment) or be a subdomain of it (relaxed alignment).

6 Jan 2022 - Google Workspace Admin Help

Technical article

Documentation from dmarc.io shares that the 'Alignment' principle, visible in Gmail's 'Show Original', is central to DMARC. It requires that the domain used in either SPF or DKIM authentication must match the organizational domain found in the email's 'From:' header. This ensures that the sender's identity, as seen by the recipient, is consistent with the identity verified by the authentication protocols, preventing spoofing.

18 Mar 2024 - dmarc.io
