DMARC Alignment: Relaxed vs Strict Alignment Modes

Blog

DMARC alignment is the process of aligning (or matching) domains under various sections of your email header during authentication checks.

by Maitham Al Lawati

Reading Time: 8 min
DMARC Alignment: Relaxed vs Strict Alignment Modes
Table Of Contents

Enabling DMARC (Domain-based Message Authentication Reporting and Conformance) puts in place a series of verification checkmarks to determine whether an email is originating from the claimant source. DMARC offers incredible flexibility in terms of policies and alignment modes that can be configured by the domain owner, to mold the level of security they want to achieve.

DMARC identifier alignment affirms that the domain name appended to various parts of an email message aligns correctly, indicating that the email is legitimate and not likely to be part of phishing or spoofing attempts.

Key Takeaways

  1. DMARC authentication provides a robust framework to verify the legitimacy of an email source.
  2. Alignment of SPF and DKIM identifiers is essential for achieving DMARC compliance and safeguarding against spoofing.
  3. Choosing between relaxed and strict DMARC alignment depends on your organization’s email practices and security goals.
  4. Forwarding emails can complicate DMARC alignment, often leading to authentication failures if not properly managed.
  5. Monitoring and adjusting your DMARC settings can significantly improve email deliverability and reduce the risk of fraud.

What is DMARC Alignment?

DMARC alignment is the process of aligning (or matching) domains under various sections of your email header during authentication checks. DMARC aligns for your email if the message passes either or both SPF and DKIM identifier alignments.

To ensure that your emails are legitimate and protected against a range of email fraud attacks that include phishing, spoofing, ransomware, and more.

spf dkim

The DMARC authentication protocol checks for DMARC identifier alignment to establish whether an email domain is potentially spoofed. When your email is being validated, DMARC checks 3 identifiers:

  • The From header
  • The Return-Path address
  • The domain name in the DKIM signature

If the identifiers for either SPF or DKIM authentication identifiers are aligned, the email achieves DMARC alignment and passes DMARC authentication, and is safely delivered to the user’s inbox.

Simplify Security with PowerDMARC!

Start 15-day trial Book a demo

How does DMARC Alignment work?

spf dkim header

To understand DMARC alignment we need to understand how it works. When you implement DMARC, you tie the results of SPF and DKIM to authenticate all emails coming from your domain. For any given email, DMARC uses what’s known as the ‘central identity’, which is the domain found in the From header. This is considered the domain of origin for your email and will have your organization’s domain name in it.

When an email from your domain reaches the receiving server, SPF checks its Return Path and DKIM validates the encrypted signature. Both of these checks take place separately on two different domains. DMARC takes the authentication result of each and checks if the domain used in either SPF or DKIM matches the From domain (the central identity). If either is true, DMARC alignment is achieved.

However, there’s just one small issue. Anyone, including criminals, can buy a domain and implement SPF and DKIM. So theoretically, it should be possible for someone to send an email with your organization’s domain in the From: address (the central identity) and have their own domain’s Return Path to pass SPF authentication. Users usually only see the From: address and not the Return Path, so they won’t even know that there’s a discrepancy between the two.

The Role of SPF and DKIM Identifier Alignment

Your authentication identifier alignment signifies whether or not your email sender is authorized to send the email on behalf of your domain. This can be determined by checking the email’s authenticity against SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail). Aligned emails ultimately pass sender verification checks, which can be used as a base example by receiving mail servers to demarcate malicious or unauthorized emails and filter them out. 

At PowerDMARC, we take it one step further by aligning your messages against both SPF and DKIM identifiers to help you reach 100% DMARC compliance for your emails while at p=reject policy. This helps you witness visible improvements in your email’s deliverability, and observe marked differences in your spam and bounce rates in just a few weeks with adequate monitoring and assistance from our dedicated technical support team. 

What factors may affect SPF and DKIM identifier alignment? 

  • Your third-party vendors email clients and email service providers may introduce complications and fail alignments
  • Your forwarded messages may fail alignment  

What is the solution?

PowerDMARC helps you correctly and accurately align all your third-party vendors and easily modify and update your records on the portal as you add more services and vendors, to make sure your legitimate email has the highest probability of reaching your clients. 

PowerDMARC helps you configure SPF, DKIM, and ARC along with DMARC to tackle those tricky email forwarding scenarios where intermediary servers may make modifications to your emails – leading to unwanted authentication failures. 

PowerDMARC’s intuitive interface helps you easily upgrade your policy record to maximum enforcement which ensures that your domain is adequately protected against email spoofing and phishing attacks. 

DMARC Alignment Types: Strict vs Relaxed Identifier Alignments 

DMARC identifier alignment can be of two types based on the level of severity and precision with which you want to conduct your authentication checks. Here’s what they are: 

1. DMARC Relaxed Alignment

SPF and DKIM alignment specifically have 2 kinds: relaxed and strict. If relaxed alignment is configured for both, this essentially means that you have implemented relaxed alignment for your overall DMARC implementation.

For both SPF and DKIM, in a relaxed alignment mode, even if the domain in the Mail From command and the domains in the Return-path header or bounce email address (for SPF) and DKIM signature (for DKIM) headers are an organizational match – DMARC alignment is a match. Subsequently, in this scenario, even subdomains will be aligned against DMARC.

The email should pass DMARC authentication on the email receiver’s side if the header domain aligns with either of the alignment requirements.

DMARC relaxed alignment example

v=DMARC1; p=reject; rua=mailto: [email protected]; aspf=r; adkim=r

Alignment settings decoded: The DMARC tags “aspf” and “adkim” are the respective alignment tags to define the mode of your choice, and “r” stands for relaxed.

2. DMARC Strict Alignment

If the domain owners enable strict alignment for both SPF and DKIM, this essentially means that you have implemented a strict mode for your overall DMARC implementation.

For both protocols, in a strict alignment mode, only if the domain in the From header and the domains in the Return-path (for SPF) and DKIM signature (for DKIM) headers are an exact match – DMARC alignment check is a match. Therefore, in this scenario, subdomains will not be aligned against DMARC.

DMARC strict alignment with examples

v=DMARC1; p=reject; rua=mailto: [email protected]; aspf=s; adkim=s

Alignment settings decoded: The DMARC tags “aspf” and “adkim” are the respective alignment mode tags to define the mode of your choice, and “s” stands for the alignment goal, which is strict.

Which DMARC Alignment Mode is Better?

The choice between relaxed and strict DMARC alignment modes depends on your organization’s email authentication protocol policies, your tolerance for false positives, and your overall security goals.

The Relaxed mode offers more flexibility and is less likely to produce false positives. It can be useful when you have multiple email systems or services sending emails on behalf of your domain, and they may use different subdomains. However, it is also less strict and may allow some emails with minor discrepancies to pass, potentially leaving room for spoofing or phishing attempts.

The Strict model enforces a stricter alignment policy, ensuring that the exact domain in the “From” header matches the domains specified in SPF and DKIM. While this provides stronger protection against spoofing and phishing, it can be less forgiving if your email infrastructure uses different subdomains for legitimate purposes. Implementing strict alignment may require careful configuration and monitoring to avoid blocking legitimate emails.

How to Monitor Emails on Strict DMARC Alignment?

PowerDMARC helps you monitor your emails while on a strict DMARC alignment policy with the help of our DMARC analyzer tool. We help you track your email-sending sources, check for alignment failures, and optimize your authentication configuration directly from our dashboard.

Contact us today to get started!

How to Check DMARC Alignment for Emails?

To verify DMARC alignment for your email messages, you can sign up on the PowerDMARC portal and follow the steps below: 

  • Go to Reporting in the main menu 
  • Click on DMARC Aggregate Reports and expand the drop down list
  • Select Per result from the list
  • Monitor your sending sources on a per result basis to view DMARC compliance and alignment details for every individual result

When DMARC Alignment Passes 

DMARC alignment will pass for the email if either DKIM or/and SPF identifier alignment passes, 

Why DMARC Alignment Fails 

DMARC alignment failure occurs when neither DKIM nor SPF identifiers align for the email. This typically happens when the domain in the Mail From header matches neither the domain in the return-path header nor the domain in the DKIM signature header. 

What is a Return-Path Domain? 

A return-path domain, also known as the bounce address or Envelope From domain is the domain that will receive your undelivered or bounced messages. In situations where an email is sent back or fails to get delivered, the hidden header field contains the Envelope From domain to which the email is returned. Even if you as a domain owner deploy third-party services to route your email messages, the email can be traced back to the parent domain using the bounce address. This is a clear demarcation between messages sent by bad actors and an actual sender who has good intentions.  

SPF domain SPF alignment during a DMARC check is determined by the domain in the return-path address. 

What is a DKIM Signature Domain?

A DKIM signature domain is the domain name used during the creation of DKIM signatures for your messages, i.e. the signing domain. When the DKIM domain alignment validation is in process during a DMARC check, the sender verifies whether the DKIM signature domain is in alignment with the From domain. DMARC alignment will pass on a relaxed DKIM mode if the organizational domain is a match. On a strict DKIM mode, DMARC alignment passes only if there is an exact domain match established. 

How Email Forwarding Affects DMARC Alignment

Forwarding email servers and email discussion lists introduces complications in the path of DMARC alignment by rewriting the “header from” address to the address of the forwarding server, as well as including new elements in the message body and content. These cause SPF alignment and DKIM alignment failures due to the Mail From domain identity not matching the rewritten bounce address and altered message content. 

How to Monitor Alignment Failures?

To monitor alignment you can enable aggregate reports and forensic reporting (failure reporting), which will help you monitor and meet your alignment goals, and fix deliverability issues faster.

Latest posts by Maitham Al Lawati (see all)
Web Security 101 – Best Practices and SolutionsWeb Security 101 - Best Practices and SolutionsGoogle ARCGoogle Includes ARC in 2024 Email Sender Guidelines