What is DMARC Alignment?
SPF and DKIM validate email from any registered domain. DMARC alignment is what ties authentication to your domain.
To understand DMARC alignment, we first need to understand how DMARC works. When you implement DMARC, you tie the results of SPF and DKIM to authenticate all emails coming from your domain. For any given email, DMARC uses what’s known as the ‘central identity’, which is the domain found in the From: header. This is considered the domain of origin for your email, and will have your organization’s domain name in it.
When an email from your domain reaches the receiving server, SPF checks its Return Path and DKIM validates the cryptographic signature. These checks take place separately, on two different domains. DMARC takes the authentication result of each and checks whether the domain used in either SPF or DKIM matches the From: domain (the central identity). If either is true, DMARC alignment is achieved.
However, there’s just one small issue. Anyone, including criminals, can buy a domain and implement SPF and DKIM. So theoretically, it should be possible for someone to send an email with your organization’s domain in the From: address (the central identity) and have their own domain’s Return Path so as to pass SPF authentication. Users usually only see the From: address and not the Return Path, so they won’t even know that there’s a discrepancy between the two.
This is where DMARC alignment comes in. When your email is being validated, DMARC checks 3 identifiers:
If the identifiers for either SPF or DKIM are aligned, the email achieves DMARC alignment, passes DMARC authentication, and is safely delivered to the user’s inbox.
There are 2 kinds of SPF and DKIM alignment:
Strict alignment requires that the domains in the From: header and the Return Path/"d=" DKIM field be a 100% match.
Relaxed alignment is more, well, relaxed in its requirements. Even subdomains are allowed, as long as they’re under the same organizational domain (the From: domain).
DMARC alignment specifically addresses the limitations of SPF by ensuring that the From: and Return Path domains match, preventing attackers from trying to use different domains for each.
It also solves the loophole that can be used to exploit DKIM by requiring that the From: header also matches the domain given in the DKIM signature, removing the chances of someone forwarding the email with additional header fields.
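The alignment decision described above can be sketched in a few lines of Python. This is an added example, not code from the original page: the function names and sample domains are constructed, `aspf`/`adkim` mirror the DMARC record tags that select relaxed (`r`) or strict (`s`) mode, and the organizational domain is derived from a tiny constructed suffix set where a real receiver would use the full Public Suffix List.

```python
# Added example: DMARC identifier alignment (illustrative, not the page's code).
# Assumption: PUBLIC_SUFFIXES is a constructed sample; real receivers
# consult the full Public Suffix List to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(domain):
    """Return the public suffix plus one label (the organizational domain)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no suffix matches


def aligned(from_domain, auth_domain, mode="r"):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_aligned(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf and dkim are (passed, domain) results of the separate checks.

    Alignment needs at least one mechanism that both passed and used a
    domain aligned with the From: domain (the central identity).
    """
    spf_ok = spf[0] and aligned(from_domain, spf[1], aspf)
    dkim_ok = dkim[0] and aligned(from_domain, dkim[1], adkim)
    return spf_ok or dkim_ok


if __name__ == "__main__":
    # Constructed cases: (From: domain, SPF result, DKIM result, aspf, adkim)
    cases = [
        # Sender passes SPF and DKIM on its own domain, spoofs the From:
        ("example.com", (True, "example.net"), (True, "example.net"), "r", "r"),
        # Subdomain Return Path: aligned in relaxed mode only
        ("example.com", (True, "bounce.example.com"), (False, ""), "r", "r"),
        ("example.com", (True, "bounce.example.com"), (False, ""), "s", "s"),
        # Third-party Return Path, but DKIM d= matches the From: exactly
        ("example.com", (True, "example.net"), (True, "example.com"), "s", "s"),
    ]
    for c in cases:
        print(c[0], c[1], c[2], c[3], c[4], "->", dmarc_aligned(*c))
```

The first case is the scenario from the text: SPF and DKIM both pass for the sender's own domain, yet the message is not aligned because neither domain matches the From: domain.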