DMARC Alignment: Strict Vs. Relaxed Alignment Modes
Enabling DMARC puts in place a series of verification checkmarks to determine whether an email is originating from the claimant source. DMARC offers incredible flexibility in terms of policies and alignment modes that can be configured by the domain owner, to mould the level of security they want to achieve.
DMARC identifier alignment affirms that the domain name appended to various parts of an email message aligns correctly, indicating that the email is legitimate and not likely to be part of phishing or spoofing attempts.
What is DMARC Alignment?
DMARC alignment is the process of aligning (or matching) domains under various sections of your email header during authentication checks to ensure that your emails are legitimate and protected against a range of email fraud attacks that include phishing, spoofing, ransomware, and more.
The DMARC authentication protocol checks for DMARC identifier alignment to establish whether an email domain is potentially spoofed. When your email is being validated, DMARC checks 3 identifiers:
- The From: header
- The Return Path address
- The domain name in the DKIM signature
If the identifiers for either SPF or DKIM are aligned, the email achieves DMARC alignment and passes DMARC authentication, and is safely delivered to the user’s inbox.
How does DMARC Alignment work?
To understand DMARC alignment we need to understand how it works. When you implement DMARC, you tie the results of SPF and DKIM to authenticate all emails coming from your domain. For any given email, DMARC uses what’s known as the ‘central identity’, which is the domain found in the From: header. This is considered the domain of origin for your email, and will have your organization’s domain name in it.
When an email from your domain reaches the receiving server, SPF checks its Return Path and DKIM validates the encrypted signature. Both of these checks take place separately on two different domains. DMARC takes the authentication result of each and checks if the domain used in either SPF or DKIM matches the From: domain (the central identity). If either is true, DMARC alignment is achieved.
However, there’s just one small issue. Anyone, including criminals, can buy a domain and implement SPF and DKIM. So theoretically, it should be possible for someone to send an email with your organization’s domain in the From: address (the central identity) and have their own domain’s Return Path so as to pass SPF authentication. Users usually only see the From: address and not the Return Path, so they won’t even know that there’s a discrepancy between the two.
DMARC Relaxed Alignment: Configuring Top-level Domain Matches
SPF and DKIM alignment specifically have 2 kinds: relaxed and strict. If relaxed alignment is configured for both, this essentially means that you have implemented relaxed alignment for your overall DMARC implementation.
For both SPF and DKIM, in a relaxed setup, even if the domain in the From header and the domains in the Return-path (for SPF) and DKIM signature (for DKIM) headers are an organizational match – DMARC alignment is a match. Subsequently, in this scenario, even subdomains will be aligned against DMARC.
DMARC relaxed alignment example
v=DMARC1; p=reject; rua=mailto:[email protected]; aspf=r; adkim=r
The DMARC tags “aspf” and “adkim” are the respective alignment tags to define the mode of your choice, and “r” stands for relaxed.
DMARC Strict Alignment: Configuring Exact Domain Matches
If the domain owners enable strict alignment for both SPF and DKIM, this essentially means that you have implemented strict alignment for your overall DMARC implementation.
For both protocols, in a strict setup, only if the domain in the From header and the domains in the Return-path (for SPF) and DKIM signature (for DKIM) headers are an exact match – DMARC alignment is a match. Therefore, in this scenario, subdomains will not be aligned against DMARC.
DMARC relaxed alignment example
v=DMARC1; p=reject; rua=mailto:[email protected]; aspf=s; adkim=s
The DMARC tags “aspf” and “adkim” are the respective alignment tags to define the mode of your choice, and “s” stands for strict.
Relaxed Vs Strict: Which DMARC Alignment Mode is Better?
The choice between relaxed and strict DMARC alignment modes depends on your organization’s email authentication policies, your tolerance for false positives, and your overall security goals.
The Relaxed mode offers more flexibility and is less likely to produce false positives. It can be useful when you have multiple email systems or services sending emails on behalf of your domain, and they may use different subdomains. However, it is also less strict and may allow some emails with minor discrepancies to pass, potentially leaving room for spoofing or phishing attempts.
The Strict model enforces a stricter alignment policy, ensuring that the exact domain in the “From” header matches the domains specified in SPF and DKIM. While this provides stronger protection against spoofing and phishing, it can be less forgiving if your email infrastructure uses different subdomains for legitimate purposes. Implementing strict alignment may require careful configuration and monitoring to avoid blocking legitimate emails.
How to Monitor Emails on Strict DMARC Alignment?
PowerDMARC helps you monitor your emails while on a strict DMARC alignment policy with the help of our DMARC analyzer tool. We help you track your email sending sources, check for alignment failures, and optimize your authentication configuration directly from our dashboard.
Contact us today to get started!
- Web Security 101 – Best Practices and Solutions - November 29, 2023
- What is Email Encryption and What are its Various Types? - November 29, 2023
- What is MTA-STS? Setup the Right MTA STS Policy - November 25, 2023
