An RFC 5322 alignment error occurs when the domain in the “From:” header (visible to users) doesn’t match the DKIM d= domain (in the signature). DMARC requires that the domain in the “From:” header aligns with the domain authenticated by either SPF or DKIM.
DKIM helps check if an email was manipulated in transit. For DMARC purposes, DKIM also authenticates the identity of the domain claiming to send the email (via d=). DMARC checks if the “From:” address in an email message matches the domains authenticated by SPF and DKIM.
Key Takeaways
- An RFC 5322 alignment error occurs when the domain in the “From:” header doesn’t match the domain specified in the DKIM signature (d= tag).
- DKIM domain alignment is necessary to pass DMARC if SPF alignment fails or is absent.
- The two alignment modes in DMARC are strict and relaxed.
- The use of email marketing tools and email forwarding can cause RFC 5322 DKIM alignment mismatch.
- Always match DKIM and “From:” domains, set the relevant alignment mode, maintain the original “From:” header, and add subdomain DKIM keys.
What is RFC 5322?
RFC 5322 defines the syntax for Internet email headers, including the “From:” header. DKIM and DMARC rely on these headers for authentication. SPF, on the other hand, checks the envelope sender (MAIL FROM) as per RFC 5321. RFC 5322 was published in October 2008, and it is now a standard for formatting email headers and bodies.
If there were no alignment requirements, attackers could have simply used valid SPF or DKIM records from one domain while spoofing the “From:” address of another. With the alignment requirement in place, the job of the hackers becomes much more challenging: if the domains do not align, DMARC authentication will fail, and the email will either be sent to spam or get rejected outright.
What is DKIM Domain Alignment?
To best understand what DKIM domain alignment is, it would be useful to first understand how DKIM functions.
What DKIM Is and How It Works
DKIM (DomainKeys Identified Mail) is an email authentication protocol that enables an individual or an organization to take responsibility for the transmission of an email. It adds a digital signature that mailbox providers can check to ensure the email hasn’t been manipulated in transit.
When sending an email, the sending domain signs outgoing messages with a private key. Then, the receiving server checks the signature with the help of a public key that is published in the domain’s DNS.
The “d=” tag, a key component of the DKIM signature, specifies the domain that is responsible for signing the message. This domain is included in the DKIM-Signature header and is used by receiving servers to look up the public key for verification.
The difference between relaxed and strict alignment modes in DMARC
DMARC alignment helps ensure that the domain in the “From:” header matches the domain authenticated by SPF or DKIM. There are two alignment modes in DMARC: relaxed or strict.
- Relaxed Alignment: The domain in the “From:” header only needs to match the organizational domain used in SPF or DKIM authentication. This is a more ‘forgiving’ and flexible mode, and it’s especially useful when using subdomains or third-party email services.
- Strict Alignment: In the case of strict alignment mode, the domain in the “From:” header needs to exactly match the domain used in SPF or DKIM authentication.
Alignment Mode | From: Header Example | DKIM d= Example | DMARC Result |
---|---|---|---|
Strict | [email protected] | d=example.com | ✅ Pass |
Strict | [email protected] | d=example.com | ❌ Fail |
Relaxed | [email protected] | d=example.com | ✅ Pass |
Relaxed | [email protected] | d=mail.example.com | ✅ Pass (same organizational domain, based on Public Suffix List) |
Why DKIM and RFC 5322 Alignment Matters
The main aim of the DKIM and RFC 5322 alignment requirement is to prevent unauthorized use of your domain in the visible “From:” header.
Core Issue: DMARC’s Alignment Requirement
DMARC requires that the domain in the email’s “From:” header at least partially align with the domain specified in the DKIM signature’s “d=” field. In strict alignment, the domains must match exactly. In relaxed alignment, they should at least share the same organizational domain.
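The strict and relaxed comparison described above, as an added Python example (not PowerDMARC's code). The sample message is constructed and `PUBLIC_SUFFIXES` is a small stand-in for the real Public Suffix List; the check covers alignment only and does not verify the signature itself.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List; load the full list in real use.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

# Constructed sample: subdomain in From:, parent domain in d=.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\r\n"
    " h=from:subject; bh=AAAA=; b=BBBB=\r\n"
    "From: News <news@mail.example.com>\r\n"
    "Subject: constructed sample\r\n\r\nbody\r\n"
)

def organizational_domain(domain):
    """Public suffix plus one label, e.g. mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # first hit is the longest matching suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels

def dkim_d_domains(msg):
    """Collect the d= tag from every DKIM-Signature header (a message may carry several)."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        for part in sig.split(";"):
            tag, _, value = part.partition("=")
            if tag.strip().lower() == "d":
                domains.append(value.strip().lower())
    return domains

def dkim_aligned(from_domain, d_domain, adkim="r"):
    """adkim=s requires an exact match; adkim=r compares organizational domains."""
    if adkim == "s":
        return from_domain.lower() == d_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(d_domain)

def check_message(raw, adkim="r"):
    """Map each signing domain to whether it aligns with the RFC 5322 From: domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {d: dkim_aligned(from_domain, d, adkim) for d in dkim_d_domains(msg)}

if __name__ == "__main__":
    for mode in ("r", "s"):
        print(mode, check_message(SAMPLE, mode))
```

DMARC passes on DKIM only when an aligned signature also verifies, so a `True` here is necessary but not sufficient.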
Common Mismatch Scenarios
Here are some of the most common mismatch scenarios:
Use of Marketing Tools
Marketing tools often send emails from addresses such as [email protected] but sign them with a DKIM “d=example.com” domain. In such a situation, if DKIM alignment is set to strict (adkim=s), the DKIM alignment check is likely to fail.
Email Forwarding
While forwarding usually affects SPF more than DKIM, DKIM can also fail during forwarding, but only if the message is modified (e.g., by mailing lists). Note that the “From:” header is rarely changed by forwarders.
Here is an example of misalignment:
- From: [email protected] (RFC 5322 header)
- DKIM-Signature: d=example.com (misaligned domain and DMARC fails)
Common Causes of Alignment Issues
Some of the most common causes of alignment failures include:
Third-Party Service Usage
When you send emails via third-party external providers that do not properly configure domain alignment, you are likely to experience DKIM domain RFC 5322 alignment failure.
DKIM Record Misconfiguration
When your DKIM records or selectors are set up incorrectly, a misalignment is likely to occur. Even a minor error in the setup can lead to major failures impacting your email deliverability.
Domain Inconsistencies
When you use different domains in the DKIM signature and the “From:” header, you can expect an RFC 5322 From header mismatch. Whether the domain inconsistency is due to an oversight or misconfiguration, or is an intentional part of your setup, a mismatch and subsequent problems are quite likely.
How to Diagnose RFC 5322 Alignment Failures
Here are two quick steps to help you diagnose the RFC 5322 alignment problem.
- First, carefully review your DMARC reports for entries with the reason “dkim alignment failed.”
- Next, you can use email authentication tools such as a DKIM checker or the dig command to verify your DNS records. This will help you confirm that DKIM signatures are properly published and match your sending domain.
How to Fix DKIM-RFC 5322 Misalignment
Here are some easy-to-implement steps to fix the DKIM-RFC 5322 misalignment.
1. Match DKIM and From Domains
Always ensure the DKIM signature uses the same domain as the “From:” header. This is best for emails sent directly from your domain.
2. Set Alignment Mode
Ensure you set the alignment mode that best suits your preferences and needs. Use adkim=s for strict alignment (when an exact match is required) or adkim=r for relaxed alignment (to also allow subdomains) in your DMARC policy.
3. Add Subdomain DKIM Keys
If you use subdomains in your ‘From:’ address, ensure DKIM is configured to sign messages using that exact subdomain or adjust your DMARC alignment mode accordingly.
4. Preserve the Initial “From:” Header
You should configure your email services to preserve the original “From:” domain in the message header. There may be times during email forwarding where intermediaries may unintentionally modify the “From:” header or other parts of the message, potentially breaking DKIM alignment and causing DMARC failures. Maintaining the original “From:” header helps preserve domain alignment, and when combined with ARC (Authenticated Received Chain), it can provide additional authentication context to help the recipient server evaluate the message’s legitimacy despite intermediary changes.
5. Test and Validate
Testing and validating is an often overlooked yet key step in the process. There are many freely accessible tools that you can use to check domain alignment and DKIM setup. Using such tools will help you ensure that DMARC authentication passes and your message is delivered to the intended recipient.
Pro Tips
Here are additional tips for error-free alignment.
SPF + DKIM Alignment
DMARC compares the domain in the RFC 5322.From header against domains authenticated by SPF (MAIL FROM) and DKIM (d=).
Avoid Third-Party Tools Breaking Headers
Try not to use third-party email service providers (ESPs) that break or alter headers. You can test ESPs for compliance before you move to full deployment. This will help you avoid delivery issues while also ensuring compliance.
Summing Up
An RFC 5322 alignment error may arise in various situations, particularly when using email marketing tools or engaging in email forwarding. Some of the most common causes include the use of third-party services, misconfiguration of DKIM records, and domain inconsistencies.
You can easily diagnose RFC 5322 alignment failures with a DMARC report analyzer, helping you quickly detect and identify authentication issues through visual, human-readable DMARC data.
PowerDMARC can help you start your journey toward error-free email authentication and prevent alignment failures. To get started, take your 15-day free trial today!