SPF Alignment

Having a thorough understanding of alignment is important for any DMARC project, regardless of email volume, program complexity or the number of third-party sources sending email on your behalf. The good news is that there isn’t much to learn.

While DMARC provides domain owners with both visibility and overarching control over how their domain is being used, alignment is achieved on a much more granular level.

Alignment helps prove that the domain owner has taken responsibility for the message and authorized the email source to send on their behalf. This is accomplished by publishing explicit entries into DNS, as provided by the email source doing the actual sending. When considering that access to DNS is heavily guarded, these are tasks that can only be carried out by the true domain owner. As such, keep the following in mind:

    • Emails that are aligned are DMARC compliant and pass DMARC. 
    • Emails that fail alignment do not pass DMARC. 

For an email to align, the domain seen by humans in the From header (e.g., hello@dmarcian.com) must match either of the domains used to pass SPF or DKIM. 


Specifically for SPF alignment, the domain used in the From address must match the domain used to pass SPF.  

    • It’s important to know that SPF checks are done against the domain found in the Return-Path header, not the domain found in the From address.  
        • The industry never came to an agreement on what to call this value, so you may have heard it referred to as either the bounce domain, envelope-domain, MailFrom domain or RFC 5321 domain. We even call it by a few things too!
    • The Return-Path header is an element in the message itself, much like the subject line, cc/bcc recipients, etc.  
        • Simply adding IP addresses or include statements to your SPF record may not be sufficient. You likely need to complete a configuration step with each email source sending on your behalf so that it stops using its own default Return-Path domain and starts using yours. At onboarding, email sources have usually made this configuration optional because it was perceived as a roadblock for less technical users; more and more, however, sources are making it a requirement, especially in light of Yahoo and Google’s intention to enforce email standards and best practices in early 2024.
    • Where supported, we recommend the use of a subdomain. Subdomains help isolate the reputation of that particular mail stream and help you avoid some of the inherent limitations associated with SPF (e.g., the 10-lookup maximum, bounce processing, etc.).
    • Each email source will have some variation on the instructions they provide. Some will provide individual IP addresses to add to your DNS, whereas others will provide an include statement. Both of these options work just fine.
    • Whereas the dmarcian application provides some general guidance on how to configure SPF for each email source (see Source Capabilities), you should follow the instructions provided by the vendor.
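The rule above (From domain must match the Return-Path domain that passed SPF) is easy to check mechanically. The following is an added example, not dmarcian's code; it assumes SPF has already passed for the Return-Path domain, uses a constructed stand-in for the Public Suffix List, and shows why a vendor's default bounce domain fails while your own subdomain passes in relaxed mode.

```python
"""Added example: SPF alignment check in DMARC relaxed and strict modes."""
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; a real check must use the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable (organizational) domain, e.g. bounce.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def header_domain(value: str) -> str:
    """Domain part of the address in a header such as From: or Return-Path:."""
    _, addr = parseaddr(value)
    return addr.rpartition("@")[2].lower()


def spf_aligned(from_domain: str, mailfrom_domain: str, mode: str = "relaxed") -> bool:
    """Relaxed: organizational domains match. Strict: exact match. Empty domain never aligns."""
    if not from_domain or not mailfrom_domain:
        return False
    if mode == "strict":
        return from_domain == mailfrom_domain
    return organizational_domain(from_domain) == organizational_domain(mailfrom_domain)


def check_message(raw: str, mode: str = "relaxed") -> bool:
    """Evaluate SPF alignment from the From: and Return-Path: headers of a raw message."""
    msg = message_from_string(raw)
    return spf_aligned(header_domain(msg["From"]), header_domain(msg.get("Return-Path", "")), mode)


# Constructed sample messages (headers only); example.com is a placeholder domain.
OWN_SUBDOMAIN = "From: Hello <hello@example.com>\nReturn-Path: <b@bounce.example.com>\n\nhi\n"
VENDOR_DEFAULT = "From: Hello <hello@example.com>\nReturn-Path: <b@bounces.vendor-mail.net>\n\nhi\n"
NO_RETURN_PATH = "From: Hello <hello@example.com>\n\nhi\n"

if __name__ == "__main__":
    for name, raw in [("own subdomain", OWN_SUBDOMAIN), ("vendor default", VENDOR_DEFAULT)]:
        print(name, "relaxed:", check_message(raw), "strict:", check_message(raw, "strict"))
```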

Though SPF and DKIM are more widely deployed technologies than DMARC, hopefully after reading this guide you’ll understand that neither SPF nor DKIM, on its own, has anything to do with the visible From address. This misinterpretation is why phishing, spoofing, Shadow IT and other forms of domain abuse run rampant today.

There are very few controls that prohibit bad actors from sending an email as you. The primary control to observe and restrict domain usage is DMARC.
