DKIM Alignment

Having a thorough understanding of alignment is important for any DMARC project, regardless of email volume, program complexity or third-party sources sending email on your behalf. The good news is that there isn’t much to learn.

While DMARC provides domain owners with both visibility and overarching control over how their domain is being used, alignment is achieved on a much more granular level.

Alignment helps prove that the domain owner has taken responsibility for the message and authorized the email source to send on their behalf. This is accomplished by publishing explicit entries in DNS, as provided by the email source doing the actual sending. Because access to DNS is heavily guarded, these are tasks that can only be carried out by the true domain owner. As such, keep the following in mind:

    • Emails that are aligned are DMARC compliant and pass DMARC. 
    • Emails that fail alignment do not pass DMARC. 

For an email to align, the domain seen by humans in the From header (e.g., hello@dmarcian.com) must match the domain used to pass SPF or the domain used to pass DKIM.

Specifically for DKIM alignment, the domain used in the From address must match the domain used to pass DKIM.  

    • It’s important to know that DKIM checks are done against the domain found in the d= portion of the signature and not the domain found in the From address. d= stands for “domain.”
    • It’s not uncommon for there to be multiple DKIM signatures. So long as one of them uses the same domain as seen in the From address, your messages should be aligned.
    • Though DMARC requires that only SPF or DKIM align, we recommend a DKIM-first approach. DKIM tends to be an easier technology to adopt and also survives forwarding/relaying.
    • Each email source will have some variation on the instructions they provide. Some will provide a TXT record to add to your DNS, whereas others will provide a CNAME record.  Both of these options work just fine.
    • Whereas the dmarcian application provides some general guidance on how to configure DKIM for each email source (see Source Capabilities), you should follow the instructions provided by the vendor.
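
The DKIM alignment check described above, as an added example (not dmarcian's code): it reads the `dkim=pass` results a receiving server records in the Authentication-Results header and compares each passing `d=` domain with the From domain. It assumes an exact-match comparison (DMARC's relaxed mode, which compares organizational domains, is not implemented); the host names, domains and messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

RECEIVER = "mx.receiver.example"  # assumed authserv-id of our own inbound MTA

def from_domain(msg):
    """Domain of the visible From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def passing_dkim_domains(msg, authserv_id=RECEIVER):
    """d= domains of signatures that our own receiver recorded as dkim=pass."""
    domains = set()
    for header in msg.get_all("Authentication-Results", []):
        ident, _, results = " ".join(str(header).split()).partition(";")
        if ident.strip().lower() != authserv_id:
            continue  # not stamped by our MTA, so the sender could have written it
        for result in results.split(";"):
            d = re.search(r"\bheader\.d=([^\s;]+)", result, re.I)
            if d and re.match(r"\s*dkim=pass\b", result, re.I):
                domains.add(d.group(1).lower().rstrip("."))
    return domains

def dkim_aligned(msg, authserv_id=RECEIVER):
    """True if any passing signature's d= equals the From domain (exact match)."""
    domain = from_domain(msg)
    return bool(domain) and domain in passing_dkim_domains(msg, authserv_id)

def build(from_addr, *auth_results):
    """Assemble a constructed sample message from header values."""
    lines = [f"Authentication-Results: {r}" for r in auth_results]
    lines += [f"From: {from_addr}", "Subject: constructed sample", "", "body"]
    return message_from_string("\n".join(lines))

SENDER = "Hello <hello@brand.example>"
# Vendor signs twice: once with its own domain, once with the brand's domain.
both = build(SENDER, f"{RECEIVER}; dkim=pass header.d=esp-mail.example header.s=s1;\n"
                     " dkim=pass header.d=brand.example header.s=k2")
# DKIM passes, but only for the vendor's domain: authenticated yet not aligned.
esp_only = build(SENDER, f"{RECEIVER}; dkim=pass header.d=esp-mail.example")
# A pass claim stamped by some other host is ignored; ours recorded a failure.
untrusted = build(SENDER, "mx.unknown.example; dkim=pass header.d=brand.example",
                  f"{RECEIVER}; dkim=fail header.d=brand.example")

if __name__ == "__main__":
    for name, msg in [("both", both), ("esp_only", esp_only), ("untrusted", untrusted)]:
        print(name, from_domain(msg), sorted(passing_dkim_domains(msg)), dkim_aligned(msg))
```

The `esp_only` case is the one most often seen when onboarding a new email source: DKIM passes, but only for the vendor's own domain, so the message is authenticated without being aligned.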

Though SPF and DKIM are more common technologies than DMARC, hopefully after reading this guide you’ll understand that neither SPF nor DKIM, on its own, has anything to do with the visible From address. This misinterpretation is why phishing, spoofing, Shadow IT and other forms of domain abuse run rampant today.

There are very few controls that prohibit bad actors from sending an email as you. The primary control to observe and restrict domain usage is DMARC.