Understanding DMARC Alignment
DMARC alignment is the requirement that the email's From domain must align with either the SPF or DKIM authentication domain. Without alignment, an email could pass SPF or DKIM but still be spoofed. Alignment is the critical piece that connects technical authentication to policy enforcement.
The Alignment Problem
Without Alignment
Consider what could happen without DMARC alignment:
Email From: [email protected]
SPF passes for: mail.google.com
DKIM passes for: mail.google.com
But:
- Email appears to come from example.com (From domain)
- Actually authenticated for google.com (SPF/DKIM domain)
- These domains don't match!
Without alignment requirement:
- Spoofed email with "[email protected]" in the From header, but sent through Google's server
- Technical authentication passes (google.com authenticated)
- But From domain (example.com) not authenticated
- DMARC without alignment: Wouldn't catch this spoofing
With DMARC alignment:
- From domain (example.com) must match authenticated domain
- Fails alignment check
- DMARC policy applied (reject/quarantine)
How DMARC Alignment Works
SPF Alignment
SPF alignment compares the From domain with the domain SPF actually authenticated (the envelope-from / MAIL FROM domain):
Email From: [email protected]
SPF authenticated server: mail.google.com
SPF domain result: google.com (envelope-from domain whose SPF record authorized the server)
From domain: example.com
For alignment:
- Strict: Must match exactly (example.com = example.com)
- Relaxed: Organizational domains must match (example.com is the parent of mail.example.com)
Alignment modes:
Strict alignment (aspf=s):
From: example.com
SPF result: example.com
✓ Aligned (exact match)
From: example.com
SPF result: mail.example.com
✗ Not aligned (subdomain doesn't match)
Relaxed alignment (aspf=r, default):
From: example.com
SPF result: example.com
✓ Aligned
From: example.com
SPF result: mail.example.com
✓ Aligned (subdomain of example.com)
DKIM Alignment
DKIM alignment checks:
Email From: [email protected]
DKIM signature: [email protected]
DKIM domain (d= parameter): example.com
From domain: example.com
For alignment:
- Strict: Must match exactly
- Relaxed: Can match parent domain
Alignment modes:
Strict alignment (adkim=s):
From: example.com
DKIM d=: example.com
✓ Aligned
From: example.com
DKIM d=: mail.example.com
✗ Not aligned (subdomain doesn't match exactly)
Relaxed alignment (adkim=r, default):
From: example.com
DKIM d=: example.com
✓ Aligned
From: example.com
DKIM d=: mail.example.com
✓ Aligned (same parent domain)
DMARC Alignment Requirements
Passing DMARC
An email passes DMARC if at least one of the following holds:
✓ SPF passes AND the envelope-from domain is aligned with the From domain, OR
✓ DKIM passes AND the signing domain (d=) is aligned with the From domain
If neither holds, DMARC fails and the published policy is applied:
p=reject → non-aligned mail rejected
p=quarantine → non-aligned mail quarantined (spam folder)
p=none → all mail delivered normally, reports only
Full DMARC Flow
Email received
↓
Check SPF:
├─ Pass: Check alignment with From domain
│ ├─ Aligned (strict or relaxed): ✓ SPF pass
│ └─ Not aligned: ✗ SPF fail
└─ Fail: ✗ SPF fail
Check DKIM:
├─ Pass: Check alignment with From domain
│ ├─ Aligned (strict or relaxed): ✓ DKIM pass
│ └─ Not aligned: ✗ DKIM fail
└─ Fail: ✗ DKIM fail
DMARC check:
├─ SPF pass AND aligned: ✓ DMARC pass
├─ DKIM pass AND aligned: ✓ DMARC pass
├─ Both fail or misaligned: ✗ DMARC fail
└─ Apply policy (reject/quarantine/none)
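The flow above as an added example (not code from the original article): a small Python DMARC evaluator that parses the record's alignment tags, checks strict versus relaxed alignment, and returns the disposition. It assumes the organizational domain is the last two DNS labels; real verifiers consult the Public Suffix List.

```python
# Added example, not from the original article: minimal DMARC evaluator for
# SPF/DKIM identifier alignment plus the resulting disposition.
# Simplification: organizational domain = last two DNS labels; real verifiers
# use the Public Suffix List so that e.g. example.co.uk is handled correctly.

def parse_dmarc_record(txt):
    """Parse a _dmarc TXT record into a tag dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain):
    """Organizational domain (simplified: last two labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition).
    spf_domain is the envelope-from (MAIL FROM) domain SPF checked;
    dkim_domain is the d= tag of a signature that verified."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"          # DMARC pass: policy not applied
    return False, tags["p"]          # DMARC fail: apply published policy

if __name__ == "__main__":
    relaxed = "v=DMARC1; p=reject; adkim=r; aspf=r"
    strict = "v=DMARC1; p=reject; adkim=s; aspf=s"
    # Own mail server authenticating as mail.example.com (article's Example 2)
    print(evaluate_dmarc(strict, "example.com", "pass", "mail.example.com",
                         "pass", "mail.example.com"))   # (False, 'reject')
    print(evaluate_dmarc(relaxed, "example.com", "pass", "mail.example.com",
                         "pass", "mail.example.com"))   # (True, 'none')
    # Third-party service authenticating as its own domain (article's Example 3)
    print(evaluate_dmarc("v=DMARC1; p=quarantine", "example.com", "pass",
                         "zendesk.com", "pass", "zendesk.com"))  # (False, 'quarantine')
```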
Real-World Alignment Examples
Example 1: Perfect Alignment
Setup:
Domain: example.com
SPF record: v=spf1 include:sendgrid.net ~all
DKIM: selector._domainkey.example.com
DMARC: _dmarc.example.com TXT "v=DMARC1; p=reject; adkim=r; aspf=r"
Email sent from SendGrid:
From: [email protected] (From domain: example.com)
Envelope-from: [email protected] (SPF domain: example.com)
DKIM-Signature: d=example.com (DKIM domain: example.com)
SPF result: pass (envelope-from example.com ← From example.com)
Alignment: ✓ Aligned (exact match)
DKIM result: pass (example.com ← example.com)
Alignment: ✓ Aligned (exact match)
DMARC: ✓ PASS (either SPF or DKIM aligned)
Example 2: Subdomain Misalignment
Setup:
Domain: example.com
Mail server: mail.example.com (has its own DKIM key)
SPF: v=spf1 a:mail.example.com ~all
DMARC: v=DMARC1; p=reject; adkim=s; aspf=s (strict alignment)
Email from mail.example.com:
From: [email protected] (From domain: example.com)
DKIM signature: d=mail.example.com (DKIM domain: mail.example.com)
DKIM result: pass
Alignment check (strict): mail.example.com ≠ example.com
✗ Not aligned (strict requires exact match)
With relaxed (adkim=r):
✓ Aligned (mail.example.com is subdomain of example.com)
Example 3: Third-Party Service
Setup:
Domain: example.com
Using Zendesk for support email
DMARC: p=quarantine; adkim=r; aspf=r
Email from Zendesk:
From: [email protected] (appears to be from you)
SPF result: pass (zendesk.com)
DKIM signature: d=zendesk.com
SPF alignment: example.com ≠ zendesk.com (different organizational domains, so relaxed mode doesn't help)
✗ Not aligned
DKIM alignment: example.com ≠ zendesk.com
✗ Not aligned
DMARC: ✗ FAIL (neither SPF nor DKIM aligned)
Applied policy: p=quarantine → Email goes to spam
Issue: Service sending as your domain but can't authenticate as your domain
Solution:
Option 1: Have service use subdomain ([email protected])
Option 2: Change the From: address to one in zendesk.com
Option 3: Have service sign with your DKIM key (if supported; typically by publishing the service's selector under _domainkey.example.com, often via CNAME, so it signs with d=example.com)
Why Alignment Matters
Without Alignment Requirement
Attackers could still spoof:
Email From: [email protected]
SPF passes for: attacker.com
DKIM passes for: attacker.com
Email appears from your boss
Technical auth passes (attacker.com authenticated)
User thinks it's from boss, not attacker.com
DMARC without alignment: Couldn't catch this
Result: Spoofing still possible!
With Alignment Requirement
Same email:
From: [email protected]
SPF domain: attacker.com
DKIM domain: attacker.com
Alignment check:
From domain (example.com) ≠ SPF domain (attacker.com)
From domain (example.com) ≠ DKIM domain (attacker.com)
DMARC result: ✗ FAIL (no aligned auth)
Applied policy: Rejected (p=reject)
Email never reaches inbox - spoofing prevented!
Configuring Alignment
DMARC Alignment Tags
_dmarc.example.com TXT: "v=DMARC1; adkim=r; aspf=r; p=reject"
adkim  # DKIM alignment mode (r=relaxed, s=strict); default r
aspf   # SPF alignment mode (r=relaxed, s=strict); default r
p      # Policy (none/quarantine/reject); required
Choosing Strict vs. Relaxed
Use Relaxed (r) if:
- Different mail servers/subdomains sending
- Using third-party email services with your domain
- Need flexibility but still strong authentication
From: [email protected]
DKIM d=mail.example.com
✓ Relaxed: Accepted (subdomain aligned)
✗ Strict: Rejected (exact match required)
Use Strict (s) if:
- Only specific systems send from domain
- Want maximum spoofing protection
- Can control all sending infrastructure
From: [email protected]
DKIM d=mail.example.com
✗ Strict: mail.example.com must match exactly
Recommended:
- Start with: adkim=r; aspf=r; (relaxed) - Monitor for failures
- Gradually move to: adkim=s; aspf=s; as infrastructure aligns
Common Alignment Issues
Issue 1: Third-Party Service Not Aligned
Problem:
Using service that sends as your domain
But service doesn't have your DKIM key, so it signs with d=<service domain>
Service can't align DKIM
SPF alignment also fails, because the envelope-from is the service's domain
Solutions:
- Best: Have service sign with your DKIM key
- Good: Have service use subdomain ([email protected])
- Acceptable: Use relaxed alignment, monitor reports
Issue 2: Multiple Mail Servers
Problem:
Mail server 1: mail1.example.com (DKIM d=example.com)
Mail server 2: mail2.example.com (DKIM d=mail2.example.com)
Mail2 DKIM won't align strictly
Solutions:
- Use same DKIM domain for all (d=example.com for both)
- Use relaxed alignment
- Consolidate to one mail server
Issue 3: Subdomain Sending as Parent
Problem:
Newsletter: newsletters.example.com
Sending From: [email protected] (parent domain)
Solutions:
- Option 1: Send From [email protected] or [email protected]
- Option 2: Have the newsletter system use an example.com envelope-from so SPF aligns with the parent domain
- Option 3: Use DKIM from parent domain
Alignment Modes Comparison
| Scenario | Relaxed (r) | Strict (s) |
|---|---|---|
| From: [email protected], SPF: example.com | ✓ | ✓ |
| From: [email protected], SPF: mail.example.com | ✓ | ✗ |
| From: [email protected], SPF: other.com | ✗ | ✗ |
Best Practices
1. Start with Relaxed Alignment
adkim=r;
aspf=r;
p=none; # Monitor only, no enforcement
2. Monitor Alignment Reports
Review DMARC reports for alignment failures:
- Identify legitimate failures
- Fix alignment issues
- Note any suspicious patterns
3. Gradually Increase Strictness
Week 1-2: p=none; adkim=r; aspf=r
Week 3-4: p=quarantine; adkim=r; aspf=r
Week 5-6: p=reject; adkim=r; aspf=r
Week 7+: p=reject; adkim=s; aspf=s (if possible)
4. Ensure All Senders Align
- Configure all mail services with your domain's DKIM
- Verify SPF includes all legitimate senders
- Test alignment before enforcement
Testing Alignment
Manual Test
# Send test email
# Check headers for:
# Authentication-Results: example.com; dmarc=pass (or fail)
# Use MXToolbox DMARC checker
# Shows alignment status
Automated Monitoring
# Parse DMARC aggregate reports
# Check alignment statistics
# Alert on failures
Conclusion
DMARC alignment is the bridge between email authentication (SPF/DKIM) and spoofing prevention. By requiring that the From domain align with either SPF or DKIM authentication domain, DMARC prevents sophisticated spoofing attacks that would pass basic SPF or DKIM checks.
Understanding alignment modes (relaxed vs. strict) and properly configuring them ensures you protect against spoofing while maintaining compatibility with legitimate sending services. Proper alignment configuration is essential for effective DMARC deployment and maximum email security.
Start with relaxed alignment, monitor, and gradually increase strictness as your infrastructure aligns properly with your authentication mechanisms.
