What is DKIM Alignment?

DKIM alignment helps domain owners verify the sending domain's authority over a message. It works by comparing two domains associated with the email (the DKIM signature is added to the message headers during signing). The relationship between these two domains reveals whether the signing is tied to the domain the recipient sees:

1. The From: header domain (the RFC5322.From domain)
2. The domain in the d= tag of the DKIM-Signature header (the DKIM signing domain)

DKIM alignment modes (set in your DMARC record)

1. Relaxed (adkim=r): an organizational-domain match between the DKIM signing domain and the From: domain is enough for DKIM alignment to pass; an exact match is not required.
2. Strict (adkim=s): an exact match between the DKIM signing domain and the From: domain is required for DKIM alignment to pass.

Note that adkim is a tag in your DMARC record, published in DNS, not something that appears in the DKIM-Signature header of the message.

Example 1: DKIM alignment passes

The signing domain (domain.com) in the DKIM-Signature exactly matches the From: domain. DKIM alignment passes.

Example 2: DKIM alignment fails

The signing domain (xyz.org) does not match the From: domain (domain.com). DKIM alignment fails.

Example 3: passing under relaxed alignment

DMARC record (published in DNS):

Message:

Here, the signing domain (domain.com) matches the organizational domain of the From: address (marketing.domain.com reduces to domain.com). Because the DMARC record sets adkim=r (relaxed),an organizational match is enough, so DKIM alignment passes.

Note: with adkim=s (strict),this same message would fail alignment, because strict mode requires the signing domain and the From: domain to match exactly, and a subdomain is not an exact match.