
DMARC Identifier Alignment

  • To understand DMARC alignment, we first need to understand how DMARC works. When you implement DMARC, you tie the results of SPF and DKIM together to authenticate all emails sent from your domain. For any given email, DMARC uses what's known as the 'central identity': the domain found in the From: header. This is treated as the domain of origin for the email and carries your organization's domain name.

  • When an email from your domain reaches the receiving server, SPF checks its Return Path domain and DKIM verifies the cryptographic signature. These two checks are performed independently, and each may involve a different domain. DMARC takes the authentication result of each and checks whether the domain used by SPF or by DKIM matches the From: domain (the central identity). If either does, DMARC alignment is achieved.

  • However, there's one small issue. Anyone, including criminals, can buy a domain and set up SPF and DKIM for it. So in theory, someone could send an email with your organization's domain in the From: address (the central identity) while using their own domain in the Return Path, so that the message passes SPF authentication. Users usually only see the From: address and not the Return Path, so they won't even notice that there is a discrepancy between the two.
 
This is where DMARC alignment comes in. When your email is being validated, DMARC checks 3 identifiers:

  • The From: header
  • The Return Path address
  • The domain name in the DKIM signature

If the identifiers for either SPF or DKIM are aligned with the From: domain, the email achieves DMARC alignment, passes DMARC authentication, and is safely delivered to the user's inbox.

DMARC alignment comes in 2 modes, configured separately for SPF and DKIM:

  • Strict alignment
  • Relaxed alignment
 

Strict alignment requires that the domain in the From: header and the domain in the Return Path (for SPF) or in the DKIM "d=" field (for DKIM) be an exact, 100% match.

Relaxed alignment is more, well, relaxed in its requirements. Subdomains are also allowed, as long as they fall under the same organizational domain as the From: domain.

DMARC alignment specifically addresses a limitation of SPF by requiring that the From: and Return Path domains match, which prevents attackers from using a different domain for each.

It also closes the loophole that can be used to exploit DKIM by requiring that the From: header also match the domain given in the DKIM signature's "d=" field, removing the chance that someone forwards the email with additional header fields and still passes.
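The alignment logic described on this page (the three identifiers, plus the strict and relaxed modes), as an added example written for this edit rather than code from the course. It assumes the RFC 7489 tag names "aspf" and "adkim" with values "s"/"r", and it approximates the organizational domain as the last two labels of a name, which is a simplification; a real implementation must consult the Public Suffix List.

```python
# Added example (not from the course): a minimal DMARC identifier-alignment
# check in the strict ("s") and relaxed ("r") modes described above.
# Assumption: organizational domain ~= last two labels; production code
# must use the Public Suffix List instead of this shortcut.
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    """Approximate the organizational domain (assumption: last two labels)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Does auth_domain (Return Path or DKIM d=) align with the From: domain?
    "s" (strict) requires an exact match; "r" (relaxed) accepts any name
    under the same organizational domain."""
    f, a = from_domain.lower().strip("."), auth_domain.lower().strip(".")
    if mode == "s":
        return f == a
    if mode == "r":
        return org_domain(f) == org_domain(a)
    raise ValueError(f"unknown alignment mode {mode!r}")

@dataclass
class AuthResults:
    from_domain: str   # domain of the From: header (the central identity)
    spf_domain: str    # domain SPF evaluated (Return Path / MAIL FROM)
    spf_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature that verified
    dkim_pass: bool

def dmarc_passes(r: AuthResults, aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes if SPF or DKIM both authenticated AND aligned with From:.
    aspf/adkim mirror the DMARC record's alignment tags (default relaxed)."""
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, aspf)
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, adkim)
    return spf_ok or dkim_ok

# Constructed sample: the sender's own Return Path passes SPF, but it does
# not align with the spoofed From: domain, so DMARC fails regardless of mode.
SPOOF = AuthResults("example.com", "attacker.test", True, "attacker.test", True)
# Constructed sample: mail from a subdomain, bounces on another subdomain,
# signed with the parent domain's DKIM key. Passes only in relaxed mode.
SUBDOMAIN = AuthResults("news.example.com", "bounce.example.com", True,
                        "example.com", True)

if __name__ == "__main__":
    print(dmarc_passes(SPOOF))                # False
    print(dmarc_passes(SUBDOMAIN, "s", "s"))  # False: nothing matches exactly
    print(dmarc_passes(SUBDOMAIN, "s", "r"))  # True: DKIM aligns under relaxed
```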

Advanced Email Authentication Course