
DMARC Identifier Alignment

  • To understand DMARC alignment, we first need to understand how DMARC itself works. When you implement DMARC, you tie the results of SPF and DKIM to the domain your recipients actually see. For any given email, DMARC focuses on the domain found in the From: header, which RFC 9989 calls the Author Domain. This is the domain of origin for your mail and carries your organization's name.

 

  • When an email from your domain reaches the receiving server, SPF checks the Return-Path (envelope) domain and DKIM validates the message's cryptographic signature. These two checks operate on their own domains, independently of the From: header. DMARC takes each result and checks whether the domain that passed SPF or DKIM matches the Author Domain (the From: domain). If at least one of them matches, DMARC alignment is achieved.

 

  • There is a catch, though. Anyone, including an attacker, can register a domain and set up SPF and DKIM for it. So in principle someone could send a message with your organization's domain in the From: address while using their own domain in the Return-Path, letting the message pass SPF on that unrelated domain. Recipients usually see only the From: address and not the Return-Path, so they would not notice the discrepancy.
 

This is exactly what DMARC alignment addresses. During validation, DMARC looks at three identifiers:

  • The From: header (the Author Domain)
  • The Return-Path domain (used by SPF)
  • The signing domain in the DKIM signature (the d= value)

If the identifier behind a passing SPF or DKIM check aligns with the Author Domain, the message achieves DMARC alignment, passes DMARC, and can be delivered normally.

SPF and DKIM alignment each come in two kinds:

  • Strict alignment
  • Relaxed alignment

Strict alignment requires the relevant domain (the SPF Return-Path domain, or the DKIM d= domain) to match the From: domain exactly.

Relaxed alignment is, as the name suggests, more lenient. A subdomain is accepted as long as it shares the same organizational domain as the From: address.
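The strict and relaxed checks described above, as an added example that is not part of the original course material. The function names, the small suffix set, and the sample messages are assumptions made for illustration; a real receiver derives the organizational domain from a complete public suffix source.

```python
# Constructed stand-in for a public suffix list (assumption): a real evaluator
# derives the organizational domain from the full list or from DNS.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain = longest known public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i = 0 tests the longest candidate first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)               # unknown suffix: compare the full name

def aligned(auth_domain, from_domain, mode):
    """Strict: exact match. Relaxed: same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "strict":
        return a == f
    return org_domain(a) == org_domain(f)

def dmarc_aligned(msg, spf_mode="relaxed", dkim_mode="relaxed"):
    """True if a passing SPF or DKIM identifier aligns with the From: domain."""
    spf_ok = msg["spf_pass"] and aligned(msg["return_path"], msg["from"], spf_mode)
    dkim_ok = msg["dkim_pass"] and aligned(msg["dkim_d"], msg["from"], dkim_mode)
    return spf_ok or dkim_ok

# Constructed messages (domains are illustrative, not from the course page).
LEGIT = {"from": "example.com", "return_path": "bounce.example.com",
         "spf_pass": True, "dkim_d": "mail.example.com", "dkim_pass": True}
# The case described above: SPF and DKIM both pass, but on an unrelated domain.
SPOOF = {"from": "example.com", "return_path": "example.net",
         "spf_pass": True, "dkim_d": "example.net", "dkim_pass": True}

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("spoof", SPOOF)):
        for mode in ("relaxed", "strict"):
            print(name, mode, dmarc_aligned(msg, mode, mode))
```

The legitimate message aligns only in relaxed mode because both of its authenticated identifiers are subdomains of the From: domain; under strict mode the sender would have to sign or bounce with the exact From: domain.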

In short, DMARC alignment closes the gap that SPF and DKIM leave open on their own. By requiring that the SPF-passing or DKIM-signing domain actually correspond to the From: domain, it stops an attacker from passing authentication on some unrelated domain while still displaying your domain to the recipient. This is the core protection DMARC adds on top of SPF and DKIM.
