DKIM Domain Alignment Failures
An RFC 5322 alignment error occurs when the domain in the “From:” header (visible to users) doesn’t match the DKIM d= domain (in the signature). DMARC requires that the domain in the “From:” header aligns with the domain authenticated by either SPF or DKIM.
What is RFC 5322?
RFC 5322 defines the syntax for Internet email headers, including the “From:” header. DKIM and DMARC rely on these headers for authentication. SPF, on the other hand, checks the envelope sender (MAIL FROM) as per RFC 5321. RFC 5322 was published in October 2008, and it is now a standard for formatting email headers and bodies.
If there were no alignment requirements, attackers could have simply used valid SPF or DKIM records from one domain while spoofing the “From:” address of another. With the alignment requirement in place, the job of the hackers becomes much more challenging: if the domains do not align, DMARC authentication will fail, and the email will either be sent to spam or get rejected outright.
Why DKIM and RFC 5322 Alignment Matters
The main aim of the DKIM and RFC 5322 alignment requirement is to prevent unauthorized use of a domain in the visible “From:” address.
Core Issue: DMARC’s Alignment Requirement
DMARC requires that the domain in the email’s “From:” header at least partially align with the domain specified in the DKIM signature’s “d=” field. In strict alignment, the domains must match exactly. In relaxed alignment, they must at least share the same organizational domain.
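The strict and relaxed comparisons described above can be written out as follows. This is an added example, not code from the original page; the sample message, its addresses and the four-entry suffix set are constructed, and a real check needs the full Public Suffix List plus cryptographic verification of the signature.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; production code needs the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed sample message; the bh= and b= values are placeholders, not a real signature.
SAMPLE = "\n".join([
    "From: Newsletter <news@mail.example.com>",
    "DKIM-Signature: v=1; a=rsa-sha256; s=sel1;",
    " d=example.com; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
    "Subject: constructed sample",
    "",
    "body",
])

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: assume it is one label long

def dkim_d_domains(msg):
    """Return the d= tag of every DKIM-Signature header in the message."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        for part in value.split(";"):  # tag=value pairs; folding whitespace is stripped
            tag, _, val = part.partition("=")
            if tag.strip() == "d" and val.strip():
                found.append(val.strip().lower())
    return found

def dkim_aligned(raw_message, adkim="r"):
    """Alignment only: assumes the signatures were already verified cryptographically."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not from_domain:
        return False
    for d in dkim_d_domains(msg):
        if adkim == "s" and d == from_domain:  # strict: exact match
            return True
        if adkim == "r" and org_domain(d) == org_domain(from_domain):  # relaxed
            return True
    return False
```

With the constructed sample, the subdomain sender signed as `example.com` aligns under `adkim=r` and fails under `adkim=s`.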
Common Mismatch Scenarios
Here are some of the most common mismatch scenarios:
Use of Marketing Tools
Marketing tools often send emails from addresses such as [email protected] but sign them with a DKIM “d=example.com” domain. In that case, if DKIM alignment is set to strict (adkim=s), the DKIM alignment check is likely to fail.
Email Forwarding
While forwarding usually affects SPF more than DKIM, DKIM can also fail during forwarding, but only if the message is modified (e.g., by mailing lists). Note that the “From:” header is rarely changed by forwarders.
Here is an example of misalignment:
- From: [email protected] (RFC 5322 header)
- DKIM-Signature: d=example.com (misaligned domain and DMARC fails)
Common Causes of Alignment Issues
Some of the most common causes of alignment failures include:
Third-Party Service Usage
When you send emails via third-party external providers that do not properly configure domain alignment, you are likely to experience DKIM domain RFC 5322 alignment failure.
DKIM Record Misconfiguration
When your DKIM records or selectors are set up incorrectly, a misalignment is likely to occur. Even a minor error in the setup can lead to major failures impacting your email deliverability.
Domain Inconsistencies
When you use different domains in the DKIM signature and the “From:” header, you should expect an RFC 5322 From header mismatch. Whether the inconsistency comes from an oversight or misconfiguration or is an intentional part of your setup, a mismatch and the problems that follow are quite likely.
How to Diagnose RFC 5322 Alignment Failures
Here are two quick steps to help you diagnose the RFC 5322 alignment problem.
- First, carefully review your DMARC reports for entries with the reason “dkim alignment failed.”
- Next, you can use email authentication tools such as a DKIM checker or the dig command to verify your DNS records. This will help you confirm that DKIM signatures are properly published and match your sending domain.
How to Fix DKIM-RFC 5322 Misalignment
Here are some easy-to-implement steps to fix the DKIM-RFC 5322 misalignment.
1. Match DKIM and From Domains
Always ensure the DKIM signature uses the same domain as the “From:” header. This is best for emails sent directly from your domain.
2. Set Alignment Mode
Set the alignment mode that best suits your needs. In your DMARC policy, use adkim=s for strict alignment (an exact match is required) or adkim=r for relaxed alignment (subdomains are also allowed).
3. Add Subdomain DKIM Keys
If you use subdomains in your ‘From:’ address, ensure DKIM is configured to sign messages using that exact subdomain or adjust your DMARC alignment mode accordingly.
4. Preserve the Initial “From:” Header
You should configure your email services to preserve the original “From:” domain in the message header. During email forwarding, intermediaries may unintentionally modify the “From:” header or other parts of the message, potentially breaking DKIM alignment and causing DMARC failures. Maintaining the original “From:” header helps preserve domain alignment, and when combined with ARC (Authenticated Received Chain), it can provide additional authentication context to help the recipient server evaluate the message’s legitimacy despite intermediary changes.
5. Test and Validate
Testing and validating is an often overlooked yet key step in the process. There are many freely accessible tools that you can use to check domain alignment and DKIM setup. Using such tools will help you ensure that DMARC authentication passes and your message is delivered to the intended recipient.