What is DMARC Alignment

When implementing DMARC, you will hear the phrase ‘DMARC Identifier Alignment’ a lot, but what exactly does it mean?

It is the relation between the return path domain and the FROM HEADER of an email. Since SPF and DKIM authenticate only the return path domain and ignore the FROM HEADER, DMARC addresses this with its alignment mechanism. This may sound a little complicated so let's take a closer look and break it down

As we know, anyone can spoof any domain very easily. However, DMARC alignment adds a layer of assurance where the FROM HEADER will be cross referenced and matched to both SPF’s return path and the DKIM’s domain tag.

alt text

The DMARC Alignment mechanism will look for SPF alignment and DKIM domain tag in the email header rather than searching directly for “DMARC Alignment”. You can manually do this yourself by opening up your email header and cross checking the FROM HEADER with SPF’s return path and the DKIM’s domain tag

  • Checking the FROM HEADER with the return-path
  • Checking the FROM HEADER with the embedded key attributes within your DKIM signature.

alt text

DMARC comes with alignment modes (Strict and Relaxed) for both SPF and DKIM. When strict mode is opted for, both originating domain as well as the FROM header domain must be identical. Relaxed alignment however, is much more suitable if subdomains are used to send emails, where only the top level domains should be identical.