This post provides an in-depth look at SPF and DKIM alignment with examples. It also discusses DMARC reports and their types to help define aligned DMARC policies and the modes you can specify for DMARC alignment, including strict or relaxed.
DMARC alignment is necessary to authenticate the email senders of your domain. A DMARC reporting solution can help monitor email senders for efficient email administration. DMARC is a powerful tool for organizations and service providers against phishing, email spoofing, impersonation, fraud, and other cybercrimes. Let us explain what DMARC is before we define DMARC alignment.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) provides reports containing essential and sensitive details about all activity on an email domain. In addition, creating a DMARC entry in the domain’s Domain Name System (DNS) provides insightful information on the various sources sending emails on your domain’s behalf.
DMARC reports are of two types, including:
- Aggregate DMARC reports: A DMARC aggregate report, or RUA, is a general report that provides insight into the domain's traffic or usage. Aggregate reports give information on email authentication results and their sources, i.e., the domain used by the sender, the IP (Internet Protocol) address, and the volume of emails sent within a specified time. They are received daily and include SPF and DKIM alignment results.
- Forensic DMARC reports: A forensic DMARC report, or RUF, is a complete outline of an email’s activity and provides information such as the IP address, subject, time, SPF and DKIM alignment results, URLs (Uniform Resource Locators), email delivery result, and more. Forensic reports are generated every time an email fails the SPF and DKIM alignments, and they are more extensive than their aggregate counterparts.
A DMARC report acts as a line of defense. It verifies the integrity and consistency of all email sources by evaluating their domains and header domains (such as the sender’s address). DMARC reports are a great tool against email spoofing and are recommended by security professionals to avoid phishing, malicious actors, and more.
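As an added example (not from the original post), the script below reads an aggregate report and lists, per source IP, the mail volume and whether the mail was DMARC aligned. The sample XML is constructed in the RFC 7489 aggregate-report layout, and the IP addresses and receiver name are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>mydomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results><dkim><domain>mydomain.com</domain><result>pass</result></dkim>
      <spf><domain>mydomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results><dkim><domain>espdom.com</domain><result>pass</result></dkim>
      <spf><domain>espdom.com</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize(xml_text):
    """Return {source_ip: {"count", "dmarc_pass", "auth_domains"}} per sending source."""
    root = ET.fromstring(xml_text)  # reports are untrusted input: use a hardened parser in production
    out = defaultdict(lambda: {"count": 0, "dmarc_pass": True, "auth_domains": set()})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        ev = rec.find("row/policy_evaluated")
        entry = out[ip]
        entry["count"] += int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the aligned results; DMARC passes if either one is "pass".
        ok = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        entry["dmarc_pass"] = entry["dmarc_pass"] and ok
        for mech in ("dkim", "spf"):
            for a in rec.iterfind(f"auth_results/{mech}"):
                entry["auth_domains"].add((mech, a.findtext("domain"), a.findtext("result")))
    return dict(out)

def unaligned_sources(xml_text):
    """Source IPs whose mail failed DMARC alignment, highest volume first."""
    s = summarize(xml_text)
    return sorted((ip for ip, e in s.items() if not e["dmarc_pass"]), key=lambda ip: -s[ip]["count"])

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_RUA).items():
        print(ip, e["count"], "aligned" if e["dmarc_pass"] else "NOT aligned", sorted(e["auth_domains"]))
```

The second record shows the case to look for: SPF and DKIM both pass for espdom.com, yet neither aligns with the mydomain.com "From" domain, so the source is reported as unaligned.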
DMARC Alignment Defined
Alignment is checked to authenticate the sender’s address in the “From” header and so verify the actual sender.
In simple terms, alignment refers to the full or partial matching of domains, as required by the alignment settings in the defined DMARC policy. This is better explained with the different types of DMARC alignment.
Types of DMARC alignment
There are two types of DMARC alignment, namely:
- SPF Alignment: SPF stands for Sender Policy Framework, and SPF alignment is the matching of two headers in an email. For SPF alignment to be successful and the email sender’s identity to be verified, the domain in the “From” header must match the domain in the “Return-Path” header. If both DNS domains are the same, SPF matches, i.e., aligns, and produces a pass result.
- DKIM Alignment: DKIM stands for DomainKeys Identified Mail, and DKIM alignment refers to the matching of the domain specified in an email’s “From” header with the DKIM-Signature. The DKIM signature contains a “d=” value where the domain is specified for matching with the “From” header domain. DKIM alignment differs from SPF alignment in that it validates whether the sender is authorized to send mail from the domain and verifies that no content has been changed during email transit.
DMARC Alignment Examples
Let us look at examples to provide a clearer picture of what DMARC alignment means.
- DKIM Alignment Example: Suppose you are using mydomain.com to send mail through espdom.com. The email service provider would sign all emails with a DKIM signature using espdom.com, which passes as valid. But as espdom.com does not align with the domain you are using to send the email, i.e., mydomain.com, the DKIM alignment will not pass. In order for it to pass, the email service provider will have to sign all emails using mydomain.com. Such an email would be DMARC aligned.
- SPF Alignment Example: Suppose you are using mydomain.com to send mail using espdom.com, where the email service provider has set email bounces and utilizes a “Return-Path” header via firstname.lastname@example.org. The SPF alignment would fail since the domain in the return path differs from mydomain.com. In order for it to pass SPF alignment, the email service provider would have to change the domain in the “Return-Path” header, so it matches with mydomain.com.
DMARC Alignment Modes
You can specify both SPF and DKIM alignments to follow a particular type of mode, including:
- Strict Mode: An alignment mode defined as strict requires an exact match. This means that the fully qualified domain name (FQDN) in the “From” header must exactly match the return path in the case of SPF alignment and the signing domain in the case of DKIM alignment.
- Relaxed Mode: An alignment mode defined as relaxed allows some flexibility and needs only a partial match. This means that only the organizational domain must match, i.e., align with, the return path in the case of SPF alignment and the signing domain in the case of DKIM alignment.
You can specify the strict or relaxed alignment in the “aspf” and “adkim” fields in a DMARC record by providing the value as “r” for relaxed and “s” for strict.
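The check below is an added example, not code from the original post, that applies the “aspf” and “adkim” values of a DMARC record to the mydomain.com and espdom.com cases discussed above. The small suffix set stands in for the Public Suffix List and the subdomain names are constructed; both are assumptions.

```python
# Tiny stand-in for the Public Suffix List (assumption; real checks need the full list).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; aspf=s' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned(from_domain, auth_domain, mode):
    """Mode 's' needs an exact match; 'r' needs only the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def check(record, header_from, return_path_domain, dkim_d):
    """Alignment of the From domain against the Return-Path domain and the DKIM d= value."""
    tags = parse_dmarc(record)
    # Both tags default to relaxed ("r") when absent from the record.
    return {
        "spf": aligned(header_from, return_path_domain, tags.get("aspf", "r")),
        "dkim": aligned(header_from, dkim_d, tags.get("adkim", "r")),
    }

if __name__ == "__main__":
    relaxed = "v=DMARC1; p=reject; aspf=r; adkim=r"
    strict = "v=DMARC1; p=reject; aspf=s; adkim=s"
    # Subdomains align in relaxed mode but not in strict mode.
    print(check(relaxed, "mydomain.com", "bounce.mydomain.com", "mail.mydomain.com"))
    print(check(strict, "mydomain.com", "bounce.mydomain.com", "mail.mydomain.com"))
    # The provider's own domain never aligns, whatever the mode.
    print(check(relaxed, "mydomain.com", "espdom.com", "espdom.com"))
```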
Final Words
DMARC alignment is a crucial process that can disallow unauthorized domain name usage, provide visibility into your domain users, improve email deliverability, and help identify malicious actors using your domain for email spoofing, spam, fraud, and more. Understanding and utilizing DKIM alignment and how SPF and DKIM alignments work can help provide a set of instructions for the email message and email sender validation, which is a crucial step in email deliverability today since nearly 333.2 billion emails will be exchanged in 2022.