Showing the identifiers used by SPF and DKIM and what identifier alignment means with respect to DMARC, shown with examples.
On its own SPF validates the MAIL FROM/Return-PATH domain (or the HELO/EHLO hostname if MAIL FROM is empty) and DKIM validates the domain specified in the “d=” field of the DKIM headers. If any of the above validate then that means a PASS.
However, DMARC goes a step further as it does not only require SPF or DKIM to PASS but it also requires at least one of the domains used by SPF or DKIM to align with the domain found in the FROM header.
SPF Alignment
In the case of SPF, identifier alignment means that the MAIL FROM/RETURN-PATH check has to PASS and also the domain portion of the MAIL FROM/RETURN-PATH has to align with the domain found in the FROM address. In cases where the MAIL-FROM is empty (found with bounces), alignment is checked against the EHLO domain.
Example:
MAIL-FROM/RETURN-PATH: @somedomain.com
From header: @ondmarc.com
In this case, SPF Alignment would fail because the FROM header doesn't match the envelope MAILF-FROM or RETURN-PATH.
In strict alignment the domains have to match exactly, whereas in relaxed alignment subdomains are also allowed as long as they come from the same organizational domain.
Example:
MAIL-FROM/RETURN-PATH: @ondmarc.com
From header: @knowledge.ondmarc.com
In the above example, if DMARC was set to strict SPF mode then an email coming from knowledge.ondmarc.com would pass SPF but DMARC would fail as the domains do not match exactly ie. they are not aligned. However, in relaxed alignment mode DMARC would pass.
DKIM Alignment
In the case of DKIM, identifier alignment means that the domain specified by the “d=” field of the DKIM headers has to PASS and align to the domain found in the FROM header. Again, in strict alignment the domains in the “d=” field and FROM header have to match exactly whereas, in relaxed alignment, subdomains are also allowed as long as they come from the same organisational domain.
Example:
d= "ondmarc.com"
From header: @knowledge.ondmarc.com
In the above example, if DMARC was set to strict DKIM mode then an email coming from knowledge.ondmarc.com would pass DKIM but DMARC would fail as the domains do not match exactly ie. they are not aligned. However, in relaxed alignment mode DMARC would pass.