Recent Searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            What is DMARC Identifier Alignment?

            Created by Jason Carreiro, Modified on Tue, 02 May 2023 at 11:24 AM by Yves Lacombe

            Showing the identifiers used by SPF and DKIM and what identifier alignment means with respect to DMARC, shown with examples.


            On its own SPF validates the MAIL FROM/Return-PATH domain (or the HELO/EHLO hostname if MAIL FROM is empty)  and DKIM validates the domain specified in the “d=” field of the DKIM headers. If any of the above validate then that means a PASS.


            However, DMARC goes a step further as it does not only require SPF or DKIM to PASS but it also requires at least one of the domains used by SPF or DKIM to align with the domain found in the FROM header.



            SPF Alignment

             

            In the case of SPF, identifier alignment means that the MAIL FROM/RETURN-PATH check has to PASS and also the domain portion of the MAIL FROM/RETURN-PATH has to align with the domain found in the FROM address. In cases where the MAIL-FROM is empty (found with bounces), alignment is checked against the EHLO domain.


            Example:


            MAIL-FROM/RETURN-PATH: @somedomain.com
            From header: @ondmarc.com


            In this case, SPF Alignment would fail because the FROM header doesn't match the envelope MAILF-FROM or RETURN-PATH.


            In strict alignment the domains have to match exactly, whereas in relaxed alignment subdomains are also allowed as long as they come from the same organizational domain.

             

            Example:


            MAIL-FROM/RETURN-PATH: @ondmarc.com 
            From header: @knowledge.ondmarc.com


            In the above example, if DMARC was set to strict SPF mode then an email coming from knowledge.ondmarc.com would pass SPF but DMARC would fail as the domains do not match exactly ie. they are not aligned. However, in relaxed alignment mode DMARC would pass.



            DKIM Alignment


            In the case of DKIM, identifier alignment means that the domain specified by the “d=” field of the DKIM headers has to PASS and align to the domain found in the FROM header. Again, in strict alignment the domains in the “d=” field and FROM header have to match exactly whereas, in relaxed alignment, subdomains are also allowed as long as they come from the same organisational domain.



            Example:


            d= "ondmarc.com"
            From header: @knowledge.ondmarc.com

            In the above example, if DMARC was set to strict DKIM mode then an email coming from knowledge.ondmarc.com would pass DKIM but DMARC would fail as the domains do not match exactly ie. they are not aligned. However, in relaxed alignment mode DMARC would pass.




            Preview
            0 of 0