Email authentication

What is alignment?

DMARC is all about verifying that the address in the ‘From’ header is the actual sender of the message.

To achieve this, DMARC builds on two existing sender-verification mechanisms, DKIM and SPF. However, neither DKIM nor SPF on its own requires the domain in the ‘From’ header to match the identity that DKIM or SPF verifies.

Alignment means that these domains should match (or partially match when using a relaxed setup).

For DKIM this means that the domain used to create the signature (and provided through the d= parameter) should match the domain in the ‘From’ header.

For SPF this is the domain in the RFC5321.MailFrom (MAIL FROM) portion of SMTP or the RFC5321.EHLO/HELO domain, or both. These may be different domains, and they are typically not visible to the end user. Most of the time the ‘Return-Path’ header is used for this.

Example for DKIM:

You send mail from using This ESP correctly signs these mails with a DKIM signature. They do this using their domain This DKIM signature itself is valid as passes. However, as the signing domain does not match your domain, these messages are not aligned. The ESP should sign the messages using to make these messages DMARC compliant.

Example for SPF:

You send mail from using This ESP has set up bounce processing and therefore uses a ‘Return-Path’ header of [email protected]. The ESP has whitelisted their own servers through their SPF record. However, as the domain in the Return-Path header does not match, these messages do not align. The ESP should change the Return-Path header or add an aligned DKIM signature.
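
The alignment check behind both examples above, as an added sketch (not code from this page or from any DMARC implementation). The domains are constructed samples, and the small PUBLIC_SUFFIXES set is an assumption standing in for the full Public Suffix List that a real evaluator uses to find the organizational domain; 'r' and 's' are the relaxed and strict modes of the DMARC adkim/aspf tags.

```python
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List, enough for the sample domains.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is not in the sample set

def aligned(auth_domain, from_domain, mode="r"):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)

def dmarc_alignment(from_header, dkim_d, dkim_pass, mailfrom, spf_pass,
                    adkim="r", aspf="r"):
    """Combine the DKIM/SPF results with alignment against the From header domain."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    mailfrom_domain = mailfrom.rpartition("@")[2]
    # A valid signature or SPF pass only counts for DMARC when its domain aligns.
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, adkim)
    spf_ok = spf_pass and aligned(mailfrom_domain, from_domain, aspf)
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok}

if __name__ == "__main__":
    sender = "Shop <news@example.com>"           # constructed From header
    bounce = "bounces@esp.example.net"           # constructed ESP Return-Path
    # ESP signs with its own domain: DKIM and SPF both pass, neither aligns.
    print(dmarc_alignment(sender, "esp.example.net", True, bounce, True))
    # ESP signs with the sender's domain: aligned DKIM is enough for DMARC.
    print(dmarc_alignment(sender, "example.com", True, bounce, True))
    # A subdomain signature aligns in relaxed mode but not in strict mode.
    print(dmarc_alignment(sender, "mail.example.com", True, bounce, True, adkim="s"))
```

The first call mirrors the two examples: both checks pass on their own, yet the message fails DMARC because neither authenticated domain matches the ‘From’ domain.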