DMARC Alignment
This post will not cover the basics of DMARC, as there are plenty of resources on what DMARC is and how to enforce it. By way of preface, DMARC builds on the SPF and DKIM email authentication protocols. I assume you already know the DMARC tags, and specifically the aspf and adkim tags, which control alignment.
DMARC Alignment
DMARC alignment is a way to ensure that the email sender’s identity is consistent and legitimate. It involves matching the domain in the “From” address of an email (what you see as the sender) with the domains authenticated by SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
There are two types of alignment:
- SPF Alignment: This checks whether the domain in the “From” header matches the domain in the “Return-Path” header (the SMTP envelope MAIL FROM address, which is the identity SPF actually authenticates).
- DKIM Alignment: This checks whether the domain in the “From” header matches the signing domain (the d= tag) in the DKIM signature.
DMARC alignment helps prevent email spoofing and phishing by ensuring that only authorized senders can use your domain. If the domains don’t match, the email fails DMARC and can be flagged or rejected by the recipient’s email server.
DMARC Alignment modes
DMARC offers two alignment modes:
- DMARC Relaxed Alignment (Default)
- DMARC Strict Alignment
In relaxed alignment, the domain in the “From” address does not need to match the domain in the SPF and DKIM checks exactly. Instead, it only needs to share the same organizational domain. For example:
If the “From” address is user@apples.com, the domain in the SPF check could be mail.apples.com and the domain in the DKIM check could be apples.com. As long as all of these domains share the same organizational domain (apples.com), the email passes the relaxed alignment check.
In strict alignment, the domain in the “From” address must exactly match the domain used in the SPF and DKIM checks. For example:
If the “From” address is user@apples.com, the domain in the SPF check must be apples.com and the domain in the DKIM check must be apples.com. Any discrepancy, such as a different subdomain being used, causes the email to fail the strict alignment check.
If you do not specify the adkim and aspf tags in the DMARC record, the default alignment mode is relaxed for both DKIM and SPF. It is therefore recommended that you leave both SPF and DKIM alignment at the default (relaxed) until you can be sure that the “From” address domain will exactly match the SPF and DKIM domains.
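As an added example (not code from the original post), the block below models the two alignment modes on the apples.com scenario above; DMARC passes when either the SPF or the DKIM identifier aligns, so the strict case still passes via DKIM. The organizational-domain lookup uses a constructed, tiny stand-in for the Public Suffix List rather than the real list.

```python
# Added example: relaxed ("r") vs strict ("s") DMARC identifier alignment.
# PUBLIC_SUFFIXES is a constructed subset standing in for the Public Suffix
# List; a real evaluator must consult the full, current PSL.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable domain, e.g. mail.apples.com -> apples.com."""
    labels = domain.lower().rstrip(".").split(".")
    # Try progressively shorter right-hand slices until one is a public suffix;
    # the organizational domain is that suffix plus one more label to the left.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict requires an exact match; relaxed requires the same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    if mode == "r":
        return organizational_domain(f) == organizational_domain(a)
    raise ValueError(f"unknown alignment mode {mode!r}")


def dmarc_result(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass,
                 aspf="r", adkim="r"):
    """Evaluate DMARC for one message.

    spf_domain is the Return-Path (envelope MAIL FROM) domain, dkim_domain the d= tag
    of a verified signature. An identifier counts only if its mechanism passed AND
    it aligns with the From domain; DMARC passes when at least one identifier does.
    Defaults aspf="r", adkim="r" mirror an unspecified record.
    """
    spf_aligned = spf_pass and aligned(from_domain, spf_domain, aspf)
    dkim_aligned = dkim_pass and aligned(from_domain, dkim_domain, adkim)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


if __name__ == "__main__":
    # Scenario from the post (constructed verification results): From user@apples.com,
    # Return-Path on mail.apples.com, DKIM d=apples.com, both mechanisms verified OK.
    print("relaxed:", dmarc_result("apples.com", "mail.apples.com", True, "apples.com", True))
    print("strict: ", dmarc_result("apples.com", "mail.apples.com", True, "apples.com", True,
                                   aspf="s", adkim="s"))
```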