Understanding DMARC Alignment: SPF And DKIM In Perfect Harmony
Email authentication is vital for cybersecurity, playing a key role in combating phishing, spoofing, and unauthorized email access. DMARC (Domain-based Message Authentication, Reporting & Conformance) relies on two essential mechanisms: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). For effective DMARC implementation, proper alignment of these protocols is necessary.
This article will discuss DMARC alignment, its importance, and how to configure SPF and DKIM collaboratively to enhance email security.
What is DMARC Alignment?
DMARC alignment verifies that the domain in the "From" header of an email corresponds with the domain validated by SPF and/or DKIM. This alignment is essential because, on their own, SPF and DKIM do not check the domain the recipient actually sees in the "From" header, which leaves room for spoofing attacks.
There are two types of alignment in DMARC:
- SPF Alignment: Verifies that the return-path domain aligns with the displayed "From" domain.
- DKIM Alignment: Verifies that the DKIM signature's domain (d= value) aligns with the displayed "From" domain.
To enhance DMARC effectiveness and prevent domain spoofing, it is essential to align both SPF and DKIM.
Understanding SPF Alignment
What is SPF?
SPF is an email authentication technique that confirms whether a message originates from an authorized mail server. It uses DNS TXT records to list the IP addresses allowed to send email for a specific domain.
How SPF Alignment Works
SPF alignment compares the MAIL FROM (Envelope From) domain to the header From domain.
There are two alignment modes:
- Relaxed Alignment: The domains should have a common organizational root, such as mail.example.com and example.com.
- Strict Alignment: Domains must match precisely; for instance, mail.example.com is not equivalent to example.com.
Common SPF Alignment Issues
- Third-Party Email Senders: When a vendor like Mailchimp or Google Workspace sends emails using your domain, the return-path domain may differ from your "From" domain.
- Forwarded Emails: Forwarding can disrupt SPF validation because the forwarder's IP may not appear in the original SPF record.
- Multiple SPF Records: A domain must maintain a single SPF record, as having multiple records can lead to SPF validation issues.
Fixing SPF Alignment
- Use a custom MAIL FROM domain: Set up external services to use a subdomain of your primary domain for sending emails (e.g., mail.example.com instead of mail.thirdparty.com).
- Modify the DMARC policy to permit relaxed SPF alignment if strict alignment proves overly limiting.
- Verify that SPF records are correctly formatted and refrain from having multiple entries. Visit www.dmarcreport.com for more details.
Understanding DKIM Alignment
What is DKIM?
DKIM enables email senders to add a cryptographic signature to their messages, allowing recipients to verify authenticity via a public key published in DNS. Because the signature covers selected headers and the message body, recipients can detect whether those parts were altered in transit.
How DKIM Alignment Works
To achieve DKIM alignment, the domain specified by d= in the DKIM signature should correspond to the "From" domain in the email header. Similar to SPF, DKIM offers both relaxed and strict alignment options.
- Relaxed Alignment: The DKIM signing domain must belong to the same organizational domain as the "From" domain (e.g., marketing.example.com aligns with example.com).
- Strict Alignment: The signing domain must exactly match the "From" domain.
DMARC will fail if the DKIM signature is valid but misaligned, unless SPF also passes with alignment.
Common DKIM Alignment Issues
- Third-Party Senders: Numerous email services use their own domains for signing (d=thirdparty.com), resulting in alignment issues.
- Missing or Incorrect DKIM Signatures: Certain email servers might remove DKIM signatures when forwarding or relaying messages.
- Using a Different Sending Domain: Ensure that DKIM signatures correspond to each domain used by your organization for sending emails.
Fixing DKIM Alignment
- Use a Custom DKIM Signing Domain: Configure third-party senders to sign emails using your domain (e.g., d=example.com).
- Enable DKIM for All Email Streams: Ensure all outgoing emails are signed, including those sent by marketing platforms.
- Use DMARC Relaxed Alignment: If necessary, adjust DMARC to use relaxed alignment while you gradually improve configuration.
Achieving DMARC Compliance with SPF and DKIM Alignment
For DMARC to pass, an email must pass either:
- SPF with alignment, or
- DKIM with alignment, or
- Both SPF and DKIM with alignment (recommended for maximum security).
Example DMARC Record
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensics@example.com; sp=none; aspf=r; adkim=s;
- p=quarantine: Instructs recipients to quarantine failing emails.
- aspf=r: Uses relaxed SPF alignment.
- adkim=s: Uses strict DKIM alignment.
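As an added example (not code from the article), the following Python evaluates the pass rule above together with the relaxed and strict alignment modes described earlier for SPF and DKIM: it parses the example DMARC record for its aspf/adkim tags, compares the MAIL FROM and DKIM d= domains against the "From" domain, and returns the DMARC outcome. The organizational-domain lookup uses a small constructed suffix table as a stand-in for the real Public Suffix List; that table and the function names are assumptions of this example.

```python
"""Added example: DMARC alignment evaluation from a record's aspf/adkim tags.
Not the article's own code. Uses a constructed public-suffix table, not the
full Public Suffix List (publicsuffix.org), which a real verifier would load."""

# Constructed subset of public suffixes (assumption for this example).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain):
    """Registrable domain: mail.example.com -> example.com, a.b.co.uk -> b.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    # Walk from the shortest suffix upward; the first known public suffix
    # found (scanning left to right) plus one more label is the org domain.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_dmarc_record(record):
    """Parse 'tag=value; tag=value' into a dict; alignment defaults to relaxed."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') requires an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_result(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """DMARC passes if SPF passes and aligns, or DKIM passes and aligns."""
    tags = parse_dmarc_record(record)
    spf_ok = bool(spf_pass) and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = bool(dkim_pass) and aligned(dkim_domain, from_domain, tags["adkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": spf_ok or dkim_ok}


# The article's example record: relaxed SPF alignment, strict DKIM alignment.
RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; "
          "ruf=mailto:forensics@example.com; sp=none; aspf=r; adkim=s;")

if __name__ == "__main__":
    # Third-party sender using a custom MAIL FROM subdomain but signing as itself:
    # SPF aligns under relaxed mode, DKIM does not, so DMARC still passes.
    print(dmarc_result(RECORD, "example.com", "mail.example.com", True, "thirdparty.com", True))
```

Swapping adkim=s for adkim=r in the record shows how a signature from marketing.example.com would rescue a message whose SPF check broke during forwarding.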
Properly configuring SPF and DKIM for alignment enhances DMARC's effectiveness, safeguarding your domain against phishing threats.