Understanding Alignment
The Problem
Email authentication protocols like SPF and DKIM verify that an email was sent from an authorized source. However, these protocols alone do not ensure that the email's "From:" header (the address visible to users) is aligned with the authenticated domain.
This issue arises because, frustratingly, SPF and DKIM can authenticate domains other than the one in the "From:" header.
- SPF: SPF authenticates the domain in the Return-Path (envelope sender) header, which can differ from the "From:" header.
- DKIM: DKIM authenticates the domain specified in the d= tag of the DKIM signature, which can also differ from the "From:" header.
DMARC and Alignment
DMARC builds on SPF and DKIM by adding the concept of alignment. For an email to pass DMARC, at least one of the following must be true:
- SPF Alignment: The domain in the Return-Path header must match (or be a subdomain of) the "From:" header domain.
- DKIM Alignment: The domain in the DKIM signature's d= tag must match (or be a subdomain of) the "From:" header domain.
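The two alignment checks above, applied to a message's headers, as an added example (not code from the original page). It assumes SPF and DKIM have already passed for the domains it reads, uses a constructed sample message, and applies the match-or-subdomain rule by plain suffix comparison; the function names are illustrative.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF and DKIM could both pass for mailer.example.net,
# yet the user sees example.com in From:.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=sel1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: "Billing" <billing@example.com>
Subject: Invoice

Constructed body.
"""

def addr_domain(header_value):
    """Lowercased domain of an address header, or '' if there is none."""
    addr = parseaddr(header_value or "")[1]
    _, at, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if at else ""

def dkim_domains(msg):
    """d= tag of every DKIM-Signature header (a message can carry several)."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        for part in sig.split(";"):
            name, eq, value = part.partition("=")
            if eq and name.strip() == "d":
                # Remove folding whitespace left over from header continuation.
                found.append("".join(value.split()).lower().rstrip("."))
    return found

def aligned(auth_domain, from_domain):
    """Rule from the text: equal to, or a subdomain of, the From: domain."""
    if not auth_domain or not from_domain:
        return False
    # The leading dot stops look-alikes such as notexample.com from matching.
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def alignment_report(raw_message):
    msg = message_from_string(raw_message)
    from_dom = addr_domain(msg.get("From"))
    spf_ok = aligned(addr_domain(msg.get("Return-Path")), from_dom)
    dkim_ok = any(aligned(d, from_dom) for d in dkim_domains(msg))
    return {"from": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "aligned": spf_ok or dkim_ok}

if __name__ == "__main__":
    print(alignment_report(SAMPLE))
```

For the sample, neither identifier aligns with example.com, so the message fails the alignment requirement even though both authenticated domains are legitimate for the sending service.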