What is DMARC alignment?

Posted on May 29, 2023 by Caleb ‐ 6 min read

Introduction

DMARC is an important email authentication protocol for protecting against domain spoofing. However, it relies heavily on two other protocols to function: SPF and DKIM. Interestingly, an email can pass both SPF and DKIM, but still fail DMARC. How is this possible? This article will explain the concept of alignment and why it is needed.

What SPF Lacks

SPF, which stands for Sender Policy Framework, is an email authentication method. SPF allows a domain owner to publish a list of approved senders for their domain. When an email from their domain is sent, the receiving server can compare the IP address that sent the email to the list of approved senders. For SPF to pass, the IP address that sent the email must be included on that list.

When the receiving server looks up the SPF record, it is important to note which domain it is using. Rather than looking up the domain that is shown in the “From” field of most email clients, the server is looking up the domain found in the “Mail From” address. This domain is not visible in most email clients but is used when mail servers communicate. You may also hear this address referred to as the “Return-Path” or in some cases the “HELO” or “EHLO” address.

This detail is important, because it means that SPF does not protect the “From” field that most users look at when they receive an email. A bad actor could use “example.com” in the “From” field of their email. Even if they send the email using a “Mail From” address of “evildomain.com”, they can pass SPF as long as the list of approved senders for “evildomain.com” includes the IP address they are using. Something more is needed…

What DKIM Lacks

DKIM, which stands for DomainKeys Identified Mail, is another email security mechanism. DKIM makes use of a public/private key pair to provide confidence that an email was sent by the party it claims to come from and has not been changed in transit. The server sending an email computes a hash of the email, then signs that hash with its private key. The sending domain publishes the matching public key in a DNS record. The receiving server fetches the public key and uses it to verify the signature, which gives it the hash the sender computed. The receiving server also computes its own hash of the email it received. By comparing the two hashes the receiving server can identify whether anything has been changed in transit.

Like with SPF, it is important to note which domain the receiving server is using when performing a DKIM check. Once again, it is not the domain used in the “From” field that is being checked. When checking DKIM, the receiving server looks at the DKIM-Signature header for a tag that starts with “d=”. The domain found in this tag, along with the selector (“s=”) tag, is used to look up the appropriate public key in DNS.
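To show which domain the DKIM check actually uses, here is an added Python example (my own code, not from the original article) that parses a DKIM-Signature header, returns the “d=” domain, and builds the DNS name the receiver queries for the public key (the “selector._domainkey.domain” form defined in RFC 6376). The header and its tag values are constructed for the example; the From address it is compared against is the article’s “bob@example.com”.

```python
import re

# Constructed DKIM-Signature header for illustration (not from the article).
# It is folded across lines with a leading tab, as real headers often are.
SAMPLE_DKIM_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "\td=evildomain.com; s=mail2023; t=1685318400;\r\n"
    "\th=from:to:subject:date; bh=BODYHASHPLACEHOLDER=; b=SIGNATUREPLACEHOLDER="
)


def unfold(header: str) -> str:
    """Join folded continuation lines (line break followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_dkim_tags(header: str) -> dict:
    """Parse a DKIM-Signature header's tag=value list into a dict.

    Tag names are lower-cased, values kept verbatim. Base64 values such as
    b= and bh= never contain ';', so splitting on ';' is safe.
    """
    value = unfold(header)
    if value.lower().startswith("dkim-signature:"):
        value = value.split(":", 1)[1]
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = val.strip()
    return tags


def dkim_signing_domain(header: str) -> str:
    """The domain the receiver actually verifies: the d= tag, not the From field."""
    tags = parse_dkim_tags(header)
    if "d" not in tags:
        raise ValueError("DKIM-Signature has no d= tag")
    return tags["d"].lower()


def dkim_key_record_name(header: str) -> str:
    """DNS name of the TXT record holding the public key: <selector>._domainkey.<d>."""
    tags = parse_dkim_tags(header)
    for required in ("d", "s"):
        if required not in tags:
            raise ValueError(f"DKIM-Signature has no {required}= tag")
    return f"{tags['s']}._domainkey.{tags['d'].lower()}"


def from_header_domain(from_header: str) -> str:
    """Domain of the visible From address, e.g. 'From: Bob <bob@example.com>'."""
    match = re.search(r"<([^>]+)>", from_header)
    addr = match.group(1) if match else from_header.split(":", 1)[-1].strip()
    return addr.rsplit("@", 1)[-1].lower()


if __name__ == "__main__":
    print("From domain:   ", from_header_domain("From: Bob <bob@example.com>"))
    print("DKIM d= domain:", dkim_signing_domain(SAMPLE_DKIM_HEADER))
    print("Key record:    ", dkim_key_record_name(SAMPLE_DKIM_HEADER))
```

Running it prints “example.com” for the From field but “evildomain.com” for the signing domain: a valid signature for evildomain.com says nothing about example.com, which is exactly the gap the next section describes.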

Although DKIM can provide confidence that an email has not been altered and that it was signed by the domain found in the “d=” tag, it does not protect the “From” field. This means a bad actor could use that same “example.com” in the “From” field of an email, and as long as they have set up DKIM for “evildomain.com”, they can use that domain in the DKIM-Signature header to pass DKIM. Again, something more is required…

Alignment

DMARC allows domain owners to effectively protect the “From” field that users most commonly interact with. Neither SPF nor DKIM protects the domain found in this field, so how does DMARC do it? This is where the concept of alignment comes in. For an email to pass DMARC, two conditions need to be met.

  1. SPF or DKIM must pass. Both can pass, but at least one is required.
  2. The domain used during the check that passed must align with the domain used in the “From” field of the email.

As an example, let’s say SPF passed but DKIM failed. To pass DMARC, the domain that was checked as part of SPF must align with the domain in the “From” field of the email. If the “Mail From” address contained “example.com” and the “From” field contained “bob@example.com”, then SPF is in alignment.

Below are two tables that show various alignment scenarios for SPF and DKIM.

Table 1 (SPF Alignment)

| From            | Mail From      | Alignment | SPF Result | DMARC Result | Description                          |
|-----------------|----------------|-----------|------------|--------------|--------------------------------------|
| bob@example.com | evildomain.com | NO        | PASS       | FAIL         | Spoofing attempt with SPF set up     |
| bob@example.com | evildomain.com | NO        | FAIL       | FAIL         | Spoofing attempt with SPF not set up |
| bob@example.com | example.com    | YES       | FAIL       | FAIL         | SPF set up incorrectly               |
| bob@example.com | example.com    | YES       | PASS       | PASS         | SPF set up correctly                 |

Table 2 (DKIM Alignment)

| From            | d= domain      | Alignment | DKIM Result | DMARC Result | Description                           |
|-----------------|----------------|-----------|-------------|--------------|---------------------------------------|
| bob@example.com | evildomain.com | NO        | PASS        | FAIL         | Spoofing attempt with DKIM set up     |
| bob@example.com | evildomain.com | NO        | FAIL        | FAIL         | Spoofing attempt with DKIM not set up |
| bob@example.com | example.com    | YES       | FAIL        | FAIL         | DKIM set up incorrectly               |
| bob@example.com | example.com    | YES       | PASS        | PASS         | DKIM set up correctly                 |

Strict vs Relaxed

So far we have not discussed what happens when email is sent from a subdomain. In the case of DKIM, if the domain after “d=” is “example.com”, but the “From” field uses the subdomain “mail.example.com”, would there be alignment? Thankfully, domain owners can determine whether emails like this should pass or fail alignment. A domain owner can specify an alignment mode separately for DKIM and SPF.

There are two optional tag-value pairs a domain owner can add to their DMARC record to specify whether an exact match is required. Both tags can have either the value “r” for relaxed, or “s” for strict.

  • Tag for DKIM alignment - “adkim=”
  • Tag for SPF alignment - “aspf=”

If the tag is set to “r”, the domains will be in alignment as long as they have the same organizational domain. Relaxed is also the default setting if a tag is not present. If the tag is set to “s”, then there must be an exact match between both Fully Qualified Domain Names for alignment to occur.

Below are two tables to show the outcome of different alignment modes for SPF and DKIM. To simplify the results we will assume SPF and DKIM have been set up correctly.

Table 3 (SPF Alignment Modes)

| From                 | Mail From   | Alignment Mode | Alignment | SPF Result | DMARC Result |
|----------------------|-------------|----------------|-----------|------------|--------------|
| bob@example.com      | example.com | aspf=r         | YES       | PASS       | PASS         |
| bob@example.com      | example.com | aspf=s         | YES       | PASS       | PASS         |
| bob@mail.example.com | example.com | aspf=r         | YES       | PASS       | PASS         |
| bob@mail.example.com | example.com | aspf=s         | NO        | PASS       | FAIL         |

Table 4 (DKIM Alignment Modes)

| From                 | d= domain   | Alignment Mode | Alignment | DKIM Result | DMARC Result |
|----------------------|-------------|----------------|-----------|-------------|--------------|
| bob@example.com      | example.com | adkim=r        | YES       | PASS        | PASS         |
| bob@example.com      | example.com | adkim=s        | YES       | PASS        | PASS         |
| bob@mail.example.com | example.com | adkim=r        | YES       | PASS        | PASS         |
| bob@mail.example.com | example.com | adkim=s        | NO        | PASS        | FAIL         |
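To make the two DMARC conditions from the Alignment section and the relaxed/strict modes from this section concrete, here is an added Python example (my own code, not from the original article) that parses a DMARC record, derives the alignment mode for each check, and evaluates DMARC for the scenarios in the tables above. The DMARC record is constructed; its p= and rua= values are assumed. The organizational-domain function uses a two-label approximation, an assumption stated in the code, whereas real receivers consult the Public Suffix List.

```python
# Constructed DMARC record for example.com (not from the article). The adkim
# and aspf tags are the ones the text describes; p= and rua= are assumed values.
SAMPLE_DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"


def parse_dmarc_record(record: str) -> dict:
    """Parse a DMARC TXT record's tag=value list into a dict (names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    return tags


def alignment_mode(tags: dict, which: str) -> str:
    """Return 'r' or 's' for which in {'adkim', 'aspf'}; relaxed is the default."""
    mode = tags.get(which, "r").lower()
    if mode not in ("r", "s"):
        raise ValueError(f"invalid {which} value {tags[which]!r}")
    return mode


def organizational_domain(domain: str) -> str:
    """ASSUMPTION for this example: the organizational domain is the last two
    labels. Real receivers consult the Public Suffix List so that names such
    as 'example.co.uk' are handled correctly."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def domains_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict: exact FQDN match. Relaxed: same organizational domain."""
    a = from_domain.lower().strip(".")
    b = auth_domain.lower().strip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def address_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def evaluate_dmarc(record: str, from_addr: str,
                   spf_result: str, mail_from_domain: str,
                   dkim_result: str, dkim_d_domain: str) -> dict:
    """Apply the two DMARC conditions from the text: an authentication check
    must PASS, and the domain it checked must align with the From domain."""
    tags = parse_dmarc_record(record)
    from_dom = address_domain(from_addr)
    spf_aligned = (spf_result == "PASS"
                   and domains_aligned(from_dom, mail_from_domain, alignment_mode(tags, "aspf")))
    dkim_aligned = (dkim_result == "PASS"
                    and domains_aligned(from_dom, dkim_d_domain, alignment_mode(tags, "adkim")))
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "PASS" if (spf_aligned or dkim_aligned) else "FAIL",
        "policy": tags.get("p", "none"),
    }


if __name__ == "__main__":
    # Table 1, row 1: From example.com, Mail From evildomain.com, SPF PASS, no DKIM.
    print(evaluate_dmarc("v=DMARC1; p=none", "bob@example.com",
                         "PASS", "evildomain.com", "FAIL", ""))
    # Subdomain From with SAMPLE_DMARC_RECORD: SPF aligns (aspf=r), DKIM does not (adkim=s).
    print(evaluate_dmarc(SAMPLE_DMARC_RECORD, "bob@mail.example.com",
                         "PASS", "example.com", "PASS", "example.com"))
```

The second call in the usage block is the case the tables do not show directly: with aspf=r and adkim=s in the same record, a message from bob@mail.example.com passes DMARC through SPF even though its DKIM signature for example.com is not aligned, because the two modes are evaluated independently and only one aligned pass is required.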

TL;DR (Summary)

While neither SPF nor DKIM authenticates the “From” field that most email users are familiar with, DMARC does. To authenticate this field, DMARC requires alignment between the domain in the “From” field and the domain that was used to pass SPF or DKIM. Domain owners can specify how strict the domain match needs to be using the tags “adkim=” for DKIM alignment and “aspf=” for SPF alignment.