How does DKIM alignment affect overall DMARC compliance?

DMARC is based on SPF and DKIM results. For an email to pass the DMARC checks, it has to pass at least one of the protocols and have alignment with the domain in the ‘From’ header. 

DKIM alignment happens when the domain used in the DKIM signature (d= domain) matches the domain in the ‘From’ address of the email. When an email is signed with DKIM, the sender adds a digital signature that includes a domain (d=), which is used to verify the email’s authenticity.

Example-

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=example.com; s=selector1; h=from:subject:date;

In the above example, d=example.com is the domain signing the email.

Types of DKIM alignment

The two types of DKIM alignment are- relaxed (default) and strict.

Relaxed alignment

If you have set your DKIM record to the relaxed alignment, then the DKIM domain (d=) must share the same organizational domain as the one in the ‘From’ domain.

Let’s say the ‘From’ address is user@example.com, and the DKIM signature domain is mail.example.com, then the relaxed alignment will pass.

Strict alignment

If your DKIM record is set to the strict alignment, the DKIM domain (d=) must be an exact match to the ‘From’ domain.

If the ‘From’ address is user@example.com and the DKIM signature domain is mail.example.com, then the strict alignment will fail. But if the DKIM signature domain is example.com, the strict alignment will pass.

Impact of DKIM alignment on DMARC compliance

When an email sent from your domain passes the DKIM authentication and is aligned, it passes DMARC even if SPF fails or lacks alignment. This helps emails sent on your behalf through third-party services to pass the DMARC. If these services sign emails with their own DKIM keys (d=thirdparty.com), then DKIM alignment will fail unless you have explicitly configured them to use the sender’s domain (d=example.com). SPF alignment might also fail if the email is sent from the third-party’s mail server.

Also, if your organization’s email infrastructure includes multiple and intricate servers, then DKIM alignment ensures unhampered delivery.

However, if DKIM alignment and SPF authentication fail for an email, it will not pass DMARC at all. Such an email will either be marked as spam or get rejected by the recipient’s mailbox.

Best practices for ensuring DKIM alignment

• Whenever you use third-party services to send emails, configure them to use d=example.com instead of d=thirdparty.com.
• Use relaxed DKIM alignment if you have just implemented DKIM for your domain. This allows subdomains to align and prevent unnecessary failures.
• Choose to receive DMARC aggregate reports as they give insights into email authentication activities, including misalignment issues. 
• Consider DKIM over SPF for alignment because the former is more resilient and efficient as it doesn’t rely on IP addresses. IP addresses can change if the range is dynamic or you/someone forwards emails. 

We at DuoCircle can help you start or manage your email authentication journey. Contact us for our expert guidance and result-driven services.