To explain how alignment works and how to achieve it, we first need to define what it is:
DMARC Alignment
Neither SPF nor DKIM authenticates the sender using the “From:” field that users see. The policy specified in a DMARC record requires that the DKIM key’s domain (or the domain shown in the Return-Path verified by SPF) match the domain shown in the “From:” address. This ensures that the visible From: address contains an authenticated domain, and this requirement is known as “alignment.”
Below we will explain what SPF/DKIM alignment means in detail:
SPF Alignment
For an email to be considered SPF aligned, the organizational domain in the Return-Path of the email (also known as the EnvelopeFrom or RFC5321.MailFrom) must match the organizational domain in the user-visible From address (also known as the RFC5322.From).
Examples:
An email is sent with a From address of [email protected] and the Return-Path is [email protected]. In this case, the email is considered to be SPF aligned.
An email is sent with a From address of [email protected] and the Return-Path is [email protected]. In this case, the email is not aligned.
DKIM Alignment
For an email to be considered DKIM aligned, the authenticated signing domain of at least one of the DKIM keys in the email headers must match the domain in the user-visible From address of the email (also known as the RFC5322.From).
Examples:
An email is sent with a From address of [email protected]. There are two DKIM keys associated with the email. One authenticated signing domain is acme.com and the other is example.com. This email is considered to be DKIM aligned.
An email is sent with a From address of [email protected]. There are two DKIM keys associated with the email. One authenticated signing domain is acme.com and the other is badexample.com. This email is not considered to be DKIM aligned.
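The SPF and DKIM alignment rules above can be expressed as one check. The following is an added example, not Valimail's code: the function names are hypothetical, the From address alice@example.com and the Return-Path addresses are constructed (the addresses on this page are redacted), and PUBLIC_SUFFIXES is a tiny stand-in for the Public Suffix List that real receivers use. It also goes beyond the text by offering a strict mode (exact domain match) next to the organizational-domain comparison described here.

```python
from email.utils import parseaddr

# Assumption: minimal stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def domain_of(address):
    """Lowercased domain part of an address or 'Name <addr>' header value."""
    return parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")

def org_domain(domain):
    """Organizational domain: longest known public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)  # unknown suffix: compare the name as-is

def aligned(auth_domain, from_domain, strict=False):
    """Strict: exact match. Relaxed: same organizational domain.
    Comparing whole labels (not a string suffix) keeps badexample.com
    from matching example.com."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_alignment(header_from, return_path, spf_pass, dkim_pass_domains, strict=False):
    """dkim_pass_domains: signing domains of DKIM signatures that verified."""
    from_dom = domain_of(header_from)
    spf_ok = bool(spf_pass) and aligned(domain_of(return_path), from_dom, strict)
    dkim_ok = any(aligned(d, from_dom, strict) for d in dkim_pass_domains)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    sender = "Alice <alice@example.com>"  # constructed sample
    # Vendor authenticates with its own domain: SPF passes but is not aligned.
    print(dmarc_alignment(sender, "bounce@acme.com", True, ["acme.com"]))
    # Same vendor after a customer-specific DKIM key is published.
    print(dmarc_alignment(sender, "bounce@acme.com", True, ["acme.com", "example.com"]))
    # Look-alike signing domain does not align.
    print(dmarc_alignment(sender, "bounce@acme.com", True, ["acme.com", "badexample.com"]))
```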
Why it matters:
As phishing attacks evolve, so should our defenses against them. SPF and DKIM authentication is not sufficient on its own, because neither checks the From: address that users see; DMARC alignment closes that gap and keeps hackers at bay.
How to fix it:
When alignment is not properly configured, the sender (e.g., Mailgun, Marketo, Sparkpost, etc.) will normally use its own domain name for SPF and DKIM authentication. Each sender has a set of instructions to follow for setting up SPF and/or DKIM alignment. You can check the sender's own knowledge base to find these instructions, or look for the sender's article in the Email Service Providers section on support.valimail.com.
Valimail Enforce allows you to configure these third-party senders to use your own domain name by publishing an SPF record or DKIM key specifically created for each of the vendors. Valimail Enforce has a large database of senders, and in most cases, we recognize whether a sender supports SPF alignment, DKIM alignment, or both.
If you have any questions about DMARC alignment, please don't hesitate to reach out to the Valimail Support Team. We are always happy to assist you in any way we can.