Skip to main content
All CollectionsEmail Authentication FundamentalsDMARC: The Gatekeeper
DKIM and SPF alignment: what it is, why it matters and how to fix it
DKIM and SPF alignment: what it is, why it matters and how to fix it
Updated over a year ago

In order to be able to explain how alignment works and how it can be achieved, we first need to explain what it is:

DMARC Alignment

Neither SPF nor DKIM authenticates the sender using the “From:” field that users see. The policy specified in a DMARC record will require that the DKIM key’s domain (or the domain shown in the Return-Path verified by SPF) matches the domain shown in the “From:” address. This ensures that the visible From: address contains an authenticated domain, and it is also known as “alignment.”

Below we will explain what SPF/DKIM alignment means in detail:

SPF Alignment

In order for an email to be considered SPF aligned, the organizational domain in the Return-Path of the email (Also known as the EnvelopeFrom or RFC5321.MailFrom) must match the organizational domain in the user-visible From address (also known as the RFC5322.From).

Examples:

An email is sent with a From address of [email protected]. and the Return-Path is [email protected]. In this case, the email is considered to be SPF aligned.

An email is sent with a From address of [email protected]. and the Return Path is [email protected]. In this case, the email is not aligned

a screenshot of a computer

DKIM Alignment

In order for an email to be considered DKIM aligned, the authenticated signing domain of at least one of the DKIM keys in the email headers must match the user-visible From address of the email ( also known as the RFC5322.From ).

Examples:

An email is sent with a From address of [email protected]. There are two DKIM keys associated with the email. One authenticated signing domain is acme.com and the other is example.com. This email is considered to be DKIM aligned.

An email is sent with a From address of [email protected]. There are two DKIM keys associated with the email. One authenticated signing domain is acme.com and the other is badexample.com. This email is not considered to be DKIM aligned.

Why it matters:

As phishing attacks evolve, so should our defenses against them. DMARC alignment keeps hackers at bay since SPF and DKIM authentication is not sufficient on its own.

How to fix it:

Third-party senders/vendors (Mailgun, Marketo, Sparkpost, etc.) normally will use their own domain name for SPF and DKIM authentication.

Valimail Authenticate will allow you to configure these 3rd party senders to use your own domain name by publishing an SPF record or DKIM key specifically created for each of the vendors.

The majority of the vendors support either SPF alignment, DKIM alignment or both, depending on their infrastructure.

Valimail Authenticate has a huge database of senders and we already know if a sender supports SPF, DKIM, or both.

You will have clear instructions in the Valimail Platform for adding a new sender to your configuration.

Did this answer your question?