
DMARC Alignment

What is DMARC Alignment and Why Is it Important?

Alignment is a key concept introduced by DMARC: the domain that produced a passing SPF or DKIM result MUST match the domain in the message's From header (the RFC5322.From address that appears in the message header, not the body). The match is exact under strict alignment, or at the organizational-domain level under relaxed alignment, which is the default.

Though SPF and DKIM are mostly familiar technologies, it’s important to understand that neither SPF nor DKIM, on its own, has anything to do with the From address, which is what humans typically see on an email. SPF evaluates the envelope sender (RFC5321.MailFrom, the Return-Path) or the HELO name, and DKIM proves a signature by whatever domain appears in the signature's d= tag; a message can pass both while carrying a completely unrelated From address. This is why phishing, spoofing, Shadow IT and other unchecked use and misuse of domains run rampant today. There are very few controls that prohibit bad actors from sending an email as you. The primary control to observe and restrict email domain usage is DMARC.

Identifier alignment is at the heart of DMARC. It is what makes the connection between the authentication mechanisms of SPF and DKIM and the enforcement policy for unauthenticated mail as dictated in the DMARC record. Alignment refers to the relationship between the domain in the From header address and the domains associated with the SPF and DKIM authentication checks. Alignment requires that these domains match, exactly (strict, aspf=s or adkim=s) or by organizational domain (relaxed, the default). A message passes DMARC when at least one passing mechanism, SPF or DKIM, is aligned. If neither aligned check passes, the message fails DMARC and the published policy (p=) decides what happens to it.

The following examples illustrate the alignment relationship:

DMARC alignment example
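The following Python block is an added example, not dmarcian's code, showing how a receiver applies the alignment rule described above. It takes the From domain, the domain for which SPF passed, and the d= domains of any DKIM signatures that verified, reads aspf/adkim from a DMARC record, and reports whether the message passes. All sample domains and the DMARC record are constructed for this example; the org_domain() helper is a deliberate simplification (it uses the last two labels instead of the Public Suffix List) and is labelled as such in the code.

```python
# Added example (not dmarcian's code): an identifier-alignment check in the
# style of a DMARC verifier. Inputs are constructed for illustration; the
# org_domain() helper is a deliberate simplification (see its docstring).
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def org_domain(domain: str) -> str:
    """Organizational domain of `domain`.

    ASSUMPTION: a real verifier consults the Public Suffix List. Taking the
    last two labels is wrong for multi-label suffixes such as co.uk; it is
    enough for the .com/.example inputs used here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Does the domain behind a passing SPF/DKIM result align with From?

    mode "s" (strict): exact match. mode "r" (relaxed, the default): same
    organizational domain, so a vendor subdomain can align with the parent.
    """
    if not auth_domain:          # the mechanism did not pass at all
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tag=value pairs; relaxed is the default."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


@dataclass
class AuthResults:
    from_domain: str                  # RFC5322.From: what the recipient sees
    spf_domain: Optional[str] = None  # RFC5321.MailFrom domain if SPF passed
    dkim_domains: List[str] = field(default_factory=list)  # d= of verified sigs


def evaluate(results: AuthResults, dmarc_record: str) -> Dict[str, object]:
    """Apply DMARC alignment: pass if SPF or any DKIM signature is aligned."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = aligned(results.spf_domain, results.from_domain, tags["aspf"])
    dkim_ok = any(aligned(d, results.from_domain, tags["adkim"])
                  for d in results.dkim_domains)
    verdict = "pass" if (spf_ok or dkim_ok) else "fail"
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": verdict,
            # the published policy only applies to messages that fail
            "disposition": "none" if verdict == "pass" else tags["p"]}


if __name__ == "__main__":
    # Constructed sample: example.com publishes relaxed alignment and p=reject.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    # 1. A vendor uses envelope-from bounce.example.com but signs with its
    #    own d=; SPF aligns (relaxed), so DMARC passes.
    print(evaluate(AuthResults("example.com", "bounce.example.com",
                               ["vendor-esp.example"]), record))
    # 2. A spoof: SPF and DKIM both pass for attacker.example, nothing aligns.
    print(evaluate(AuthResults("example.com", "attacker.example",
                               ["attacker.example"]), record))
```

The second sample is the point of the preceding paragraphs: both SPF and DKIM genuinely pass, yet the message fails DMARC because neither authenticated domain has any relationship to the From domain. Switching the record to aspf=s makes the first sample fail too, since bounce.example.com is no longer an exact match for example.com.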

Are Your SPF and DKIM Identifiers Aligned?

The process of aligning your email proves to the outside world that a particular vendor or server has been explicitly authorized to send on your organization’s behalf. The big picture is that once you’ve aligned all of the mail you do want delivered, you can instruct email receivers to discard anything that you haven’t approved. Without alignment, degrees of uncertainty are introduced when an email receiver is attempting to confirm the origin and trustworthiness of a message.

As DMARC is a domain-based control, you will need to individually configure each vendor that sends email on your behalf. In practice this means two things: publishing the vendor's sending infrastructure in your DNS (an SPF include, and usually a CNAME or TXT record for the vendor's DKIM key under your domain), and having the vendor send with your domain in the envelope sender and/or sign with your domain in the DKIM d= tag, so that at least one mechanism aligns with your From address. Each vendor, or source, as we’ve come to call it at dmarcian, will have a slightly different variation on how to configure alignment; these idiosyncrasies are why it’s important to understand how to identify and organize your sources and have an understanding of vendor management relative to your email ecosystem.

Often, third-party vendors will allow you to onboard their solution without the prerequisites for a DMARC project because they don’t want to introduce barriers to entry for their solution. As a result, many vendors have made email authentication optional, though nearly all of them support it; a vendor that is left on its defaults will typically authenticate with its own domain, which passes SPF and DKIM but does not align with yours. We’ve cataloged and detailed over 1,000 third-party sources, their capabilities, and instructions on how to configure related settings.

Your ultimate goal is to reach as close to 100% alignment as possible with each of your email vendors and then publish an increasingly restrictive DMARC policy, moving from p=none to p=quarantine and finally p=reject. After fulfilling your alignment goal, follow this guide to understand more about each policy and to minimize the impact on legitimate email.

We're Here to Help

With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul. Give our DMARC Management Platform a complimentary test run. Our onboarding and support team will help you along the way.