By themselves, SPF and DKIM can associate a piece of email with a domain. DMARC attempts to tie the results of SPF and DKIM to the content of email, specifically to the domain found in the From: header of an email. The domain found in the From: header of a piece of email is the entity that ties together all DMARC processing.

Because anyone can buy a domain and put SPF and DKIM into place (including criminals), the results of processing SPF and DKIM have to be related to the domain found in the From: header to be relevant to DMARC. This concept is referred to as Identifier Alignment.

Identifier Alignment is how existing email authentication technologies are made relevant to the content of an email. Getting identifiers to align ends up being a large part of the work of deploying DMARC.

Are your SPF and DKIM identifiers aligned?

When your email is sent, the “From domain” has your domain name after the @ within the email address. Your DKIM signature should also contain the same domain name embedded into the key string. If they match, then they are aligned. Having the SPF and the DKIM align means your email will pass DMARC verification.

How DMARC Alignment works with SPF and DKIM in the From: header

Configuring third-party sources

Third-party sources (eg. SendGrid, Amazon SES, Salesforce, etc.) often use their domain name space to get SPF and DKIM to pass. Configuring these third-party sources to use your own domain name space will bring about alignment. Each third-party source has varying capabilities in this area. dmarcian has cataloged and detailed over 900 third-party sources, their capabilities, and instructions on how to configure related settings.