By themselves, SPF and DKIM can associate a piece of email with a domain. DMARC attempts to tie the results of SPF and DKIM to the content of email: specifically to domain found in the From:header of an email. The domain found in the From: header of a piece of email is the entity that ties together all DMARC processing.

Because anyone can buy a domain and put SPF and DKIM into place (including criminals), the results of processing SPF and DKIM have to be related to the domain found in the From:header to be relevant to DMARC. This concept is referred to as “Identifier Alignment”.

Identifier Alignment is how existing email authentication technologies are made relevant to the content of an email. Getting identifiers to align ends up being a large part of the work of deploying DMARC.

Is your SPF and DKIM aligned?

When your email is sent, the ‘From domain’ has your domain name after the @within the email address. Your DKIM signature should also contain the same domain name embedded into the key string. If they match then they are aligned. Having the SPF and the DKIM align means your email will pass DMARC verification.