What is DMARC Alignment and Why Is it Important?

Though SPF and DKIM are mostly familiar technologies, it’s important to understand that neither SPF nor DKIM, on its own, has anything to do with the “from” address. This is why phishing, spoofing, Shadow IT and other unchecked use and misuse of domains run rampant today. There are very few controls that prohibit bad actors from sending an email as you. The primary control to observe and restrict email domain usage is DMARC.

Alignment is at the heart of DMARC; without a firm understanding of it, you may fall victim to a stalled-out project or inadvertently and unknowingly block legitimate email. We have a number of articles, videos, and reporting modules in our application that will help you. You’ve come to the right place!

In its simplest explanation, alignment refers to the relationship between what humans see in the “from” address and what the inbound machinery reads from the header portion of the email when checking domains in the DKIM and SPF record. Alignment requires that the “from” domain match either of the domains used in DKIM or SPF. Only emails that are aligned can pass DMARC.

The following examples illustrate the alignment relationship:
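As an added illustration (not from the original article or dmarcian's tooling), this Python sketch compares the “from” domain with the SPF domain (taken here from `Return-Path`) and the DKIM `d=` domain. It goes beyond the text by showing the DMARC specification's relaxed mode (same organizational domain) and strict mode (exact match). The function names, the tiny `PUBLIC_SUFFIXES` set and the sample messages are constructed assumptions, and SPF and DKIM verification is assumed to have already passed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption); use the real list in production.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def is_aligned(from_domain, auth_domain, strict=False):
    """Strict: exact match. Relaxed: same organizational domain."""
    if not from_domain or not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

def addr_domain(header_value):
    """Domain part of the address in a From or Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2]

def dkim_domain(signature):
    """Extract the d= tag from a DKIM-Signature header value."""
    for part in signature.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip() == "d":
            return value.strip()
    return ""

def check_alignment(raw_message, strict=False):
    """Report which identifiers align with the From domain.
    Assumes the receiver has already verified SPF and DKIM themselves."""
    msg = message_from_string(raw_message)
    from_dom = addr_domain(msg.get("From"))
    spf = is_aligned(from_dom, addr_domain(msg.get("Return-Path")), strict)
    dkim = any(is_aligned(from_dom, dkim_domain(s), strict)
               for s in msg.get_all("DKIM-Signature", []))
    return {"from": from_dom, "spf": spf, "dkim": dkim, "aligned": spf or dkim}

# Constructed sample: a vendor sends as example.com but uses its own bounce and signing domains.
UNALIGNED = ("Return-Path: <bounce@mailer.example.net>\n"
             "DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=k1; b=AAAA\n"
             "From: Billing <billing@example.com>\n\nInvoice attached\n")
# Same vendor after configuration: bounce and signing domains under the customer's domain.
ALIGNED = UNALIGNED.replace("mailer.example.net", "bounce.example.com")

if __name__ == "__main__":
    for name, raw in (("unaligned", UNALIGNED), ("aligned", ALIGNED)):
        print(name, check_alignment(raw), check_alignment(raw, strict=True))
```

The second sample aligns in relaxed mode only: `bounce.example.com` shares an organizational domain with `example.com` but is not an exact match, so the strict check reports it as unaligned.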

Are Your SPF and DKIM Identifiers Aligned?

The process of aligning your email proves to the outside world that a particular vendor or server has been explicitly authorized to send on your organization’s behalf. The big picture is that once you’ve aligned all of the mail you do want delivered, you can instruct email receivers to discard anything that you haven’t approved. Without alignment, degrees of uncertainty are introduced when an email receiver is attempting to confirm the origin and trustworthiness of a message.

As DMARC is a domain-based control, you will need to individually configure each vendor that sends email on your behalf. To do this, you’ll need to access your organization’s DNS and contact vendors to configure them to send aligned email. Each vendor, or source, as we’ve come to call it at dmarcian, will have a slightly different variation on how to configure alignment; these idiosyncrasies are why it’s important to understand how to identify and organize your sources and have an understanding of vendor management relative to your email ecosystem.

Often, third-party vendors will allow you to onboard their solution without the prerequisites for a DMARC project because they don’t want to introduce barriers to entry for their solution. In turn, many vendors have made email authentication optional, though nearly all of them support it. We’ve cataloged and detailed over 1,000 third-party sources, their capabilities, and instructions on how to configure related settings.

Your ultimate goal is to reach as close to 100% alignment as possible with each of your email vendors and then publish an increasingly restrictive DMARC policy of p=quarantine and p=reject. After fulfilling your alignment goal, follow this guide to understand more about each policy and to minimize the impact on legitimate email.

We're Here to Help

With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul. Get in touch with us or give our DMARC Management Platform a complimentary test run. Our onboarding and support team will help you along the way.
