What Is DKIM Alignment?

What is DKIM Alignment?

DKIM alignment refers to the relationship between the domain in a DKIM signature and the domain visible in the email’s “From” header. It’s a key concept in DMARC authentication, determining whether a message passes DMARC’s DKIM-related checks.

In short: Even if a DKIM signature is valid, it must also align with the “From” domain for the email to be considered trustworthy under DMARC.

There are two possible modes of DKIM alignment:

• Relaxed alignment (adkim=r) – The DKIM signing domain and the “From” domain share the same root (organizational) domain. For example:
  • DKIM domain: mail.example.com
  • From domain: example.com - Passes relaxed alignment

• Strict alignment (adkim=s) – The two domains must match exactly.
  • DKIM domain: mail.example.com
  • From domain: example.com - Fails strict alignment

How DKIM Alignment Works

When a mail server receives an email, it performs the following checks:

1. Verifies the DKIM signature. The receiving server uses the public key in DNS (published under the selector) to confirm that the message was not altered in transit.
2. Compares the DKIM domain to the From header domain.
   • If they match according to the domain alignment mode set in your DMARC record (adkim=r or adkim=s), the message passes DKIM alignment.
   • If not, it fails the alignment test, even if the signature is technically valid.

This mechanism prevents attackers from using a valid DKIM signature from one domain to authenticate a message that claims to be from another.

The Importance of DKIM Alignment

DKIM alignment is essential to DMARC compliance and email trustworthiness. Without alignment, messages can appear legitimate even though they were signed by unrelated domains. Strong alignment:

• Ensures that only authorized senders can use your domain.
• Prevents spoofing, where bad actors forge your brand’s “From” address.
• Improves email deliverability and reputation with mailbox providers.
• Reduces false positives, since authentication results reflect the true source of the message.

Administrators typically begin with relaxed alignment during DMARC monitoring and move to strict alignment once all legitimate senders are properly configured.

DKIM Alignment and DMARCeye

DMARCeye provides clear visibility into DKIM alignment results across all your email sources. In its DMARC reporting dashboard, you can:

• See which senders pass or fail DKIM alignment.
• Identify services using non-aligned subdomains or third-party signing domains.
• Detect configuration issues that prevent messages from meeting your DMARC policy.

DMARCeye helps you gradually tighten alignment from relaxed to strict, ensuring every sender conforms to your authentication standards without disrupting mail flow.

Sign up for a free trial of DMARCeye today and secure your email domain.

To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.