Following the announcements from Google and Yahoo reinforcing authentication checks on senders sending more than 5,000 emails a day, DMARC (via domain alignment) is becoming a must-have standard... And the numerous alerts and articles springing up all over the place on various blogs and social networks won't tell me otherwise! We've even made a YouTube Live on the subject :p
In addition to meeting the demands of Google and Yahoo, companies should be focusing on securing their domains and sub-domains. Unfortunately, during my audits, I still make far too many recommendations on the settings and implementation of authentication (be it SPF, DKIM or DMARC). So it's hardly surprising that ISPs and webmails are tightening up their filtering rules to further secure and filter the e-mails received by their users!
Implementing DMARC is great! But behind this implementation, there's a real strategy to be put in place for authentication: SPF and DKIM, but also domain alignment. In this article, I'll show you the importance of aligning your domains with DMARC in order to make them more secure, to be better perceived by your users (at least the most seasoned ones) and also to avoid the Google / Yahoo headache, at least if their announcements give you the creeps...
What is domain alignment with DMARC?
DMARC compliance reminder
The rule for DMARC is simple: to comply with DMARC, an e-mail must have at least its SPF check valid and aligned, or its DKIM signature valid and aligned, with the domain used as the sender. By alignment, we mean that the domain authenticated by SPF or DKIM corresponds to the sender (From) domain! It can be identical or part of the same tree. But DMARC goes even further in domain protection, allowing 2 alignment modes to be applied to SPF and DKIM: "relaxed" or "strict".
"Relaxed" or "flexible" alignment
The "relaxed" alignment is the default alignment applied if no alignment is specifically declared in the DMARC record. This alignment is handled differently for SPF and DKIM, since the checks are not carried out on the same identifier (the MailFrom domain for SPF, the d= signing domain for DKIM). Here are the different possible scenarios:
| Authentication | Declaration | Relaxed / flexible alignment |
|---|---|---|
| SPF | aspf=r or no attribute | The MailFrom* domain must be identical to, or a domain/sub-domain of, the sending domain. |
| DKIM | adkim=r or no attribute | The domain signed with DKIM (d= field) must be identical to, or a domain/sub-domain of, the sending domain. |
* The MailFrom domain is also known as the envelope sender or return path. It is this domain that SPF authenticates, unlike DKIM, whose signing domain is compared with the From domain (or Header From domain).
All in all, this alignment mode offers real flexibility when it comes to configuring authentication, particularly for SPF, where some routing platforms require the delegation of a specific sub-domain for the MailFrom domain configuration.
"Strict" alignment
"Strict" alignment is the safest alignment for a configuration. To be active, it must be explicitly declared in the DMARC record.
"Strict" alignment is handled differently for SPF and DKIM, since the checks are not carried out on the same identifier. Here are the different possible scenarios:
| Authentication | Declaration | Strict alignment |
|---|---|---|
| SPF | aspf=s | The MailFrom domain must be identical to the sender domain. |
| DKIM | adkim=s | The domain signed with DKIM (d= field) must be identical to the sender domain. |
This "strict" alignment is ideal for really securing your domain name, or even your routing platform configuration (as long as all the domains are identical, as with Engage (cf. Marigold / ex-Selligent)).
Some examples of alignment and their results with SPF
Here are the different configurations that can be found with SPF alignments:
| From domain | MailFrom / Envelope domain | Relaxed alignment | Strict alignment |
|---|---|---|---|
| badsender.com | badsender.com | Yes | Yes |
| emailing.badsender.com | emailing.badsender.com | Yes | Yes |
| badsender.com | emailing.badsender.com | Yes | No |
| emailing.badsender.com | badsender.com | Yes | No |
| emailing.badsender.com | contact.badsender.com | Yes | No |
| badsender.com | badsender.fr | No | No |
| badsender.com | bf1.hubspot.com | No | No |
In the end, only the last 2 examples would trigger the DMARC security policy in both alignment modes, as the domains used in From (badsender.com) and MailFrom (or Envelope Sender) (badsender.fr / bf1.hubspot.com) are completely different.
Some examples of DKIM alignment and results
Here are the different configurations that can be found with DKIM alignments:
| From domain | Signed domain (d=) | Alignment result | Relaxed | Strict |
|---|---|---|---|---|
| badsender.com | badsender.com | Aligned | Yes | Yes |
| emailing.badsender.com | emailing.badsender.com | Aligned | Yes | Yes |
| badsender.com | emailing.badsender.com | Aligned | Yes | No |
| emailing.badsender.com | badsender.com | Aligned | Yes | No |
| emailing.badsender.com | contact.badsender.com | Aligned | Yes | No |
| badsender.com | badsender.fr | Not aligned | No | No |
| badsender.com | bf1.hubspot.com | Not aligned | No | No |
In the end, only the last 2 examples would trigger the DMARC security policy in both alignment modes, as the domains signed with DKIM (badsender.fr and bf1.hubspot.com) are completely different from the sending domain (badsender.com).
What strategy should you adopt to align your domains?
Please note that DMARC works on an "inheritance" basis, i.e. if your DMARC record is published on your main domain, sub-domains will inherit the same record (unless they have their own DMARC record).
Before asking yourself what type of alignment to adopt, start by carrying out a complete audit of all the domains you use (main domains and sub-domains), to find out what settings are in place and what platforms you use. This will make it easier for you to know which strategy to adopt: DMARC management by inheritance (which may not be so simple in the end if you have a lot of sub-domains to manage with different usage strategies) or by sender domain (which can be time-consuming but offers greater flexibility if you wish to manage different security policies or different alignments between your sub-domains).
In the 3 scenarios below, we're going to use DMARC management per sender domain. This will be useful if you use many sub-domains on different platforms.
Case study n°1: The Must Have! Apply a "Strict" alignment
With this configuration in STRICT alignment (reminder: aspf=s and adkim=s), your e-mail flows will be as secure as possible. On the other hand, as far as domain settings are concerned, the domain authenticated by SPF and the domain signed with DKIM must be exactly the same as the sending domain. So make sure everything's OK before you get involved 😉
Personally, this is the option I recommend, as long as you use one sender domain for one tool (you avoid sharing a domain across several routing platforms).
Case study 2: The Nice to Have! Combining "Relaxed" and "Strict" alignments
With this intermediate configuration (which I'm seeing more and more), we opt for a "relaxed" alignment with SPF (aspf=r) and a "strict" alignment with DKIM (adkim=s). It works well when you're on shared IP(s) (since you'll generally be using a generic routing platform domain as the MailFrom domain) and you sign with the sender domain using the routing platform's DKIM key.
It's a good compromise when you're not using dedicated IP(s)!
Case study 3: The default configuration! Apply a "Relaxed" alignment
If you don't want to bother with domain alignment, opt for the default configuration (which is "relaxed" for SPF and DKIM). Here, you don't even need to declare them in your record, since this is the default. Make sure, however, that DKIM is signed with the sending domain or a domain in the same tree to validate DMARC, otherwise the rule defined in "p" (or "sp") will apply.
DMARC configuration and alignment examples
I have analyzed and listed below 3 newsletters received in my personal mailbox:
Example 1: Qonto
- From domain: qonto.com
- SPF domain: cio35236.qonto.com → SPF valid, relaxed alignment
- DKIM domain: cio35236.qonto.com → DKIM valid, relaxed alignment
- DMARC record: v=DMARC1; p=reject; rua=mailto:dmarc_agg@vali.email
For the Qonto e-mail, the DMARC security rule will not apply since SPF and DKIM are valid and aligned with the sender's domain 🙂
Example 2: Chilowé
- From domain: chilowe.com
- SPF domain: mail221.atl61.mcsv.net → SPF valid but not aligned with the From domain
- DKIM domain: chilowe.com → DKIM valid, strict alignment
- DMARC record: v=DMARC1; p=none
For Chilowé's e-mail, the DMARC security rule won't apply since DKIM is valid and aligned with the sender's domain 🙂 Too bad DMARC reports aren't collected, though!
Example 3: NFL International
- From domain: e.nfluk.com
- SPF domain: e.nfluk.com → SPF valid, strict alignment
- DKIM domain: e.nfluk.com → DKIM valid, strict alignment
- DMARC record: no DMARC record!
For the NFL International e-mail, even if SPF and DKIM are valid and aligned with the sender's domain, the fact that no DMARC record is present on the domain is likely to get them noticed by Google and Yahoo next February... Unless they fix it before then 😉
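To make the alignment tables above and these three newsletter checks concrete, here is an added example in Python (mine, not code from the article or from any of the platforms mentioned). It parses a DMARC record with the DMARC defaults (relaxed unless aspf= / adkim= says otherwise), looks the record up with the inheritance fallback to the organizational domain, applies relaxed or strict alignment to the SPF and DKIM domains, and returns the verdict and the policy that would apply. It assumes a constructed in-memory DNS table instead of real lookups, computes the organizational domain as the last two labels instead of consulting the Public Suffix List, and the badsender.com record and the news.badsender.com message in it are invented for illustration.

```python
from typing import Dict, Optional, Tuple

# Constructed DNS zone for the example (no network access). The qonto.com and
# chilowe.com records are the ones quoted in the article; e.nfluk.com / nfluk.com
# deliberately have none; the badsender.com record is invented here to show a
# "strict" case-study-1 record with a sub-domain policy (sp=).
CONSTRUCTED_DNS_TXT: Dict[str, str] = {
    "_dmarc.qonto.com": "v=DMARC1; p=reject; rua=mailto:dmarc_agg@vali.email",
    "_dmarc.chilowe.com": "v=DMARC1; p=none",
    "_dmarc.badsender.com": "v=DMARC1; p=quarantine; sp=reject; aspf=s; adkim=s",
}


def organizational_domain(domain: str) -> str:
    """Assumption: the organizational domain is the last two labels.
    A real verifier consults the Public Suffix List (RFC 7489 section 3.2);
    this shortcut is enough for the .com/.fr/.net domains on this page."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment. mode is the aspf= / adkim= value: 'r' or 's'."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":                       # strict: exact match only
        return f == a
    return organizational_domain(f) == organizational_domain(a)  # relaxed: same tree


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict and apply the DMARC defaults:
    alignment is relaxed for both SPF and DKIM unless declared otherwise."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def discover_dmarc(from_domain: str, dns_txt: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (record, domain it was found at): first _dmarc.<From domain>,
    then _dmarc.<organizational domain>. The second step is the inheritance
    the article describes."""
    for candidate in (from_domain.lower(), organizational_domain(from_domain)):
        record = dns_txt.get("_dmarc." + candidate)
        if record and record.lower().startswith("v=dmarc1"):
            return record, candidate
    return None, None


def evaluate(from_domain: str, spf_domain: Optional[str], spf_pass: bool,
             dkim_domain: Optional[str], dkim_pass: bool,
             dns_txt: Dict[str, str]) -> Dict[str, object]:
    """DMARC verdict for one message: pass if SPF or DKIM is both valid and aligned."""
    record, found_at = discover_dmarc(from_domain, dns_txt)
    if record is None:
        return {"record": None, "spf_aligned": False, "dkim_aligned": False,
                "dmarc": "none", "policy_applied": None}
    tags = parse_dmarc(record)
    spf_ok = bool(spf_pass and spf_domain and is_aligned(from_domain, spf_domain, tags["aspf"]))
    dkim_ok = bool(dkim_pass and dkim_domain and is_aligned(from_domain, dkim_domain, tags["adkim"]))
    verdict = "pass" if (spf_ok or dkim_ok) else "fail"
    # p= applies to the domain itself; sp=, when present, applies to sub-domains
    # that inherited the record from the organizational domain.
    policy = tags.get("p", "none")
    if found_at != from_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    return {"record": record, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": verdict, "policy_applied": None if verdict == "pass" else policy}


if __name__ == "__main__":
    # The three newsletters from the article, plus a constructed sub-domain case.
    cases = [
        ("qonto.com", "cio35236.qonto.com", True, "cio35236.qonto.com", True),
        ("chilowe.com", "mail221.atl61.mcsv.net", True, "chilowe.com", True),
        ("e.nfluk.com", "e.nfluk.com", True, "e.nfluk.com", True),
        ("news.badsender.com", "bf1.hubspot.com", True, "news.badsender.com", False),
    ]
    for case in cases:
        print(case[0], evaluate(*case, CONSTRUCTED_DNS_TXT))
```

Run as-is and the Qonto message passes on both identifiers, the Chilowé message passes on DKIM only, the NFL message gets no verdict at all because no record is found even after falling back to nfluk.com, and the constructed news.badsender.com message fails under strict alignment and picks up the sp=reject policy inherited from badsender.com.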
To conclude on domain alignment with DMARC
In my opinion, there is no difficulty in aligning at least one of these domains with DMARC (the easiest being DKIM, provided your routing platform gives you a key of course, which is still not the case with some platforms in 2023 and even in 2024 now!). But as I often say... one is good, but 2 is better!
A small reminder: don't forget that an unprotected domain is a vulnerable domain (and therefore an easy target for hackers), so whether you're using a new platform or migrating to one, remember to set up your default e-mail authentication settings: SPF, DKIM and DMARC.
– – – – –
To find out more about SPF, DKIM and DMARC configurations, please see our dedicated articles:
— What is SPF? Configuration, verification and monitoring
— What is DKIM? Configuration, verification and monitoring
— DMARC: Why and how to deploy it?