Domain-based Message Authentication, Reporting and Conformance (DMARC) alignment verifies that an email message’s ‘From’ header domain aligns with the authenticated domain used by the DKIM and SPF protocols. DMARC checks alignment for two identifiers: SPF identifier alignment and DKIM identifier alignment.
Let’s find out how DMARC alignment helps prevent email spoofing and phishing attacks by ensuring that the information in the various authentication mechanisms is consistent.
What is DMARC Alignment?
DMARC alignment refers to the aligning or matching of domains under various sections of senders’ email headers. It ensures that the domains specified in these authentication mechanisms match the email domain claimed in the “From” address of the email.
DMARC checks the ‘From’ header, the Return Path address, and the domain name in the DKIM signature when an email is being validated. If the alignment fails, DMARC policies give instructions to email receivers on handling the non-aligned messages (e.g., mark them as spam or reject them). There are three DMARC policies that you can choose from for your email domains and subdomains: none, quarantine, and reject.
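To make the policy lookup concrete, here is an added example in Python (not code from the article) that parses a DMARC TXT record and decides which of the three policies applies to a given ‘From’ domain. The DNS answers are constructed, the record tags used are the standard v, p, sp, aspf, adkim and rua, and the organizational domain is approximated by the last two labels (a real implementation consults the Public Suffix List).

```python
# Added example (not from the article): parse a DMARC TXT record and work out
# which policy applies to a message, following the lookup order in RFC 7489.
# DNS answers below are constructed; the organizational domain is approximated
# by the last two labels (real implementations use the Public Suffix List).
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcRecord:
    policy: str                    # p=    : none | quarantine | reject
    subdomain_policy: str          # sp=   : falls back to p= when absent
    aspf: str                      # aspf= : "r" relaxed (default) or "s" strict
    adkim: str                     # adkim=: "r" relaxed (default) or "s" strict
    tags: Dict[str, str] = field(default_factory=dict)


def parse_dmarc_record(txt: str) -> DmarcRecord:
    """Split 'v=DMARC1; p=...' into tag/value pairs and apply the defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:                                   # skip empty trailing parts
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy not in VALID_POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    aspf = tags.get("aspf", "r").lower()
    adkim = tags.get("adkim", "r").lower()
    if aspf not in ("r", "s") or adkim not in ("r", "s"):
        raise ValueError("aspf= and adkim= must be r or s")
    return DmarcRecord(policy, subdomain_policy, aspf, adkim, tags)


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels. Fine for example.com, wrong for co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def applicable_policy(from_domain: str, dns: Dict[str, str]) -> Optional[Tuple[str, DmarcRecord]]:
    """Return (policy, record) for the From-header domain, or None without a record.

    RFC 7489 section 6.6.3: query _dmarc.<from-domain> first; if nothing is
    there, query _dmarc.<organizational-domain>, whose sp= then governs the
    subdomain."""
    from_domain = from_domain.lower().rstrip(".")
    txt = dns.get("_dmarc." + from_domain)
    if txt is not None:
        record = parse_dmarc_record(txt)
        return record.policy, record
    org = organizational_domain(from_domain)
    if org == from_domain:
        return None
    txt = dns.get("_dmarc." + org)
    if txt is None:
        return None
    record = parse_dmarc_record(txt)
    return record.subdomain_policy, record


# Constructed DNS answers standing in for real TXT lookups.
CONSTRUCTED_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
}

if __name__ == "__main__":
    for d in ("example.com", "news.example.com", "mail.example.com", "example.net"):
        result = applicable_policy(d, CONSTRUCTED_DNS)
        print(d, "->", result[0] if result else "no DMARC record")
```

Run as a script it shows the three outcomes that matter in practice: the organizational domain gets its own p=, a subdomain with its own record gets that record’s p=, and a subdomain without one inherits sp= from the organizational domain.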
How Does the Process of DMARC Alignment Flow?
DMARC works on the basis of SPF and DKIM results to run authentication checks on emails dispatched from your email domain. So, when a message is sent from your domain, SPF verifies its Return Path and DKIM validates the cryptographic signature at the recipient’s end. These checks run independently, and each is tied to a different domain: the Return-Path domain for SPF and the signing domain for DKIM.
A message achieves DMARC alignment when at least one of these checks passes with a domain that aligns with the ‘From’ header.
However, SPF and DKIM on their own leave a gap. Anyone on the internet (including malicious actors) can buy a domain and set up SPF and DKIM for it, which means they can send an email that carries your organization’s domain name in the ‘From’ address while the Return Path uses their own domain, so the message still passes SPF authentication. Since an email receiver typically sees only the ‘From’ address and not the Return Path, they may remain unaware of the inconsistency between the two.
DMARC Alignment Types
DMARC alignment bolsters email security by establishing a protocol for how emails from a domain should be managed if they don’t pass authentication checks upon delivery. This step enhances not only the safety but also the reliability of email communication, which is an integral part of modern digital interaction. There are two alignment modes, which differ in how strictly the domains must match and therefore in the level of security they provide and in how a recipient’s server treats borderline messages:
DMARC Relaxed Alignment
Configuring relaxed alignment for SPF and DKIM means the overall DMARC implementation is also set to relaxed. The SPF relaxed alignment mode allows for a pass if either the “Return-Path” domain (envelope sender) or the “From” header domain aligns with the domain in the SPF record. This means that as long as one of these domains matches, the SPF check passes.
On the other hand, when DKIM is set to relaxed mode, the DKIM signature is considered aligned only when the signing domain and the ‘From’ header domain match. This match is possible with forwarded or modified emails as well.
Overall, relaxed alignment is lenient and more forgiving, which is why it accommodates legitimate emails that are forwarded or have passed through mailing lists that modify the headers.
An email passes DMARC authentication checks in relaxed mode when the message’s header domain satisfies either of the alignment conditions.
DMARC Strict Alignment
Configuring strict alignment for SPF and DKIM means the overall DMARC implementation is also set to strict.
The strict SPF alignment mode requires an exact match between the domain in the “Return-Path” (envelope sender) and the domain in the “From” header. If there is any difference, the SPF check fails.
In strict alignment for DKIM, the DKIM signature must have an exact match with the “From” header domain. Any discrepancy results in a failed DKIM alignment.
Strict alignment provides a higher level of security by requiring precise matches, and it is suitable for organizations that want to minimize the risk of domain spoofing.
DMARC Relaxed vs. Strict Alignment: Which Mode is Better?
The answer to this depends on the email infrastructure and the size of your organization. Another factor to consider is how many false positives your business model can tolerate without experiencing a major impact.
Imagine an online store that sends a lot of emails. For regular marketing emails, it’s not a very big deal if some of the messages are false positives and get mistakenly marked as spam. But it’s a different story when it comes to emails from the customer service team, like answering questions about orders or refunds.
For instance, if a customer asks about their order’s shipping status and the reply accidentally ends up in the spam folder or bounces back, the customer might think the company isn’t responding. This can hurt the company’s reputation because customers expect reliable communication. So, managing these situations is crucial for any company’s image and effectiveness.
That’s why there’s no fixed answer to ‘which is the better alignment mode’. At the end of the day, it’s your operation style and your domain’s maturity that help you make the call.
The relaxed mode is more flexible and produces fewer false positives, making it a suitable choice for organizations with multiple email systems or services sending emails on their behalf. However, its lenient nature allows some of the spoofing and phishing emails to bypass the authentication filter at recipients’ ends.
On the flip side, the strict mode allows only those messages to pass the authentication checks whose domain in the ‘From’ header exactly matches the one used by SPF and DKIM. The strictness prevents phishing and spoofing attacks to a great extent, but in the process many genuine emails are falsely tagged as illegitimate. That’s why the person or team in charge of SPF, DKIM, and DMARC has to be extra attentive with configurations, evaluations, and updates.
Impact of Email Forwarding on DMARC Alignment
Email forwarding is a common practice; however, it poses a challenge for DMARC alignment because the ‘From’ header gets changed to the forwarding server’s address, and new elements are added to the email content. As a result, SPF and DKIM alignment fail: the original ‘Mail From’ domain identity no longer matches the modified bounce address, and the altered message content breaks the signature.
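The following added Python example (not code from the article) implements the alignment check described in the relaxed and strict alignment sections above and then exercises it on the forwarding cases just described. The message scenarios are constructed; the code assumes the receiver has already run SPF and DKIM and kept the Return-Path domain and the DKIM signing domain, that a forwarder rewrites the bounce address to its own domain, and that the organizational domain is the last two labels (a real implementation consults the Public Suffix List).

```python
# Added example (not from the article): evaluate DMARC identifier alignment
# for a message from the identifiers a receiver already has after SPF and DKIM.
# Sample messages are constructed; the organizational domain is approximated
# by the last two labels (real implementations use the Public Suffix List).
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AuthResult:
    from_domain: str             # domain of the RFC 5322 "From" header
    spf_domain: Optional[str]    # Return-Path (envelope sender) domain SPF checked
    spf_pass: bool               # raw SPF verdict for that domain
    dkim_domain: Optional[str]   # signing domain (d=) of the DKIM signature, if any
    dkim_pass: bool              # whether the signature verified


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels (example.com); a PSL is needed for co.uk etc."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def identifiers_aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if auth_domain is None:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    if mode == "r":
        return organizational_domain(a) == organizational_domain(b)
    raise ValueError("mode must be 'r' (relaxed) or 's' (strict)")


def dmarc_result(r: AuthResult, aspf: str = "r", adkim: str = "r") -> Dict[str, bool]:
    """DMARC passes when at least one identifier both authenticates and aligns."""
    spf_aligned = r.spf_pass and identifiers_aligned(r.from_domain, r.spf_domain, aspf)
    dkim_aligned = r.dkim_pass and identifiers_aligned(r.from_domain, r.dkim_domain, adkim)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


# Constructed scenarios.
LEGITIMATE = AuthResult("example.com", "mail.example.com", True, "example.com", True)
# The mismatch described earlier: SPF and DKIM both pass for a domain the sender
# controls, but neither is the From domain, so nothing aligns.
UNALIGNED = AuthResult("example.com", "unrelated-sender.test", True, "unrelated-sender.test", True)
# Plain forwarding: the forwarder rewrites the bounce address to its own domain
# and leaves the body intact, so the DKIM signature still carries the message.
FORWARDED_INTACT = AuthResult("example.com", "forwarder.test", True, "example.com", True)
# A mailing list that rewrites the bounce address and modifies the content,
# breaking the original signature: no aligned identifier survives.
LIST_MODIFIED = AuthResult("example.com", "list.test", True, "example.com", False)

if __name__ == "__main__":
    for name, msg in [("legitimate", LEGITIMATE), ("unaligned", UNALIGNED),
                      ("forwarded", FORWARDED_INTACT), ("list-modified", LIST_MODIFIED)]:
        print(name, "relaxed:", dmarc_result(msg), "strict:", dmarc_result(msg, "s", "s"))
```

Run as a script it prints the relaxed and strict verdict for each scenario. The forwarded message passes only because the DKIM signature survived intact, which is why a mailing list that rewrites the body leaves nothing aligned, and the legitimate message sent from mail.example.com loses its SPF alignment the moment the mode is switched to strict.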
Final Words
It becomes easier to make informed and strategic adjustments to SPF, DKIM, and DMARC and their alignment modes when the team regularly and frequently monitors DMARC reports. It’s suggested to start with the relaxed alignment mode and shift to the strict mode once the number of false positives drops to zero or near zero.