When DKIM is not properly aligned for your domain, your outgoing emails may be at risk of tampering. That means anyone can make unauthorized changes to your email while it’s on the way to the receiver’s inbox, and the recipient might never even know it was altered. 

Now, there can be many reasons that DKIM could fail, despite properly configuring the public and private keys, and one of those reasons is RFC 5322 alignment. 

As you know, every email has a ‘From’ address (the one that the recipient sees). So, according to RFC 5322 (a standard that governs email’s structure), the ‘From’ address needs to match the domain used in your DKIM signature. If the two domains don’t match, DKIM fails, even if the message wasn’t actually tampered with.

That’s why it’s not enough to just have DKIM set up. You also need to make sure the domain in your ‘From’ address is properly aligned with your DKIM signature.

It’s that technical aspect of DKIM that most teams get wrong. In this article, we’ll understand why this alignment matters and how to fix this issue.

 


What is RFC 5322?

RFC 5322 is a standard that tells email systems how to format email headers, including things like the ‘From’ address. 

This standard has been around since October 2008, and matters even today, regardless of the kind of email you send. Whether it is a newsletter, a transaction alert, or a simple message from a friend, the email’s structure is shaped by RFC 5322.

Now with email authentication in the picture, things get a bit more serious.

Protocols like DKIM and DMARC use the ‘From’ address defined by RFC 5322 to check if an email is really coming from who it claims to be. If that address doesn’t match the domain used in the DKIM signature, the email can fail authentication, even if everything else looks fine.

And without this alignment requirement, attackers could use valid SPF or DKIM records from one domain but spoof a completely different ‘From’ address, fooling both the system and your clients receiving the email.

Now that we know what RFC 5322 is, let’s understand what it has to do with DKIM alignment.

 


Why do RFC 5322 alignment and DKIM alignment matter?

Your DKIM authentication is incomplete unless you top it up with DMARC. For DMARC to align, your domain in the DKIM signature should match the domain in your ‘From’ address, as defined by RFC 5322. That’s essentially what DKIM alignment is all about.

If the two domains don’t match, DMARC will eventually fail. That means your email could be marked as suspicious, land in spam, or get blocked entirely. It’s not just about authentication anymore; it’s about credibility and consistency across your email infrastructure.

This becomes all the more important if you use third-party platforms to send emails on your behalf. If those platforms don’t sign your messages using your domain or if they use a subdomain that doesn’t align with your ‘From’ address, DMARC won’t trust your emails.

 

How to spot RFC 5322 alignment failures?

Identifying RFC 5322 alignment issues is the first step to fixing them. The good news is, it isn’t as complicated as it seems. 

 


Start by checking your DMARC reports. These reports tell you which of your messages have passed or failed DKIM and SPF checks. Look for entries that say ‘DKIM alignment failed.’ This means the domain in your DKIM signature doesn’t match the domain in the ‘From’ address.

Next, you’ll want to take a quick look at your DKIM records. For this, you can either use a DKIM checker tool online or use a simple ‘dig’ command to verify your DNS settings. This helps you confirm whether your DKIM record is published properly and whether the d= value in your DKIM signature matches your sending domain.

Even the slightest variation will lead to DMARC authentication failure. 

 

How to fix the DKIM-RFC 5322 misalignment issue?

 

Ensure the DKIM and ‘From’ domains match

To rectify the alignment issue, you must check that the domain used in your DKIM signature (d=) is the same as the one in your ‘From’ address. This is the easiest way to ensure alignment, especially if you’re sending emails directly from your own domain.

 


Choose the right alignment mode

Next, configure the alignment mode in your DMARC policy based on how you send emails. If you use subdomains or send emails through other services, relaxed alignment (adkim=r) is usually safer and helps avoid failures. If all your emails come from the same domain, you can use strict alignment (adkim=s). Pick the one that fits your setup best.
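
The report check and the alignment-mode choice described above, as an added example (not DuoCircle's code): it reads a constructed DMARC aggregate report and lists the records that have no passing DKIM signature whose d= aligns with the ‘From’ domain, under strict or relaxed mode. The sample report, the function names and the two-entry suffix set standing in for the Public Suffix List are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample DMARC aggregate report, trimmed to the fields used below.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><adkim>r</adkim></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>4</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>mail.example.com</domain><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>30</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>esp-mailer.example.net</domain><result>pass</result></dkim></auth_results>
  </record>
</feedback>"""

# Assumption: tiny stand-in for the Public Suffix List; use the real list in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(d_tag, header_from, mode):
    """adkim=s needs an exact match; adkim=r only the same organizational domain."""
    d_tag, header_from = d_tag.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "s":
        return d_tag == header_from
    return org_domain(d_tag) == org_domain(header_from)

def dkim_alignment_failures(report_xml, mode=None):
    """Return (source_ip, header_from, passing d= domains) for unaligned records."""
    root = ET.fromstring(report_xml)
    mode = mode or root.findtext("policy_published/adkim", default="r")
    failures = []
    for rec in root.iter("record"):
        header_from = rec.findtext("identifiers/header_from", default="")
        passing = [d.findtext("domain", default="")
                   for d in rec.findall("auth_results/dkim") if d.findtext("result") == "pass"]
        if not any(aligned(d, header_from, mode) for d in passing):
            failures.append((rec.findtext("row/source_ip"), header_from, passing))
    return failures
```

Calling it with `mode="s"` before tightening a published policy shows which sources that currently pass under relaxed alignment would start failing, such as a subdomain signer like `mail.example.com` in the sample.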

 

Keep the ‘From’ address the same as the original

Sometimes, when you forward an email, the ‘From’ address gets changed. That can break DKIM alignment. To avoid this, make sure your setup keeps the original ‘From’ address. If email forwarding is unavoidable, consider enabling ARC (Authenticated Received Chain) to help preserve authentication even after changes.

Still not sure why you’re facing RFC 5322 alignment issues? Contact DuoCircle to use DMARC Reports to identify authentication issues and keep your email ecosystem safe.
