4 - dmarc domain alignment

DMARC (Domain-based Message Authentication, Reporting and Conformance),
is an email authentication standard, developed to combat spoofed domain mail.

In the chapter “3.1. Identifier Alignment” it says:

   Email authentication technologies authenticate various (and
   disparate) aspects of an individual message.  For example, [DKIM]
   authenticates the domain that affixed a signature to the message,
   while [SPF] can authenticate either the domain that appears in the
   RFC5321.MailFrom (MAIL FROM) portion of [SMTP] or the RFC5321.EHLO/
   HELO domain, or both.  These may be different domains, and they are
   typically not visible to the end user.

   DMARC authenticates use of the RFC5322.From domain by requiring that
   it match (be aligned with) an Authenticated Identifier.
   
   -- https://tools.ietf.org/html/rfc7489#section-3.1

It simply means:

   when a sender authenticates their email using SPF and/or DKIM,  
   at least one of the domains must align with the sending From domain

This approach is widely accepted and generally considered
a good practice to identify trusted sender domains.


SpamStop checks the dmarc-default “relaxed” alignment:


Possible results:

  1. both the rules are respected
    the sender domain is fully trusted,
    the message arrives unchanged

  2. only one of the two rules is met
    the ~ (tilde) symbol is added to the subject,
    one of the following explanatory notes is inserted in the message header

    ~ ... subject ...
    X-SpamStop: spf=pass ++domain [NOT] aligned++ - dkim=pass
    
    ~ ... subject ...
    X-SpamStop: spf=pass - dkim=pass ++domain [NOT] aligned++
    
  3. no alignment at all
    the “:: spf-diff ::” and “:: dkim-diff ::” warnings
    are displayed in the subject


Request a free trial