Alignment Factors in DMARC – ASPF & ADKIM Tags

When you begin to configure DMARC, one important factor is “alignment”. Alignment requires the domains authenticated by SPF and DKIM to have a relationship with the “Header From” domain; for SPF, this is the relationship between the “Header From” domain and the “MailFrom” domain.

What is the difference between Header From Domain and MailFrom Domain?

  • Header From Domain:

This is the domain portion of the email address that is most commonly visible to end-users in the “From:” field displayed in an email client. 

  • MailFrom Domain:

This identifier is used by the SPF authentication mechanism. It is the domain portion of the email address that is commonly found in the “Return-Path” message header. This is also commonly known as the bounce address.

The DMARC alignment mechanism does not look for a single “DMARC Alignment” value. It checks SPF alignment and DKIM alignment against the domains in the email header, and the alignment mode for each is specified in the DMARC record using the following tags:

What is ASPF?

ASPF stands for “Alignment SPF” (Sender Policy Framework). This mechanism was introduced in DMARC to validate email authentication based on the Header From Domain and the MailFrom Domain. There are 2 types of alignment.

  1. Relaxed Alignment

Relaxed alignment is determined by the Header From Domain and the MailFrom Domain of the header. It allows a subdomain to meet the domain alignment requirement, and it can be specified in DMARC as “aspf=r”. By default, the aspf value is set to “r”.

Example:

Header From Domain – Example.com

MailFrom Domain – mail.example.com

  2. Strict Alignment

Strict alignment requires an exact match between the Fully Qualified Domain Name (FQDN) of the user-visible From address and the Return Path (SPF), which means the Header From Domain and the MailFrom Domain must be the same for proper SPF validation. It can be specified in DMARC as “aspf=s”.

Example:

Header From Domain – Example.com 

MailFrom Domain – Example.com

What is ADKIM?

ADKIM stands for “Alignment DKIM” (DomainKeys Identified Mail). This mechanism was introduced in DMARC to validate email authentication based on the Header From Domain and the DKIM signing domain. Here too, there are 2 types of alignment.

  1. Relaxed Alignment

This alignment type requires the DKIM domain to match the Header From domain, and it allows a subdomain to meet the domain alignment requirement. Relaxed alignment is the default.

Example:

DKIM signing domain: mail.example.com

Header From domain: Example.com

  2. Strict Alignment

This alignment type requires the DKIM domain to match the Header From domain exactly.

Example:

DKIM signing domain: Example.com

Header From domain: Example.com

According to email marketers like Netcore, Karix, SendGrid, Amazon SES, etc., when configuring a custom return path, a subdomain is typically used as the envelope domain or return path domain for SPF authentication. This configuration is done for the following reasons:

  • To manage email traffic independently.
  • To implement the authentication policy independently, so that the SPF lookup limit of the parent domain is not exceeded.
  • To handle bounce emails without impacting the primary domain.

If these tags are configured as strict, it will directly affect SPF alignment. Therefore, we suggest configuring the “aspf” and “adkim” tags in the DMARC entry as relaxed (“r”). By default, both of these values are set to relaxed.
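
The following alignment check is an added example, not code from the original article or from any DMARC implementation. It applies the “aspf” and “adkim” rules described above to a subdomain return path. It assumes SPF and DKIM authentication have already passed, and it approximates the organizational domain as the last two labels (real validators use the Public Suffix List). The function names and sample records are constructed for illustration.

```python
def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC TXT record as a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # ASSUMPTION: the organizational domain is the last two labels.
    # Real validators consult the Public Suffix List (needed for e.g. co.uk).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, authenticated, mode):
    """mode 's' needs an exact match; 'r' needs the same organizational domain."""
    a = header_from.lower().rstrip(".")
    b = authenticated.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def check_alignment(record, header_from, mail_from, dkim_d):
    """Evaluate SPF and DKIM alignment for one message against one record."""
    tags = parse_dmarc(record)
    aspf = tags.get("aspf", "r").lower()    # relaxed when the tag is absent
    adkim = tags.get("adkim", "r").lower()  # relaxed when the tag is absent
    return {
        "spf_aligned": aligned(header_from, mail_from, aspf),
        "dkim_aligned": aligned(header_from, dkim_d, adkim),
    }


# Constructed sample records: one relying on the defaults, one strict.
RELAXED = "v=DMARC1; p=reject"
STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s"

if __name__ == "__main__":
    # Header From Example.com, return path and DKIM d= on mail.example.com
    for rec in (RELAXED, STRICT):
        print(rec, check_alignment(rec, "Example.com",
                                   "mail.example.com", "mail.example.com"))
```

With the strict record, the subdomain return path and signing domain both fail alignment, which is the case the recommendation above is meant to avoid.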