DKIM Alignment Explained: Relaxed vs Strict

Understand DKIM alignment for DMARC. Learn the difference between relaxed and strict alignment, how it affects email authentication, and when to use each mode.

Last updated: 2026-02-06

DKIM alignment determines whether the domain in a DKIM signature matches the domain in the From header. It's a critical concept for DMARC — without alignment, even a passing DKIM check won't satisfy DMARC.

Alignment is about domain matching, not signature validity. An email can pass DKIM verification but fail DKIM alignment if the domains don't match.

What is DKIM Alignment?

When an email arrives, two domains are checked:

  1. DKIM d= domain — The domain in the DKIM-Signature header
  2. From header domain — The domain the recipient sees

Alignment means these two domains match, either exactly or at the organizational-domain level, depending on the alignment mode.

Aligned example:

From: user@example.com
DKIM-Signature: d=example.com; s=selector; ...

Both domains are example.com — aligned.

Unaligned example:

From: user@example.com
DKIM-Signature: d=sendgrid.net; s=selector; ...

The signing domain (sendgrid.net) doesn't match the From domain (example.com) — not aligned.

Relaxed vs Strict

DMARC lets you choose alignment mode via the adkim tag:

Relaxed Alignment (adkim=r)

The organizational domains must match. Subdomains are allowed.

| From Domain | DKIM `d=` Domain | Result |
|---|---|---|
| `example.com` | `example.com` | Aligned |
| `mail.example.com` | `example.com` | Aligned |
| `example.com` | `mail.example.com` | Aligned |
| `example.com` | `other.com` | Not aligned |

Relaxed is the default and works for most organizations.

Strict Alignment (adkim=s)

The domains must match exactly. No subdomain flexibility.

| From Domain | DKIM `d=` Domain | Result |
|---|---|---|
| `example.com` | `example.com` | Aligned |
| `mail.example.com` | `example.com` | Not aligned |
| `example.com` | `mail.example.com` | Not aligned |

Strict is more secure but can break legitimate email flows.

Why Alignment Matters

Without alignment, DMARC cannot use DKIM results:

DMARC check:
  SPF: pass (aligned) → DMARC pass
  DKIM: pass (NOT aligned) → does not count for DMARC

This means an email can have a perfectly valid DKIM signature but still fail DMARC if the signing domain doesn't align with the From domain.

Common Alignment Problems

Third-Party Email Services

When you use services like SendGrid, Mailchimp, or Mailgun, they may sign with their own domain by default:

From: newsletter@yourdomain.com
DKIM-Signature: d=sendgrid.net  ← Not aligned!

Fix: Configure custom domain signing in your email service. Most providers support this — they'll sign as your domain instead of theirs.

Subdomain Senders

If you send from marketing.example.com but sign as example.com:

  • Relaxed: Aligned (organizational domain matches)
  • Strict: Not aligned (exact match required)

Multiple Sending Services

Different services may sign with different domains. Ensure each service that sends as your domain also signs as your domain.

Setting DKIM Alignment in DMARC

Control alignment via your DMARC record:

; Relaxed alignment (default)
_dmarc.example.com TXT "v=DMARC1; p=quarantine; adkim=r; rua=mailto:dmarc@example.com"

; Strict alignment
_dmarc.example.com TXT "v=DMARC1; p=quarantine; adkim=s; rua=mailto:dmarc@example.com"

If you omit adkim, relaxed is used by default.

Which Should You Use?

Use relaxed (default) if:

  • You send from multiple subdomains
  • You use third-party services that sign as your root domain
  • You're just starting with DMARC

Use strict if:

  • You have a single sending domain
  • You need maximum security (financial, government)
  • All your senders sign with exact domain matches

Checking Alignment in DMARC Reports

DMARC aggregate reports show alignment results:

<auth_results>
  <dkim>
    <domain>example.com</domain>
    <selector>mail</selector>
    <result>pass</result>
  </dkim>
</auth_results>
<policy_evaluated>
  <dkim>pass</dkim>  <!-- This means aligned + valid -->
</policy_evaluated>

If auth_results shows dkim=pass but policy_evaluated shows dkim=fail, you have an alignment problem.
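
The check described above can be automated across a whole aggregate report. The following Python is an added example, not code from the original page: it assumes the RFC 7489 report layout without an XML namespace, the function name `find_alignment_failures` is hypothetical, and the sample report is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample report (RFC 7489 aggregate layout, trimmed to the fields used here).
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>sendgrid.net</domain><selector>s1</selector><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>7</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>mail</selector><result>pass</result></dkim></auth_results>
  </record>
</feedback>"""


def find_alignment_failures(report_xml):
    """Return records where a DKIM signature verified but DMARC's DKIM result is fail."""
    failures = []
    for record in ET.fromstring(report_xml).iter("record"):
        evaluated = record.findtext("row/policy_evaluated/dkim", "").strip().lower()
        # Domains whose signatures verified (auth_results), regardless of alignment.
        passing = [
            d.findtext("domain", "").strip().lower()
            for d in record.findall("auth_results/dkim")
            if d.findtext("result", "").strip().lower() == "pass"
        ]
        if evaluated == "fail" and passing:
            failures.append({
                "header_from": record.findtext("identifiers/header_from", "").strip().lower(),
                "signing_domains": passing,
                "source_ip": record.findtext("row/source_ip", "").strip(),
                "count": int(record.findtext("row/count", "0")),
            })
    return failures


if __name__ == "__main__":
    for failure in find_alignment_failures(SAMPLE_REPORT):
        print(failure)
```

Each returned entry pairs the From domain with the `d=` domains that verified, which identifies the sender that needs custom domain signing.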

Troubleshooting Alignment Failures

Check your DKIM signature's d= tag:

# In email headers, look for:
DKIM-Signature: ... d=example.com; ...

Compare with the From header:

From: user@example.com

If they don't match:

  1. Configure custom domain signing in your email service
  2. Or switch to relaxed alignment in your DMARC record
  3. Or send from the domain that matches your DKIM signature
