DKIM Alignment

Security Glossary - Email Authentication

Definition: DKIM alignment means the domain used in the DKIM signature (the d= field) matches the domain in the email's From header. DMARC requires either SPF alignment or DKIM alignment to pass. Strict alignment requires an exact domain match, while relaxed alignment allows subdomains to match the parent domain.

Why You Should Care About DKIM Alignment

DKIM alignment is half of the DMARC authentication check. DMARC passes if either SPF or DKIM is aligned with the From header domain. DKIM alignment specifically means the domain that signed the message (DKIM d= tag) matches the domain the user sees in the From header.

Relaxed alignment (the default) allows a subdomain to align with the parent. If your email is from user@example.com and DKIM signs with d=mail.example.com, relaxed alignment considers this a match. Strict alignment requires an exact match: for mail from user@example.com, only d=example.com aligns.

Alignment failures are a common cause of DMARC failures for otherwise authenticated email. This happens when an email service signs with its own domain (d=sendgrid.net) instead of yours (d=yourdomain.com). Most email services support custom DKIM signing domains - configure this to align DKIM with your From domain.

Checking Your Setup

A DNS health checker verifies DKIM records and evaluates alignment potential. Send test emails and check the Authentication-Results header for dkim=pass and dmarc=pass with alignment. If DKIM passes but DMARC fails, you likely have an alignment problem.
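
The header check described above can be scripted. The following is an added example, not part of the original glossary entry: it reads the From and Authentication-Results headers of a message and reports whether any passing DKIM signature aligns under relaxed or strict mode. It assumes the receiver reports the signing domain as header.d=, and it uses a small constructed stand-in for the Public Suffix List; the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List, enough for the samples.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed sample: the provider signed with its own domain, so DKIM passes but is unaligned.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=sendgrid.net header.s=s1;
 spf=pass smtp.mailfrom=bounce.sendgrid.net;
 dmarc=fail header.from=yourdomain.com
From: Alice <alice@yourdomain.com>
Subject: test

body
"""

def org_domain(domain):
    """Organizational domain: the longest known public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback (assumption) for suffixes not listed

def dkim_aligned(from_domain, d, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    from_domain, d = from_domain.lower(), d.lower()
    if mode == "s":
        return from_domain == d
    return org_domain(from_domain) == org_domain(d)

def check_message(raw, mode="r"):
    """Return (From domain, d= domains with dkim=pass, any of them aligned?)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    results = " ".join(msg.get_all("Authentication-Results", []))
    # Only signatures that verified (dkim=pass) can count toward alignment.
    passing = re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results)
    return from_domain, passing, any(dkim_aligned(from_domain, d, mode) for d in passing)

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

Only trust Authentication-Results headers added by your own receiving server; copies inserted upstream can be forged.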

Questions and Answers

What is the difference between relaxed and strict alignment?

Relaxed alignment allows a subdomain match (mail.example.com aligns with example.com). Strict alignment requires an exact match. Most domains use relaxed alignment (the DMARC default) because it is more forgiving while still preventing cross-domain spoofing.

How do I fix DKIM alignment failures?

Configure your email service to sign with your domain (d=yourdomain.com) rather than theirs. Most providers support custom DKIM domains through their admin panel. After configuration, publish the provider's DKIM public key in your DNS.