Quick Answer

DKIM alignment checks whether the domain in the DKIM signature (d=) matches the domain in the From header. Relaxed alignment (adkim=r) requires only the organizational domain to match—mail.example.com aligns with example.com. Strict alignment (adkim=s) requires exact domain match. Relaxed is the default and recommended for most setups.

DKIM Alignment in DMARC: Relaxed vs Strict Explained

By Braedon · Mailflow Authority · Email Authentication · Updated 2026-03-31

How DKIM Alignment Works

DMARC doesn't just check if DKIM passes—it checks if DKIM aligns with the From header domain.

The alignment check:

  1. What domain signed the email? (the d= value in DKIM-Signature)
  2. Does that match the From header domain?

Without alignment, a valid DKIM signature doesn't prove the From domain authorized the message.

DKIM Signature vs From Domain

Every DKIM-signed email has these two domains:

DKIM-Signature header:

DKIM-Signature: v=1; a=rsa-sha256; d=sendgrid.net; s=s1; ...

The d=sendgrid.net is the signing domain.

From header:

From: [email protected]

The From domain is example.com.

In this case:

  • DKIM passes (signature is valid)
  • DKIM alignment fails (sendgrid.net ≠ example.com)

Relaxed vs Strict Alignment

Relaxed Alignment (adkim=r)

Domains must share the same organizational domain:

DKIM d=          | From Domain           | Aligned?
-----------------|-----------------------|---------
example.com      | example.com           | Yes
mail.example.com | example.com           | Yes
example.com      | marketing.example.com | Yes
sendgrid.net     | example.com           | No

Relaxed alignment is the default if you don't specify adkim= in your DMARC record.

Strict Alignment (adkim=s)

Domains must match exactly:

DKIM d=               | From Domain           | Aligned?
----------------------|-----------------------|---------
example.com           | example.com           | Yes
mail.example.com      | example.com           | No
marketing.example.com | marketing.example.com | Yes

To enable strict alignment:

v=DMARC1; p=reject; adkim=s; rua=mailto:[email protected]

Practitioner note: I've only recommended strict DKIM alignment twice in hundreds of client engagements—both were financial institutions with specific regulatory requirements. For everyone else, relaxed alignment works fine and avoids subdomain headaches.

Why DKIM Alignment Fails

Cause 1: ESP Signs with Their Domain

By default, some ESPs sign with their own domain:

DKIM-Signature: d=sendgrid.net; ...
From: [email protected]

Fix: Enable custom DKIM signing in your ESP. You add DKIM records to your DNS, and the ESP signs with your domain instead.

Cause 2: Subdomain Mismatch (Strict Mode)

If using strict alignment:

DKIM-Signature: d=mail.example.com; ...
From: [email protected]

This fails strict alignment even though both are under example.com.

Fix: Either use relaxed alignment (recommended) or ensure the DKIM signing domain exactly matches the From domain.

Cause 3: No DKIM Configured

Email isn't DKIM-signed at all:

Authentication-Results: dkim=none

No signature means nothing to align.

Fix: Configure DKIM signing in your ESP.

Checking Alignment

In Email Headers

Find the DKIM-Signature and From headers:

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=google; ...
From: [email protected]

Compare d=example.com with [email protected]. Same organizational domain = aligned (relaxed).
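The header comparison above, for both relaxed and strict modes, as an added example that is not part of the original article. The PUBLIC_SUFFIXES set is a small stand-in for the Public Suffix List, the sample message is constructed, and the code checks alignment only, not whether a signature verifies.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a tiny stand-in for the Public Suffix List. Production code
# should load the real list to find organizational domains.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed sample message (signature values elided on purpose).
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=sendgrid.net; s=s1; bh=...; b=...
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com; s=k1; bh=...; b=...
From: Billing <billing@example.com>
Subject: constructed sample

body
"""

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no suffix is known

def dkim_domains(msg):
    """Return the d= value of every DKIM-Signature header on the message."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dict(
            (k.strip(), v.strip())
            for k, _, v in (t.partition("=") for t in sig.split(";"))
        )
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains

def dkim_alignment(raw_message, adkim="r"):
    """Map each signing domain to True/False for the given adkim mode."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if adkim == "s":  # strict: exact match
        return {d: d == from_domain for d in dkim_domains(msg)}
    # relaxed: same organizational domain
    target = org_domain(from_domain)
    return {d: org_domain(d) == target for d in dkim_domains(msg)}
```

A message can carry several signatures; DMARC's DKIM check needs only one that both verifies and aligns, so a receiver treats the ESP's own signature as harmless extra.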

In DMARC Reports

Aggregate reports show alignment results:

<policy_evaluated>
  <dkim>pass</dkim>
  <spf>fail</spf>
</policy_evaluated>
<auth_results>
  <dkim>
    <domain>example.com</domain>
    <result>pass</result>
  </dkim>
</auth_results>

If policy_evaluated shows <dkim>pass</dkim>, DKIM passed and aligned. If it shows fail while the auth_results DKIM result is pass, the raw DKIM signature passed but didn't align with From.

Using DMARC Report Tools

  • dmarcian: Shows alignment status per source
  • Postmark DMARC: Weekly digest includes alignment results
  • EasyDMARC: Visual alignment reporting

Configuring ESP for DKIM Alignment

To achieve alignment, your ESP must sign with your domain (not theirs).

SendGrid

  1. Settings → Sender Authentication
  2. Authenticate your domain
  3. Add CNAME records to your DNS
  4. SendGrid signs with your domain

Mailgun

  1. Sending → Domains
  2. Add your domain
  3. Add DNS records
  4. Enable DKIM signing

Google Workspace

  1. Admin Console → Apps → Gmail
  2. Authenticate email → Generate new record
  3. Add TXT record to DNS
  4. Start authentication

Microsoft 365

  1. Microsoft 365 Defender
  2. DKIM settings
  3. Enable for your domain
  4. Add CNAME records

After configuration, emails should show:

DKIM-Signature: d=yourdomain.com; ...

When Both SPF and DKIM Fail Alignment

DMARC passes if either SPF or DKIM aligns. If both fail alignment, DMARC fails:

SPF              | DKIM             | DMARC
-----------------|------------------|------
Pass, aligned    | Pass, aligned    | Pass
Pass, aligned    | Fail/not aligned | Pass
Fail/not aligned | Pass, aligned    | Pass
Fail/not aligned | Fail/not aligned | Fail

This is why configuring both properly matters—they back each other up. See the email authentication guide for the complete setup.

Practitioner note: When diagnosing "DMARC is failing," I check alignment before anything else. Nine times out of ten, SPF or DKIM passed but didn't align. The fix is usually enabling custom domain signing in the ESP.

Relaxed vs Strict: The Decision

Use Relaxed (adkim=r) when:

  • You send from multiple subdomains
  • You use ESPs that sign with your root domain
  • You want maximum compatibility
  • You have no regulatory requirement for strict

Use Strict (adkim=s) when:

  • Security policy requires it
  • You only send from exact domain matches
  • You've validated all senders use exact domain signing

Recommendation: Start with relaxed. Switch to strict only if you have a specific reason and have validated your entire email ecosystem.

If you're seeing DKIM alignment failures and need help configuring your ESPs for proper domain signing, schedule a consultation.

Sources

  • RFC 7489: Domain-based Message Authentication (DMARC)
  • RFC 6376: DomainKeys Identified Mail (DKIM)
  • dmarcian: DKIM Alignment
  • Google: About DKIM

v1.0 · March 2026

Frequently Asked Questions

What is DKIM alignment in DMARC?

DKIM alignment verifies that the domain used in the DKIM signature (d= parameter) matches the domain in the visible From header. Without alignment, DKIM can pass but DMARC still fails because the signature doesn't prove the From domain authorized the sender.

What's the difference between relaxed and strict DKIM alignment?

Relaxed (adkim=r) allows subdomains to align—marketing.example.com signature aligns with example.com From. Strict (adkim=s) requires exact match—marketing.example.com doesn't align with example.com.

Why is DKIM passing but DMARC failing?

The DKIM signature domain (d=) doesn't align with your From domain. Common cause: ESP signs with their domain instead of yours. Configure custom DKIM signing with your domain in the ESP settings.

Should I use relaxed or strict DKIM alignment?

Use relaxed (adkim=r) unless you have specific security requirements. Relaxed handles legitimate subdomain sending patterns. Strict provides marginally more protection but causes problems with subdomains.

How do I check DKIM alignment?

Check email headers: compare 'd=' in DKIM-Signature to the From address domain. Or use DMARC aggregate reports—they show whether DKIM aligned for each sending source.
