Quick Answer

DKIM alignment is the DMARC rule that the d= signing domain in the DKIM-Signature header must match (or share an organizational domain with) the domain in the From: header. Relaxed alignment (the default) accepts organizational-domain matches (mail.acme.com aligns with acme.com). Strict alignment requires exact domain match. Without alignment, even a passing DKIM signature does not satisfy DMARC.

DKIM Alignment Explained: How DMARC Uses It

By Braedon · Mailflow Authority · Email Authentication · Updated 2026-05-16

DKIM alignment is the rule that catches most senders off guard the first time they set up DMARC. They configure DKIM, see "dkim=pass" in the Authentication-Results header, then watch DMARC fail anyway. The reason is almost always alignment: DKIM signed the message, but with the wrong domain.

This guide explains exactly how DKIM alignment works, when relaxed vs strict matters, and how to fix the most common alignment failures.

What alignment actually means

DKIM authentication is one question: did the message arrive with a signature that verifies against the public key published in DNS for the signing domain? If yes, DKIM passes.

DMARC alignment is a separate question: does the domain that signed the message match the domain in the visible From: header?

The two are independent. A message can have a perfectly valid DKIM signature that is not aligned. From the receiver's perspective, "valid signature from a third party" doesn't prove the From: identity isn't spoofed.

Concrete example. A message:

DKIM passes (the signature is cryptographically valid). DKIM alignment fails (the signing domain is sendgrid.net, not acme.com). DMARC therefore cannot pass via the DKIM path.

Relaxed vs strict alignment

DMARC defines two alignment modes for DKIM, controlled by the adkim tag in the DMARC record:

| Mode | adkim value | Rule | Example |
| --- | --- | --- | --- |
| Relaxed | r (default) | Organizational domain must match | d=mail.acme.com aligns with From: [email protected] |
| Strict | s | Exact domain match required | d=mail.acme.com aligns only with From: [email protected] |

Relaxed alignment uses the Public Suffix List to determine the organizational domain. Anything under the same registrable domain (acme.com) aligns regardless of subdomain.

Strict alignment is rare. Use it only if you have a specific compliance reason — most operational DKIM setups use relaxed.

The same modes apply to SPF alignment via the aspf tag. DMARC passes if either SPF or DKIM aligns; you do not need both.

Practitioner note: I default new DMARC records to adkim=r; aspf=r (relaxed for both). The exceptions are sufficiently rare that I'd rather decide explicitly to tighten than discover later that strict alignment broke a legitimate sender's mail.

How to verify alignment

Look at the message headers of a delivered message. Two key fields:

From: [email protected]
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=marketing-202605;
       spf=pass smtp.mailfrom=bounces.example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com

The Authentication-Results header tells you both the DKIM result and the d= domain used (the [email protected] line). Compare it to the organizational domain of the From: header.

You can also use Mailhardener, Dmarcian, or Postmark's DMARC monitoring to see alignment statistics rolled up across all senders.

Common alignment failures

ESP signs with its own domain. The fix is to enable sender authentication / branded sending on the ESP. Each ESP names this differently:

| ESP | Setting name |
| --- | --- |
| SendGrid | Sender Authentication (Domain Authentication) |
| Mailgun | Domain verification with DKIM |
| Klaviyo | Dedicated Sending Domain |
| Mailchimp | Domain authentication |
| HubSpot | Email sending domain |
| Constant Contact | Self-Authentication |

Until you complete sender authentication on the ESP, DKIM will sign with the ESP's domain and alignment will fail.

On-prem Exchange signs with the wrong domain. Configure the Exchange DKIM agent per accepted domain. Don't share one selector across multiple sending domains.

Email service forwards messages and breaks alignment. Mailing lists and forwarding services frequently break alignment by rewriting headers or adding content to the body. ARC (Authenticated Received Chain) was designed for this case — see ARC sealing explained.

Subdomain From: but root-domain signing. With relaxed alignment, this works fine (mail.acme.com From aligns with acme.com signing). With strict alignment, it fails. If you've set adkim=s and use subdomains for sending, switch to relaxed.

Practitioner note: Half the alignment failures I see during audits are ESPs that completed "domain verification" but never finished branded sending. The DKIM record exists in DNS, but the ESP is still signing with its default domain. Verify by sending a real message and reading the actual DKIM-Signature header — don't trust the ESP's UI.

Alignment for DMARC pass logic

DMARC passes if at least one of:

  • SPF aligned and passing — the Return-Path (envelope from) domain organizationally matches the From: domain, and SPF passed
  • DKIM aligned and passing — the d= domain organizationally matches the From: domain, and DKIM passed

You only need one. In practice, DKIM alignment is more robust because:

  • SPF breaks when mail is forwarded (Return-Path changes)
  • DKIM signatures survive forwarding (until something modifies the body)
  • DKIM is harder to spoof through misconfigured shared infrastructure

This is why I tell clients to prioritize getting DKIM alignment right first, then SPF as a secondary check.
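The header check from "How to verify alignment" and the pass logic above, combined into one added example (not code from the original article). It assumes a tiny stand-in suffix set in place of the real Public Suffix List, and the two sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# ASSUMPTION: tiny stand-in for the Public Suffix List; load the real PSL in production.
SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Registrable domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' compares organizational domains, 's' requires an exact match."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(raw, adkim="r", aspf="r"):
    """Recompute DMARC alignment from From: and the receiver's Authentication-Results."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    results = " ".join(str(msg["Authentication-Results"]).split())  # unfold header
    dkim_ok = spf_ok = False
    for clause in results.split(";"):
        if re.match(r"\s*dkim=pass\b", clause):
            # Receivers report the signing domain as header.d= or header.i=@domain
            d = re.search(r"header\.(?:d=|i=[^\s@]*@)([\w.-]+)", clause)
            dkim_ok |= bool(d) and aligned(d.group(1), from_domain, adkim)
        elif re.match(r"\s*spf=pass\b", clause):
            d = re.search(r"smtp\.mailfrom=(?:[^\s@]*@)?([\w.-]+)", clause)
            spf_ok |= bool(d) and aligned(d.group(1), from_domain, aspf)
    return {"from": from_domain, "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok, "dmarc_pass": dkim_ok or spf_ok}

# Constructed sample messages: ESP default signing vs. branded signing.
ESP_SIGNED = ("From: Acme News <news@acme.com>\n"
              "Authentication-Results: mx.example.net;\n"
              " dkim=pass header.i=@sendgrid.net header.s=s1;\n"
              " spf=pass smtp.mailfrom=bounces.sendgrid.net\n\nbody\n")
BRANDED = ("From: news@mail.acme.com\n"
           "Authentication-Results: mx.example.net;\n"
           " dkim=pass header.d=acme.com header.s=marketing-202605;\n"
           " spf=pass smtp.mailfrom=bounces.sendgrid.net\n\nbody\n")
```

Only evaluate an Authentication-Results header that your own receiving server added; a copy supplied by the sender carries no weight. Calling `evaluate(BRANDED, adkim="s")` reproduces the subdomain-From failure described under strict alignment.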

Setting up aligned DKIM correctly

For a typical sender using one or two ESPs:

  1. Enable sender authentication / domain verification on each ESP.
  2. Publish the DKIM TXT (or CNAME) records the ESP gives you.
  3. Send a test message from each ESP to a Gmail account.
  4. Open the message, view the original/headers, and verify:
  5. Repeat for every sending platform on the same domain.

For multi-sender domains, each sender gets its own selector pointing to its own key, all signing with d=yourdomain.com. See DKIM selector examples for the naming pattern.

When alignment can't pass

Some legitimate scenarios where DKIM alignment will fail and you have to accept SPF alignment instead:

  • White-labeled platforms that won't let you change the d= domain
  • Legacy on-prem servers without DKIM signing
  • Old vendors that haven't implemented sender authentication

In these cases, ensure SPF aligns instead. The Return-Path domain must organizationally match your From: domain. Many ESPs let you configure a custom return path for SPF alignment as a fallback.

If you're chasing DMARC failures and want help diagnosing whether the cause is alignment, authentication, or third-party sender mess, book a consultation. DKIM and SPF alignment audits are one of the most common things I run.


v1.0 · May 2026

Frequently Asked Questions

What is DKIM alignment?

DKIM alignment is a DMARC requirement that the signing domain (d= in the DKIM-Signature header) must match the From: header domain. Relaxed alignment accepts organizational-domain matches; strict requires exact match. DKIM can pass authentication on its own without alignment, but for DMARC to pass via DKIM, the signature must both pass and align.

Why does my DKIM pass but DMARC fail?

Almost always an alignment problem. The DKIM signature is valid (the receiver verified the key), but the d= domain doesn't match the From: header organizational domain. Common with ESPs that sign with their own domain instead of yours. Fix by configuring the ESP to sign with d=yourdomain.com via sender authentication.

How do I ensure the From header aligns with either SPF or DKIM?

For DKIM alignment: configure your sending platform's domain authentication so the DKIM signature uses d=yourdomain.com (not the ESP's domain). For SPF alignment: send from a Return-Path that matches your From domain. DMARC passes if either SPF or DKIM aligns — you don't need both.

What's the difference between relaxed and strict DKIM alignment?

Relaxed (adkim=r, the default) lets subdomains align with the organizational domain — mail.acme.com aligns with acme.com. Strict (adkim=s) requires exact match — only mail.acme.com aligns with mail.acme.com. Use relaxed unless you have a specific reason to enforce strict alignment.

Does DKIM alignment need to match exactly?

Under relaxed alignment (default), no — the organizational domain must match but subdomains are allowed. acme.com signing aligns with mail.acme.com From, and vice versa. Under strict alignment, yes — exact match required. The adkim tag in your DMARC record sets which mode applies.
