When it comes to email security, two terms you might come across are DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). But what do these mean, and how do they work together? Let’s break it down.
What is DKIM?
DKIM is a way of checking that an email really was sent by the domain it claims to be from and hasn’t been tampered with on the way. It does this by adding a digital signature to the email, which can be checked by the person receiving the email.
How Does DMARC Use DKIM?
DMARC uses DKIM to check the ‘From’ domain in the email. It can do this in two ways: ‘strict’ mode or ‘relaxed’ mode (set with the ‘adkim’ tag in the domain’s DMARC record). These aren’t related to DKIM’s own ‘simple’ and ‘relaxed’ modes, which are canonicalization settings describing how the headers and body are normalized before signing and verification.
In relaxed mode, DMARC checks that the organizational domains of the DKIM-authenticated signing domain (taken from the ‘d=’ tag in the signature) and the ‘From’ domain are the same. An organizational domain is the domain that was registered with a domain name registrar; DMARC works it out using a public suffix list, so that public suffixes such as ‘com’ or ‘co.uk’ are never treated as organizational domains.
In strict mode, DMARC checks for an exact match between the fully qualified domain names (FQDNs) of the DKIM-authenticated signing domain and the ‘From’ domain. A fully qualified domain name is the complete domain name for a specific computer or host on the internet.
Examples
Let’s say you receive an email whose ‘From’ address is in the domain ‘news.example.com’, and the DKIM signature verifies with a ‘d=’ domain of ‘example.com’.
In relaxed mode, DMARC would consider the DKIM domain and the ‘From’ domain to be ‘in alignment’, because the organizational domains (‘example.com’) are the same.
In strict mode, this test would fail, because the ‘d=’ domain (‘example.com’) doesn’t exactly match the ‘From’ domain (‘news.example.com’).
In either mode, a DKIM signature with a ‘d=’ value of ‘com’ would never be considered ‘in alignment’, because ‘com’ is a top-level domain and can’t be an organizational domain.
Why is Identifier Alignment Important?
Identifier Alignment is important because an email can have a valid signature from any domain, including domains used by a mailing list or even a bad actor. So, just having a valid signature isn’t enough to prove that the ‘From’ domain is genuine.
It’s also worth noting that a single email can have multiple DKIM signatures, and DMARC will consider the DKIM check a ‘pass’ if at least one of those signatures both verifies and is aligned with the ‘From’ domain.
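The alignment rules from the examples above and the multiple-signature note, worked through as an added example written for this article (not code from the article or from any DMARC library). It assumes a tiny constructed stand-in for the Public Suffix List; a real verifier would load the full list.

```python
# Added example: DMARC identifier alignment for DKIM (relaxed vs strict).
# This is illustrative code written for this article, not a DMARC library.
from typing import Iterable, Optional

# Constructed stand-in for the Public Suffix List (assumption: only these
# suffixes exist). A real verifier loads the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(fqdn: str) -> Optional[str]:
    """Return the organizational (registrable) domain of an FQDN, or None if
    the name is itself a public suffix such as 'com', which can never be one."""
    labels = fqdn.lower().rstrip(".").split(".")
    # Walk from the full name down to the last label so the longest matching
    # public suffix wins; the organizational domain is that suffix plus one label.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None  # no known suffix: cannot determine an organizational domain


def dkim_aligned(from_domain: str, d_domain: str, mode: str = "relaxed") -> bool:
    """Alignment between the 'From' domain and a verified signature's d= domain.
    mode is 'relaxed' or 'strict', matching DMARC's adkim setting."""
    from_domain = from_domain.lower().rstrip(".")
    d_domain = d_domain.lower().rstrip(".")
    if mode == "strict":
        return from_domain == d_domain  # exact FQDN match required
    org_from = organizational_domain(from_domain)
    org_d = organizational_domain(d_domain)
    # A d= that is only a public suffix yields None and therefore never aligns.
    return org_from is not None and org_from == org_d


def dmarc_dkim_result(from_domain: str, verified_d_domains: Iterable[str],
                      mode: str = "relaxed") -> bool:
    """DMARC's DKIM check passes if any verified signature's d= is aligned.
    Only d= values from signatures that actually verified belong in the input."""
    return any(dkim_aligned(from_domain, d, mode) for d in verified_d_domains)


if __name__ == "__main__":
    # The article's example: 'From' at news.example.com, signature d=example.com
    print(dkim_aligned("news.example.com", "example.com", "relaxed"))  # True
    print(dkim_aligned("news.example.com", "example.com", "strict"))   # False
    print(dkim_aligned("news.example.com", "com", "relaxed"))          # False
```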