When we talk about email security, one term that often comes up is ‘Identifier Alignment’. But what does this mean in simple terms? Let’s break it down.
What is Identifier Alignment?
Email security technologies check different parts of an email to make sure it’s genuine. For example, DKIM (DomainKeys Identified Mail) checks the domain that added a signature to the email, while SPF (Sender Policy Framework) can check the domain in the SMTP ‘MAIL FROM’ command, the domain given in the SMTP HELO/EHLO greeting, or both. These might be different domains, and they’re usually not visible to the person receiving the email.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) checks the ‘From’ domain in the email by making sure it matches an Authenticated Identifier. The ‘From’ domain was chosen because it’s always present in proper emails, and most email programs show the ‘From’ field as the sender of the email.
This field is what people use to identify who sent the email, so it’s often targeted for abuse. Many well-known email sources, like email service providers, require that the sender has been authenticated before an email can be sent. So, for these email sources, DMARC provides strong evidence that the email really was sent by the person or organization it claims to be from, if the person receiving the email knows that these protections are in place.
How Does Identifier Alignment Work?
When comparing domain names in this context, they are compared in a case-insensitive manner, meaning ‘EXAMPLE.COM’ and ‘example.com’ would be considered the same.
It’s important to note that Identifier Alignment can’t happen with an email that isn’t valid, particularly one with a missing or repeated ‘From’ field, as there’s no reliable way to apply a DMARC policy to the email. DMARC only works with valid emails, and handling invalid emails is outside of its scope.
Each of the underlying authentication technologies that DMARC uses yields an authenticated domain as its output when it succeeds. From DMARC’s perspective, each can be operated in a ‘strict’ mode or a ‘relaxed’ mode. A domain owner would normally choose strict mode if they wanted DMARC to only apply to emails with a ‘From’ domain that exactly matches the domains those mechanisms will check. Relaxed mode can be used when the operator also wants DMARC to apply to emails from subdomains of the verified domains.
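The alignment check described above, as an added example that is not part of the original page: it compares the ‘From’ domain with the DKIM and SPF authenticated domains in strict or relaxed mode, and refuses messages with a missing or repeated ‘From’ field. Relaxed mode is implemented the way RFC 7489 defines it (both domains share the same organizational domain); the tiny suffix set standing in for the Public Suffix List, the function names and the sample message are assumptions of this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption of this example).
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to two labels

def aligned(from_dom, auth_dom, mode="relaxed"):
    """Case-insensitive comparison of the From domain with an authenticated domain."""
    a, b = from_dom.lower().rstrip("."), auth_dom.lower().rstrip(".")
    if mode == "strict":
        return a == b                      # exact match only
    return org_domain(a) == org_domain(b)  # relaxed: same organizational domain

def header_from_domain(raw_message):
    """Domain of the single From field, or None if From is missing or repeated."""
    headers = message_from_string(raw_message).get_all("From") or []
    if len(headers) != 1:
        return None
    addr = parseaddr(headers[0])[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def evaluate(raw_message, dkim_domain=None, spf_domain=None,
             dkim_mode="relaxed", spf_mode="relaxed"):
    """Alignment result per mechanism; None when the message is out of scope."""
    from_dom = header_from_domain(raw_message)
    if from_dom is None:
        return None
    return {
        "from": from_dom,
        "dkim": dkim_domain is not None and aligned(from_dom, dkim_domain, dkim_mode),
        "spf": spf_domain is not None and aligned(from_dom, spf_domain, spf_mode),
    }

# Constructed sample message and authentication results.
SAMPLE = "From: Alice <alice@News.Example.COM>\nTo: bob@example.org\n\nhello\n"

if __name__ == "__main__":
    print(evaluate(SAMPLE, dkim_domain="example.com", spf_domain="bounce.mailer.org"))
    print(evaluate(SAMPLE, dkim_domain="example.com", dkim_mode="strict"))
    print(evaluate("From: a@example.com\nFrom: b@example.org\n\nx\n"))
```

A production check would load the full Public Suffix List instead of the three-entry set used here.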