SPF and DKIM Alignment: What are they and why do they matter?

If you have implemented DMARC for your email sending domain, the spec requires that your messages either pass "SPF alignment" or "DKIM alignment." Here's what those are and why they are important (and why you should always do both).

SPF alignment is where the mail you send has a return-path domain (aka the sender domain or bounce domain) that matches your from address domain. A DMARC record uses the "aspf" setting to govern how tightly this is checked. If you do not include the "aspf" setting (and you don't need to), then the default "relaxed" setting will be applied.


If the domains match, then you've successfully passed the SPF alignment check. If the domains do not match, then you've failed the SPF alignment check.

What counts as a match? Here's both relaxed and strict examples:

This is a successful relaxed SPF-aligned set of headers:
Return-Path: bounce-12345@bounce.spamresource.com
From: newsletter@spamresource.com
This matches because both the return-path (bounce) domain and from domain are part of the same domain (spamresource.com). Because it is the relaxed (default) setting, a subdomain match is close enough (bounce.spamresource.com matching spamresource.com).

If your DMARC record includes "aspf=s" (strict) then the domains have to match exactly. The above example would fail SPF alignment because "bounce.spamresource.com" does not exactly match "spamresource.com."

This is a successful strict SPF-aligned set of headers:
Return-Path: newsletter@spamresource.com
From: newsletter@spamresource.com
This matches because both the return-path (bounce) domain and from domain are the exact same domain (spamresource.com).

This would fail the "SPF alignment" test:
Return-Path: bounce-12345@bounce.spamresource.com
From: newsletter@wombatmail.com
This would fail either a strict and/or relaxed (default) SPF alignment check, because "spamresource.com" and "wombatmail.com" are different domains.

That's SPF alignment. Now, let's review DKIM alignment.

DKIM alignment is a bit simpler. Successful DKIM alignment means that your DKIM "d=" domain (the domain you're signing for with a DKIM signature) exactly matches the domain used in your from address. Here's an example of a header snippet that shows that the DKIM "d=" domain is xnnd.com and the domain in the from address is also xnnd.com. This message passes the DKIM alignment check.

Authentication-Results: happydance.xnnd.com; dkim=pass
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=xnnd.com; s=x; t=1567713062; bh=Zw/RlvF6ULJHFKg+HQrAUB5/DtCqJwS50FJKVwCDlhQ=; h=Date:Reply-to:List-Unsubscribe:List-Id:From:Subject:To:From; b=VluvorKp...(etc.)
From: newsletter@xnnd.com

The DKIM and SPF alignment checks don't show up in Gmail (or other ISP's) authentication results directly, but you can infer them by looking for DMARC failures and manually reviewing the header settings to see if either DKIM or SPF fail to align.

To pass DMARC, only one of these have to pass. So even if your return-path domain doesn't match your from domain -- meaning you fail the SPF alignment check -- if your DKIM signature aligns, you'd pass DMARC.

Still, in my opinion, it's very much best practice to ensure messages comply with both SPF and DKIM alignment requirements. If you don't, I think you'll see an elevated number of bounces due to DMARC failures. 

There are a couple of reasons why. First, various email filters clobber or don't always check DKIM signatures. A clobbered DKIM signature -- most likely seen as a "body hash did not verify" authentication error, means some intermediate or receiving mail server changed something in the email message, and whatever they changed was a field or content area protected (signed) by the DKIM signature. If you change the message, the DKIM signature is no longer valid. That's the point of DKIM -- providing proof that a message was not modified after the sender initiated it. Or in this case, providing proof that it was modified and thus, the signature can no longer be trusted.

If you don't have SPF alignment in place, but do have DKIM alignment in place, if something happens to invalidate that DKIM signature, then all you have left is the SPF alignment check. Your message won't pass it, and the message will fail DMARC, and may be rejected.

If you do have SPF alignment in place, but don't have DKIM alignment properly configured (or don't have DKIM in place at all), this is almost better than the reverse. These messages will pass SPF, and have proper SPF alignment in place, and they'll pass DMARC. Except in the case of email forwarding. Email forwarding is incompatible with SPF; SPF is based on checking the IP address of the "last hop" (most recent) mail server, and if mail is forwarded, it adds additional hops, and now the receiving mail server is no longer checking the correct IP address. Those messages will fail SPF, and the lack of DKIM alignment and/or lack of a DKIM signature will make the messages fail DMARC. These messages are also likely to be rejected.

Mail forwarding isn't easy in a world with DMARC. Thankfully, most folks have figured that out and don't blindly forward messages in ways that are incompatible with DMARC. But there are still a lot of legacy systems out there-- not everybody is up to date or considers DMARC compatibility to be a top priority. So you will see occasional issues due to this.
DMARC can be complex, but don't be afraid. My point here being that I do think you should implement DMARC to help protect your domain from unauthorized use. I just think you should do it ONLY if you can also ensure that the mail you send will pass both SPF alignment and DKIM alignment, to protect against these potential failure points.

No comments:

Post a Comment

Comments policy: Al is always right. Kidding, mostly. Be polite, and you're welcome to join in, even if it's a differing viewpoint.