It's time to define another email technology-related term for the DELIVTERMS series here on Spam Resource. Today, what we'll tackle is alignment, something very near and dear to my own heart, as it is such an important component of email authentication success.

Alignment (formally, "identifier alignment") is defined in section 3.1 of RFC 7489, the document that specifies DMARC. It refers to the required relationship between the domain in the visible From header (the RFC5322.From domain) and the domains that SPF and DKIM actually authenticate.

The goal of alignment is to ensure that the domain the recipient sees in the "From" header of an email is the same domain (or, in relaxed mode, the same organizational domain) that passed the underlying SPF and/or DKIM authentication check. This closes a significant loophole in SPF and DKIM used alone (i.e., without DMARC): each protocol authenticates an identifier the recipient never sees, the envelope sender for SPF and the signing domain for DKIM, so an attacker could pass those checks with a domain they control while displaying a different, spoofed domain in the visible "From" field.

How Alignment Works

For an email to be considered DMARC-aligned (and thus pass DMARC), at least one of the following two identifiers must both pass its own authentication check and align with the visible "From" domain:
  • SPF Alignment: For SPF (Sender Policy Framework) alignment, the domain in the visible "From" header (the one the recipient sees) must match the domain of the RFC5321.MailFrom address (also known as the Envelope From, which the receiving server records in the "Return-Path" header). This is the identifier SPF evaluates, and SPF must have returned "pass" for it; an aligned domain whose SPF check failed does not help.
  • DKIM Alignment: For DKIM (DomainKeys Identified Mail) alignment, the domain in the visible "From" header must match the domain in the d= tag of a DKIM-Signature header that verified successfully. The d= tag identifies the domain responsible for the signature; a message may carry several signatures, and only one of them needs to verify and align.
In a perfect world, you'd always want both SPF and DKIM to "align" with your visible From domain. This is solid "belt and suspenders" methodology to ensure that email authenticates properly even if one of the two checks fails (for example, SPF commonly breaks when a message is forwarded, while a DKIM signature usually survives). It is common, however, for certain email platforms not to allow SPF alignment, typically because those platforms set their own domain in the envelope from (Return-Path) in order to capture and properly log failed delivery attempts (i.e. bounce processing). Mail from such a platform can still pass DMARC, but only through DKIM.

Strict vs. Relaxed Alignment

DMARC allows domain owners to choose between two alignment modes for SPF and DKIM, which are set using the aspf and adkim tags in the DMARC record. If a tag is absent, the mode defaults to relaxed:
  • Relaxed (aspf=r / adkim=r): The organizational domains must match. For example, a DKIM d=mail.example.com aligns with a visible From of example.com, because both share the organizational domain example.com. This lets subdomains be used for authentication while the main domain is visible in the From header. (RFC 7489 derives the organizational domain using the public suffix list, so for a From of user@example.co.uk the organizational domain is example.co.uk, not co.uk.)
  • Strict (aspf=s / adkim=s): The domains must be an exact match (e.g., mail.example.com must match mail.example.com). This is more restrictive and offers tighter control, at the cost of breaking alignment for any mail stream that authenticates with a subdomain.
It is common for email sending platforms to offer only "relaxed" alignment for SPF, while being able to offer "strict" alignment for DKIM. Before switching either tag to strict, check your DMARC aggregate reports to confirm that every legitimate stream already authenticates with the exact From domain.
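To make the two alignment checks and the relaxed/strict distinction concrete, here is a small alignment evaluator written for this post; it is an added example, not code from Spam Resource or from any DMARC implementation. It approximates the organizational domain as the last two labels (a stated simplification: a real implementation consults the public suffix list, as RFC 7489 section 3.2 requires), and it takes the SPF and DKIM verification results as inputs, since the point here is the alignment step rather than the cryptographic checks. The sample headers and DMARC records are constructed to show the ESP scenario described above: DKIM signed with a subdomain of the customer's domain, MAIL FROM set to the platform's own bounce domain.

```python
"""Added example, not Spam Resource's own code: a minimal DMARC identifier
alignment check in the spirit of RFC 7489 section 3.1.

Assumptions that are not in the original post:
- The organizational domain is approximated as the last two labels. That is
  wrong for multi-label public suffixes such as co.uk; a real implementation
  consults the Public Suffix List.
- SPF and DKIM verification results are supplied by the caller; this code
  only decides whether the authenticated identifiers align with the
  RFC5322.From domain and whether DMARC therefore passes.
"""
from email.utils import parseaddr


def organizational_domain(domain: str) -> str:
    """Approximate organizational domain (assumption: two trailing labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_header_domain(from_header: str) -> str:
    """Domain of the RFC5322.From address, e.g. 'example.com'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def parse_tags(value: str) -> dict:
    """Parse 'k=v; k=v' tag lists as used by DMARC records and DKIM-Signature."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def is_aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def dmarc_evaluate(from_header, mail_from, spf_result,
                   dkim_signature, dkim_result, dmarc_record):
    """Return which identifiers align and whether the message passes DMARC."""
    from_domain = from_header_domain(from_header)
    record = parse_tags(dmarc_record)
    aspf = record.get("aspf", "r")    # RFC 7489 default is relaxed
    adkim = record.get("adkim", "r")

    # SPF-authenticated identifier: the domain of RFC5321.MailFrom.
    # It only counts if SPF itself returned "pass" for that domain.
    spf_domain = mail_from.rpartition("@")[2]
    spf_aligned = spf_result == "pass" and is_aligned(from_domain, spf_domain, aspf)

    # DKIM-authenticated identifier: the d= tag of a signature that verified.
    dkim_domain = parse_tags(dkim_signature).get("d", "")
    dkim_aligned = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, adkim)

    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


# Constructed sample (not a real message): an ESP signs with a subdomain of the
# customer's domain but uses its own bounce domain in MAIL FROM.
FROM_HEADER = '"Example News" <news@example.com>'
MAIL_FROM = "bounce-123@bounces.esp-platform.example"
DKIM_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.com; s=sel1; "
            "h=from:to:subject; bh=BODYHASH; b=SIGNATURE")

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=reject", "v=DMARC1; p=reject; adkim=s"):
        print(rec, "->", dmarc_evaluate(FROM_HEADER, MAIL_FROM, "pass",
                                        DKIM_SIG, "pass", rec))
```

With the default relaxed modes the message passes DMARC on DKIM alone, even though SPF passed for a domain that does not align. Adding adkim=s to the record turns that same message into a DMARC failure, because mail.example.com is no longer an acceptable match for example.com; that is exactly the kind of breakage to look for in aggregate reports before tightening the tags.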

The Whole Point of DMARC

By enforcing alignment, DMARC ensures that if an email appears to come from your domain, it was actually sent by a system authorized to send on behalf of that specific domain, and it lets you tell receivers what to do with mail that is not (p=quarantine or p=reject). That effectively blocks spoofing of your exact domain at receivers that honor your policy. It does nothing about lookalike domains, which are not yours to publish a policy for, and a p=none policy only reports, so the protection is only as strong as the policy you publish.

TL;DR? Alignment is a big part of the magic that allows DMARC to work successfully to enhance trust in email.