Email Authentication Identifier Alignments

Excerpt From DMARC Draft:


Email authentication technologies authenticate various (and disparate) aspects of an individual message. For example, DKIM authenticates the domain that affixed a signature to the message, while SPF authenticates the domain that appears in the RFC5321.MailFrom portion of SMTP. The DMARC mechanism introduces the concept of Identifier Alignment to address the possible discrepancy of Authenticated Identifiers supplied by underlying authentication technologies.

DMARC uses the RFC5322.From domain to tie together Authenticated Identifiers. The selection of the RFC5322.From domain as the central identity of the DMARC mechanism is due to the ubiquity of this identity and the behavior of most MUAs to represent the RFC5322.From field as the originator of the message and to render some or all of this header's content to end users.

To be considered "in alignment" for the purposes of the DMARC mechanism, implementers MUST observe the considerations described in the following sections. Domain names in this context are to be compared in a case-insensitive manner.

Enough with the Technical Jargon, in English Please.


Basically, the excerpt above explains that email servers take two different modes into account when evaluating SPF and DKIM alignment: relaxed and strict. Both checks take the domain of the "From" address (for mailtest@unlocktheinbox.com, that is "unlocktheinbox.com") and compare it to the "Return-path" (envelope sender) for SPF, or to the "d=" tag in the DKIM signature for DKIM.

SPF Strict Identifier Alignment Example


Below is a sample header from an email. Compare the domain in the Return-path header with the domain in the From header (highlighted in red on the original page).
Return-path: <mailtest@unlocktheinbox.com>
Envelope-to: user@domain.com
Delivery-date: Sun, 08 Jul 2012 23:53:18 -0400
Received: from unlocktheinbox.com ([168.144.32.45]:61622
        helo=mail.unlocktheinbox.com)
    	by domain.com with esmtps (TLSv1:AES128-SHA:128)
    	(Exim 4.77)
    	(envelope-from <mailtest@unlocktheinbox.com>)
    	id 1So52B-0003gB-A8
    	for user@domain.com; Sun, 08 Jul 2012 23:53:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
     d=unlocktheinbox.com; s=secure;
     h=from;
     bh=o3fu6xyRMvsfFmwnP6/SlW7vJ99RrE0ChDczpE+HayQ=;
     b=ODihl0g56Upldz3ETsFkFlY5EyPNJecpftbJxQHaBzHVOOzqpr0NaJTEBZ3aOLOR0
     piHemvHGHtVtEM0jH0RUJ2MG22gEuUnXA8No6mqgJEs47P/9APKG45SVy7O1XNpK7
     2dzD8iGgb4aguGwvYMO1lrsv+I7Wtj0J+Ev98b4Xg=
Received: from [168.144.32.46] (VPS9517.ad3.softcom.biz [168.144.32.46])
     by mail.unlocktheinbox.com with SMTP;
     Sun, 8 Jul 2012 23:53:06 -0400
Content-Type: multipart/alternative;
    	boundary="8f11c861-b8a2-41ca-86eb-d8c8c35f649c"
MIME-Version: 1.0
Subject: Your Email Authentication Results!
Message-ID: <1c5d45d9-51f7-4b52-a18b-e9156c5c8a07@unlocktheinbox.com>
Date: Sun, 08 Jul 2012 23:53:06 -0400
From: "Unlock The Inbox" <mailtest@unlocktheinbox.com>
If the two sections highlighted in red match exactly, it is considered SPF Strict Compliance.

DKIM Strict Identifier Alignment Example


Below is a sample header from an email. Compare the domain in the "d=" tag of the DKIM-Signature header with the domain in the From header (highlighted in red on the original page).
Return-path: <mailtest@unlocktheinbox.com>
Envelope-to: user@domain.com
Delivery-date: Sun, 08 Jul 2012 23:53:18 -0400
Received: from unlocktheinbox.com ([168.144.32.45]:61622
        helo=mail.unlocktheinbox.com)
    	by domain.com with esmtps (TLSv1:AES128-SHA:128)
    	(Exim 4.77)
    	(envelope-from <mailtest@unlocktheinbox.com>)
    	id 1So52B-0003gB-A8
    	for user@domain.com; Sun, 08 Jul 2012 23:53:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
     d=unlocktheinbox.com; s=secure;
     h=from;
     bh=o3fu6xyRMvsfFmwnP6/SlW7vJ99RrE0ChDczpE+HayQ=;
     b=ODihl0g56Upldz3ETsFkFlY5EyPNJecpftbJxQHaBzHVOOzqpr0NaJTEBZ3aOLOR0
     piHemvHGHtVtEM0jH0RUJ2MG22gEuUnXA8No6mqgJEs47P/9APKG45SVy7O1XNpK7
     2dzD8iGgb4aguGwvYMO1lrsv+I7Wtj0J+Ev98b4Xg=
Received: from [168.144.32.46] (VPS9517.ad3.softcom.biz [168.144.32.46])
     by mail.unlocktheinbox.com with SMTP;
     Sun, 8 Jul 2012 23:53:06 -0400
Content-Type: multipart/alternative;
    	boundary="8f11c861-b8a2-41ca-86eb-d8c8c35f649c"
MIME-Version: 1.0
Subject: Your Email Authentication Results!
Message-ID: <1c5d45d9-51f7-4b52-a18b-e9156c5c8a07@unlocktheinbox.com>
Date: Sun, 08 Jul 2012 23:53:06 -0400
From: "Unlock The Inbox" <mailtest@unlocktheinbox.com>
If the two sections highlighted in red match exactly, it is considered DKIM Strict Compliance.

SPF Relaxed Identifier Alignment Example


Below is a sample header from an email. Compare the domain in the Return-path header with the domain in the From header (highlighted on the original page).
Return-path: <mailtest@amazing.unlocktheinbox.com>
Envelope-to: user@domain.com
Delivery-date: Sun, 08 Jul 2012 23:53:18 -0400
Received: from unlocktheinbox.com ([168.144.32.45]:61622
        helo=mail.unlocktheinbox.com)
    	by domain.com with esmtps (TLSv1:AES128-SHA:128)
    	(Exim 4.77)
    	(envelope-from <mailtest@unlocktheinbox.com>)
    	id 1So52B-0003gB-A8
    	for user@domain.com; Sun, 08 Jul 2012 23:53:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
     d=unlocktheinbox.com; s=secure;
     h=from;
     bh=o3fu6xyRMvsfFmwnP6/SlW7vJ99RrE0ChDczpE+HayQ=;
     b=ODihl0g56Upldz3ETsFkFlY5EyPNJecpftbJxQHaBzHVOOzqpr0NaJTEBZ3aOLOR0
     piHemvHGHtVtEM0jH0RUJ2MG22gEuUnXA8No6mqgJEs47P/9APKG45SVy7O1XNpK7
     2dzD8iGgb4aguGwvYMO1lrsv+I7Wtj0J+Ev98b4Xg=
Received: from [168.144.32.46] (VPS9517.ad3.softcom.biz [168.144.32.46])
     by mail.unlocktheinbox.com with SMTP;
     Sun, 8 Jul 2012 23:53:06 -0400
Content-Type: multipart/alternative;
    	boundary="8f11c861-b8a2-41ca-86eb-d8c8c35f649c"
MIME-Version: 1.0
Subject: Your Email Authentication Results!
Message-ID: <1c5d45d9-51f7-4b52-a18b-e9156c5c8a07@unlocktheinbox.com>
Date: Sun, 08 Jul 2012 23:53:06 -0400
From: "Unlock The Inbox" <mailtest@awesome.unlocktheinbox.com>
If the sub-domains in the two sections highlighted in orange don't match, this is considered SPF Relaxed Compliance.

DKIM Relaxed Identifier Alignment Example


Below is a sample header from an email. Compare the domain in the "d=" tag of the DKIM-Signature header with the domain in the From header (highlighted on the original page).
Return-path: <mailtest@unlocktheinbox.com>
Envelope-to: user@domain.com
Delivery-date: Sun, 08 Jul 2012 23:53:18 -0400
Received: from unlocktheinbox.com ([168.144.32.45]:61622
        helo=mail.unlocktheinbox.com)
    	by domain.com with esmtps (TLSv1:AES128-SHA:128)
    	(Exim 4.77)
    	(envelope-from <mailtest@unlocktheinbox.com>)
    	id 1So52B-0003gB-A8
    	for user@domain.com; Sun, 08 Jul 2012 23:53:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
     d=amazing.unlocktheinbox.com; s=secure;
     h=from;
     bh=o3fu6xyRMvsfFmwnP6/SlW7vJ99RrE0ChDczpE+HayQ=;
     b=ODihl0g56Upldz3ETsFkFlY5EyPNJecpftbJxQHaBzHVOOzqpr0NaJTEBZ3aOLOR0
     piHemvHGHtVtEM0jH0RUJ2MG22gEuUnXA8No6mqgJEs47P/9APKG45SVy7O1XNpK7
     2dzD8iGgb4aguGwvYMO1lrsv+I7Wtj0J+Ev98b4Xg=
Received: from [168.144.32.46] (VPS9517.ad3.softcom.biz [168.144.32.46])
     by mail.unlocktheinbox.com with SMTP;
     Sun, 8 Jul 2012 23:53:06 -0400
Content-Type: multipart/alternative;
    	boundary="8f11c861-b8a2-41ca-86eb-d8c8c35f649c"
MIME-Version: 1.0
Subject: Your Email Authentication Results!
Message-ID: <1c5d45d9-51f7-4b52-a18b-e9156c5c8a07@unlocktheinbox.com>
Date: Sun, 08 Jul 2012 23:53:06 -0400
From: "Unlock The Inbox" <mailtest@awesome.unlocktheinbox.com>
If the two sections highlighted in orange match exactly, it is considered DKIM Relaxed Compliance.

SPF Unaligned Identifier Alignment Example


Below is a sample header from an email. Compare the domain in the Return-path header with the domain in the From header (highlighted on the original page).
Return-path: <mailtest@example.com>
Envelope-to: user@domain.com
Delivery-date: Sun, 08 Jul 2012 23:53:18 -0400
Received: from unlocktheinbox.com ([168.144.32.45]:61622
        helo=mail.unlocktheinbox.com)
    	by domain.com with esmtps (TLSv1:AES128-SHA:128)
    	(Exim 4.77)
    	(envelope-from <mailtest@unlocktheinbox.com>)
    	id 1So52B-0003gB-A8
    	for user@domain.com; Sun, 08 Jul 2012 23:53:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
     d=unlocktheinbox.com; s=secure;
     h=from;
     bh=o3fu6xyRMvsfFmwnP6/SlW7vJ99RrE0ChDczpE+HayQ=;
     b=ODihl0g56Upldz3ETsFkFlY5EyPNJecpftbJxQHaBzHVOOzqpr0NaJTEBZ3aOLOR0
     piHemvHGHtVtEM0jH0RUJ2MG22gEuUnXA8No6mqgJEs47P/9APKG45SVy7O1XNpK7
     2dzD8iGgb4aguGwvYMO1lrsv+I7Wtj0J+Ev98b4Xg=
Received: from [168.144.32.46] (VPS9517.ad3.softcom.biz [168.144.32.46])
     by mail.unlocktheinbox.com with SMTP;
     Sun, 8 Jul 2012 23:53:06 -0400
Content-Type: multipart/alternative;
    	boundary="8f11c861-b8a2-41ca-86eb-d8c8c35f649c"
MIME-Version: 1.0
Subject: Your Email Authentication Results!
Message-ID: <1c5d45d9-51f7-4b52-a18b-e9156c5c8a07@unlocktheinbox.com>
Date: Sun, 08 Jul 2012 23:53:06 -0400
From: "Unlock The Inbox" <mailtest@unlocktheinbox.com>
If the domains in the two sections highlighted in blue don't match, this is considered SPF Unaligned Compliance.

DKIM Unaligned Identifier Alignment Example


Below is a sample header from an email. Compare the domain in the "d=" tag of the DKIM-Signature header with the domain in the From header (highlighted on the original page).
Return-path: <mailtest@unlocktheinbox.com>
Envelope-to: user@domain.com
Delivery-date: Sun, 08 Jul 2012 23:53:18 -0400
Received: from unlocktheinbox.com ([168.144.32.45]:61622
        helo=mail.unlocktheinbox.com)
    	by domain.com with esmtps (TLSv1:AES128-SHA:128)
    	(Exim 4.77)
    	(envelope-from <mailtest@unlocktheinbox.com>)
    	id 1So52B-0003gB-A8
    	for user@domain.com; Sun, 08 Jul 2012 23:53:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
     d=example.com; s=secure;
     h=from;
     bh=o3fu6xyRMvsfFmwnP6/SlW7vJ99RrE0ChDczpE+HayQ=;
     b=ODihl0g56Upldz3ETsFkFlY5EyPNJecpftbJxQHaBzHVOOzqpr0NaJTEBZ3aOLOR0
     piHemvHGHtVtEM0jH0RUJ2MG22gEuUnXA8No6mqgJEs47P/9APKG45SVy7O1XNpK7
     2dzD8iGgb4aguGwvYMO1lrsv+I7Wtj0J+Ev98b4Xg=
Received: from [168.144.32.46] (VPS9517.ad3.softcom.biz [168.144.32.46])
     by mail.unlocktheinbox.com with SMTP;
     Sun, 8 Jul 2012 23:53:06 -0400
Content-Type: multipart/alternative;
    	boundary="8f11c861-b8a2-41ca-86eb-d8c8c35f649c"
MIME-Version: 1.0
Subject: Your Email Authentication Results!
Message-ID: <1c5d45d9-51f7-4b52-a18b-e9156c5c8a07@unlocktheinbox.com>
Date: Sun, 08 Jul 2012 23:53:06 -0400
From: "Unlock The Inbox" <mailtest@unlocktheinbox.com>
If the two sections highlighted in blue match exactly, it is considered DKIM Unaligned Compliance.

Where does DMARC come into play in all of this?


DMARC has some optional tags that can be set (adkim and aspf). Each of these tags can have one of two values: "r" for relaxed or "s" for strict. By default, if these tags are not supplied, relaxed is assumed. If you set these tags to "s" for strict compliance and in reality your DKIM and SPF alignment is only "relaxed", your emails will fail DMARC compliance. But if you are set to "relaxed" and your actual compliance is "strict", you will still pass DMARC compliance. You can read about the DMARC Identifier Alignment settings here: DMARC Identifier Alignment
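
The alignment comparison and the effect of the aspf and adkim tags, worked through in Python as an added example (not code from Unlock The Inbox or from the DMARC draft). The function names are hypothetical, the organizational domain is approximated as the last two labels, and SPF and DKIM themselves are assumed to have already passed, so only alignment is checked.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # receivers consult the Public Suffix List (e.g. for "example.co.uk").
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def alignment(from_domain, auth_domain):
    """Classify one authenticated identifier against the From domain."""
    a, b = from_domain.lower(), auth_domain.lower()  # case-insensitive compare
    if a == b:
        return "strict"
    if org_domain(a) == org_domain(b):
        return "relaxed"
    return "unaligned"

def satisfies(actual, mode):
    """mode is the aspf/adkim value: 's' needs strict, 'r' accepts either."""
    return actual == "strict" or (mode == "r" and actual == "relaxed")

def dkim_tags(value):
    # Split "v=1; a=...; d=..." into a dict; folding whitespace is stripped.
    pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
    return {k.strip(): v.strip() for k, v in pairs}

def check_message(raw, aspf="r", adkim="r"):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    rp_dom = parseaddr(msg["Return-path"])[1].rpartition("@")[2]
    d_tag = dkim_tags(msg["DKIM-Signature"])["d"]
    spf, dkim = alignment(from_dom, rp_dom), alignment(from_dom, d_tag)
    return {"spf": spf, "dkim": dkim,
            "spf_ok": satisfies(spf, aspf), "dkim_ok": satisfies(dkim, adkim)}

# Constructed sample: headers trimmed from the page's relaxed examples.
SAMPLE = (
    "Return-path: <mailtest@amazing.unlocktheinbox.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;\n"
    "     d=unlocktheinbox.com; s=secure; h=from\n"
    'From: "Unlock The Inbox" <mailtest@awesome.unlocktheinbox.com>\n'
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(check_message(SAMPLE))                       # default relaxed modes
    print(check_message(SAMPLE, aspf="s", adkim="s"))  # strict policy
```

With the default relaxed modes both identifiers are accepted; with aspf=s and adkim=s the same message is rejected on both, which is the failure case described above.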

What's the easy way to test my SPF and DKIM Identifier Alignments?


Simply send an email to "mailtest@unlocktheinbox.com" and it will auto-respond with your email identifier alignment settings.

Source: Unlock The Inbox