DKIM Alignment – Matching of Header Domains

In email marketing, email service providers are predominantly used for the technical creation and sending of emails.

However, the content and campaigns are developed and created by a brand. Reputable brands send the campaigns and content in their own name using their own widely recognised brand domain.

If the domains in the header of an email are covered by a DKIM signature, the mailbox provider knows that they have not been misused. Only a legitimate user of the domain can publish the DKIM public key in the DNS and at the same time add the signature using the matching private key.

We refer to DKIM alignment as the correspondence between the domains used in the individual headers of an email (Header.From, Mail.From, Reply-To and others) and the domain “d=” of at least one DKIM signature.

Single or multiple signatures

In principle, there is no specified maximum number of DKIM signatures that an email may contain. As a result, it is theoretically possible to include a DKIM signature for every single domain used.

However, if you consider the multitude of theoretically possible domains in an email header and body, such as

  • From as specified in RFC5322
  • From as specified in RFC5321
  • Reply-To
  • list header
  • link tracking
  • image links
  • other domains,

it becomes clear that adding all the necessary DKIM signatures can make the email header very confusing and complex.

It is, therefore, wise to configure an email setup in such a way that there can be a meaningful use of domains and DKIM signatures.

Scope of the DKIM Alignment

In principle, we distinguish between simple, full and extended DKIM alignment:

  • Simple DKIM Alignment -> DKIM domain matches the Header.From domain (RFC5322) at least at the organisational level
  • Full DKIM Alignment -> DKIM domain matches the Header.From domain (RFC5322) and the Mail.From domain (RFC5321) at least at the organisational level
  • Extended DKIM Alignment -> DKIM domain matches the Header.From domain (RFC5322), the Mail.From domain (RFC5321) and other domains of the email header (Reply-To, list header, others) at least at the organisational level

Relaxed or strict DKIM alignment

In addition, the DKIM alignment can be set as relaxed or strict. In this further categorisation, the organisational domains of a sender or a brand, or the subdomains of these organisational domains that are used, play a role.

  • Relaxed DKIM Alignment -> the DKIM domain corresponds to the header domains at the organisational level, e.g. example.com -> child.example.com
  • Strict DKIM Alignment -> the DKIM domain matches the header domains exactly, e.g. example.com -> example.com or child.example.com -> child.example.com

The most common best practice examples

Essential and decisive for the successful delivery of emails to the inbox are the Header.From Domain as specified by RFC5322 and Mail.From Domain as specified by RFC5321. Accordingly, a DKIM signature should be created that covers both From headers simultaneously – full DKIM alignment.

Example – simple, relaxed DKIM alignment

DKIM Domain = example.com
5322.From = child1.example.com

Example – simple, strict DKIM alignment

DKIM Domain = child.example.com
5322.From = child.example.com

Example – full, relaxed DKIM alignment

DKIM Domain = example.com
5322.From = child1.example.com
5321.From = child2.example.com

Example – full, strict DKIM alignment

DKIM Domain = child.example.com
5322.From = child.example.com
5321.From = child.example.com

DKIM Alignment in accordance with item 2.21 of the CSA criteria

With the update of the CSA criteria, all emails from a sender must be DKIM-aligned from 18.01.2022 onwards. According to item 2.21 of the CSA criteria, this means at least a relaxed match between the “d=” tag of at least one DKIM signature and the domain from the From header (RFC5322), i.e. a match at least at the organisational level.

Example – simple, relaxed DKIM alignment

DKIM Domain = example.com
5322.From = child1.example.com
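
The scope and relaxed/strict categories above, together with the item 2.21 minimum, can be checked mechanically. The following is an added example, not code from the CSA or from this page's author; the function names are hypothetical and the organisational domain is derived from a small constructed suffix set rather than the full Public Suffix List.

```python
from typing import Optional

# Constructed sample of public suffixes (assumption). Production code
# should load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "de", "co.uk"}

def org_domain(domain: str) -> str:
    """Organisational domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to two labels

def match(dkim_d: str, header_domain: str) -> Optional[str]:
    """'strict' on exact match, 'relaxed' on same organisational domain."""
    a = dkim_d.lower().rstrip(".")
    b = header_domain.lower().rstrip(".")
    if a == b:
        return "strict"
    return "relaxed" if org_domain(a) == org_domain(b) else None

def classify(dkim_d, from_5322, from_5321=None):
    """Return (scope, mode) for one signature, or None if not aligned.
    Assumption: full alignment is 'strict' only if both domains match exactly."""
    hdr = match(dkim_d, from_5322)
    if hdr is None:
        return None
    env = match(dkim_d, from_5321) if from_5321 else None
    if env is None:
        return ("simple", hdr)
    return ("full", "strict" if hdr == env == "strict" else "relaxed")

def meets_csa_2_21(signature_domains, from_5322) -> bool:
    """Item 2.21 as the page states it: at least one d= matches the
    5322.From domain, relaxed or better."""
    return any(match(d, from_5322) for d in signature_domains)

if __name__ == "__main__":
    # The page's four examples, then a message with two signatures.
    print(classify("example.com", "child1.example.com"))
    print(classify("child.example.com", "child.example.com"))
    print(classify("example.com", "child1.example.com", "child2.example.com"))
    print(classify("child.example.com", "child.example.com", "child.example.com"))
    print(meets_csa_2_21(["mailer.example.net", "example.com"], "child1.example.com"))
```

Two unrelated registrants under a multi-label suffix such as co.uk must not count as aligned, which is why the organisational domain has to come from a suffix list rather than from the last two labels alone.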
