Excerpt From DMARC Draft:
Email authentication technologies authenticate various (and disparate) aspects of an individual message. For example, DKIM authenticates the domain that affixed a signature to the message, while SPF authenticates the domain that appears in the RFC5321.MailFrom portion of SMTP. The DMARC mechanism introduces the concept of Identifier Alignment to address the possible discrepancy of Authenticated Identifiers supplied by underlying authentication technologies.
DMARC uses the RFC5322.From domain to tie together Authenticated Identifiers. The selection of the RFC5322.From domain as the central identity of the DMARC mechanism is due to the ubiquity of this identity and the behavior of most MUAs to represent the RFC5322.From field as the originator of the message and to render some or all of this header's content to end users.
To be considered "in alignment" for the purposes of the DMARC mechanism, implementers MUST observe the considerations described in the following sections. Domain names in this context are to be compared in a case-insensitive manner.
Enough with the Technical Jargon, in English Please.
Basically, what the above excerpt is trying to explain is that there are two different modes that email servers take into account when evaluating SPF and DKIM: relaxed and strict. SPF and DKIM both use the domain of the "FROM" address, i.e. (mailtest@unlocktheinbox.com), which in this case is "unlocktheinbox.com", and compare it to the "return-path (envelope-sender)" for SPF or the "d=" tag in the domain signature for DKIM.
SPF Strict Identifier Alignment Example
Below is a sample header from an email; pay attention to the domain highlighted in red.
Return-path: <mailtest@unlocktheinbox.com>
Envelope-to: user@domain.com
Delivery-date: Sun, 08 Jul 2012 23:53:18 -0400
Received: from unlocktheinbox.com ([168.144.32.45]:61622
helo=mail.unlocktheinbox.com)
by domain.com with esmtps (TLSv1:AES128-SHA:128)
(Exim 4.77)
(envelope-from <mailtest@unlocktheinbox.com>)
id 1So52B-0003gB-A8
for user@domain.com; Sun, 08 Jul 2012 23:53:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=unlocktheinbox.com; s=secure;
h=from;
bh=o3fu6xyRMvsfFmwnP6/SlW7vJ99RrE0ChDczpE+HayQ=;
b=ODihl0g56Upldz3ETsFkFlY5EyPNJecpftbJxQHaBzHVOOzqpr0NaJTEBZ3aOLOR0
piHemvHGHtVtEM0jH0RUJ2MG22gEuUnXA8No6mqgJEs47P/9APKG45SVy7O1XNpK7
2dzD8iGgb4aguGwvYMO1lrsv+I7Wtj0J+Ev98b4Xg=
Received: from [168.144.32.46] (VPS9517.ad3.softcom.biz [168.144.32.46])
by mail.unlocktheinbox.com with SMTP;
Sun, 8 Jul 2012 23:53:06 -0400
Content-Type: multipart/alternative;
boundary="8f11c861-b8a2-41ca-86eb-d8c8c35f649c"
MIME-Version: 1.0
Subject: Your Email Authentication Results!
Message-ID: <1c5d45d9-51f7-4b52-a18b-e9156c5c8a07@unlocktheinbox.com>
Date: Sun, 08 Jul 2012 23:53:06 -0400
From: "Unlock The Inbox" <mailtest@unlocktheinbox.com>
If the two sections highlighted in RED match exactly, it's considered to be SPF Strict Compliance.
DKIM Strict Identifier Alignment Example
Below is a sample header from an email; pay attention to the domain highlighted in red.
Return-path: <mailtest@unlocktheinbox.com>
Envelope-to: user@domain.com
Delivery-date: Sun, 08 Jul 2012 23:53:18 -0400
Received: from unlocktheinbox.com ([168.144.32.45]:61622
helo=mail.unlocktheinbox.com)
by domain.com with esmtps (TLSv1:AES128-SHA:128)
(Exim 4.77)
(envelope-from <mailtest@unlocktheinbox.com>)
id 1So52B-0003gB-A8
for user@domain.com; Sun, 08 Jul 2012 23:53:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=unlocktheinbox.com; s=secure;
h=from;
bh=o3fu6xyRMvsfFmwnP6/SlW7vJ99RrE0ChDczpE+HayQ=;
b=ODihl0g56Upldz3ETsFkFlY5EyPNJecpftbJxQHaBzHVOOzqpr0NaJTEBZ3aOLOR0
piHemvHGHtVtEM0jH0RUJ2MG22gEuUnXA8No6mqgJEs47P/9APKG45SVy7O1XNpK7
2dzD8iGgb4aguGwvYMO1lrsv+I7Wtj0J+Ev98b4Xg=
Received: from [168.144.32.46] (VPS9517.ad3.softcom.biz [168.144.32.46])
by mail.unlocktheinbox.com with SMTP;
Sun, 8 Jul 2012 23:53:06 -0400
Content-Type: multipart/alternative;
boundary="8f11c861-b8a2-41ca-86eb-d8c8c35f649c"
MIME-Version: 1.0
Subject: Your Email Authentication Results!
Message-ID: <1c5d45d9-51f7-4b52-a18b-e9156c5c8a07@unlocktheinbox.com>
Date: Sun, 08 Jul 2012 23:53:06 -0400
From: "Unlock The Inbox" <mailtest@unlocktheinbox.com>
If the two sections highlighted in RED match exactly, it's considered to be DKIM Strict Compliance.
SPF Relaxed Identifier Alignment Example
Below is a sample header from an email; pay attention to the domain highlighted in red.
Return-path: <mailtest@amazing.unlocktheinbox.com>
Envelope-to: user@domain.com
Delivery-date: Sun, 08 Jul 2012 23:53:18 -0400
Received: from unlocktheinbox.com ([168.144.32.45]:61622
helo=mail.unlocktheinbox.com)
by domain.com with esmtps (TLSv1:AES128-SHA:128)
(Exim 4.77)
(envelope-from <mailtest@unlocktheinbox.com>)
id 1So52B-0003gB-A8
for user@domain.com; Sun, 08 Jul 2012 23:53:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=unlocktheinbox.com; s=secure;
h=from;
bh=o3fu6xyRMvsfFmwnP6/SlW7vJ99RrE0ChDczpE+HayQ=;
b=ODihl0g56Upldz3ETsFkFlY5EyPNJecpftbJxQHaBzHVOOzqpr0NaJTEBZ3aOLOR0
piHemvHGHtVtEM0jH0RUJ2MG22gEuUnXA8No6mqgJEs47P/9APKG45SVy7O1XNpK7
2dzD8iGgb4aguGwvYMO1lrsv+I7Wtj0J+Ev98b4Xg=
Received: from [168.144.32.46] (VPS9517.ad3.softcom.biz [168.144.32.46])
by mail.unlocktheinbox.com with SMTP;
Sun, 8 Jul 2012 23:53:06 -0400
Content-Type: multipart/alternative;
boundary="8f11c861-b8a2-41ca-86eb-d8c8c35f649c"
MIME-Version: 1.0
Subject: Your Email Authentication Results!
Message-ID: <1c5d45d9-51f7-4b52-a18b-e9156c5c8a07@unlocktheinbox.com>
Date: Sun, 08 Jul 2012 23:53:06 -0400
From: "Unlock The Inbox" <mailtest@awesome.unlocktheinbox.com>
If the sub-domains in the two sections highlighted in ORANGE don't match, this is considered to be SPF Relaxed Compliance.
DKIM Relaxed Identifier Alignment Example
Below is a sample header from an email; pay attention to the domain highlighted in red.
Return-path: <mailtest@unlocktheinbox.com>
Envelope-to: user@domain.com
Delivery-date: Sun, 08 Jul 2012 23:53:18 -0400
Received: from unlocktheinbox.com ([168.144.32.45]:61622
helo=mail.unlocktheinbox.com)
by domain.com with esmtps (TLSv1:AES128-SHA:128)
(Exim 4.77)
(envelope-from <mailtest@unlocktheinbox.com>)
id 1So52B-0003gB-A8
for user@domain.com; Sun, 08 Jul 2012 23:53:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=amazing.unlocktheinbox.com; s=secure;
h=from;
bh=o3fu6xyRMvsfFmwnP6/SlW7vJ99RrE0ChDczpE+HayQ=;
b=ODihl0g56Upldz3ETsFkFlY5EyPNJecpftbJxQHaBzHVOOzqpr0NaJTEBZ3aOLOR0
piHemvHGHtVtEM0jH0RUJ2MG22gEuUnXA8No6mqgJEs47P/9APKG45SVy7O1XNpK7
2dzD8iGgb4aguGwvYMO1lrsv+I7Wtj0J+Ev98b4Xg=
Received: from [168.144.32.46] (VPS9517.ad3.softcom.biz [168.144.32.46])
by mail.unlocktheinbox.com with SMTP;
Sun, 8 Jul 2012 23:53:06 -0400
Content-Type: multipart/alternative;
boundary="8f11c861-b8a2-41ca-86eb-d8c8c35f649c"
MIME-Version: 1.0
Subject: Your Email Authentication Results!
Message-ID: <1c5d45d9-51f7-4b52-a18b-e9156c5c8a07@unlocktheinbox.com>
Date: Sun, 08 Jul 2012 23:53:06 -0400
From: "Unlock The Inbox" <mailtest@awesome.unlocktheinbox.com>
If the two sections highlighted in ORANGE match exactly, it's considered to be DKIM Relaxed Compliance.
SPF Unaligned Identifier Alignment Example
Below is a sample header from an email; pay attention to the domain highlighted in red.
Return-path: <mailtest@example.com>
Envelope-to: user@domain.com
Delivery-date: Sun, 08 Jul 2012 23:53:18 -0400
Received: from unlocktheinbox.com ([168.144.32.45]:61622
helo=mail.unlocktheinbox.com)
by domain.com with esmtps (TLSv1:AES128-SHA:128)
(Exim 4.77)
(envelope-from <mailtest@unlocktheinbox.com>)
id 1So52B-0003gB-A8
for user@domain.com; Sun, 08 Jul 2012 23:53:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=unlocktheinbox.com; s=secure;
h=from;
bh=o3fu6xyRMvsfFmwnP6/SlW7vJ99RrE0ChDczpE+HayQ=;
b=ODihl0g56Upldz3ETsFkFlY5EyPNJecpftbJxQHaBzHVOOzqpr0NaJTEBZ3aOLOR0
piHemvHGHtVtEM0jH0RUJ2MG22gEuUnXA8No6mqgJEs47P/9APKG45SVy7O1XNpK7
2dzD8iGgb4aguGwvYMO1lrsv+I7Wtj0J+Ev98b4Xg=
Received: from [168.144.32.46] (VPS9517.ad3.softcom.biz [168.144.32.46])
by mail.unlocktheinbox.com with SMTP;
Sun, 8 Jul 2012 23:53:06 -0400
Content-Type: multipart/alternative;
boundary="8f11c861-b8a2-41ca-86eb-d8c8c35f649c"
MIME-Version: 1.0
Subject: Your Email Authentication Results!
Message-ID: <1c5d45d9-51f7-4b52-a18b-e9156c5c8a07@unlocktheinbox.com>
Date: Sun, 08 Jul 2012 23:53:06 -0400
From: "Unlock The Inbox" <mailtest@unlocktheinbox.com>
If the domains in the two sections highlighted in BLUE don't match, this is considered to be SPF Unaligned Compliance.
DKIM Unaligned Identifier Alignment Example
Below is a sample header from an email; pay attention to the domain highlighted in red.
Return-path: <mailtest@unlocktheinbox.com>
Envelope-to: user@domain.com
Delivery-date: Sun, 08 Jul 2012 23:53:18 -0400
Received: from unlocktheinbox.com ([168.144.32.45]:61622
helo=mail.unlocktheinbox.com)
by domain.com with esmtps (TLSv1:AES128-SHA:128)
(Exim 4.77)
(envelope-from <mailtest@unlocktheinbox.com>)
id 1So52B-0003gB-A8
for user@domain.com; Sun, 08 Jul 2012 23:53:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=example.com; s=secure;
h=from;
bh=o3fu6xyRMvsfFmwnP6/SlW7vJ99RrE0ChDczpE+HayQ=;
b=ODihl0g56Upldz3ETsFkFlY5EyPNJecpftbJxQHaBzHVOOzqpr0NaJTEBZ3aOLOR0
piHemvHGHtVtEM0jH0RUJ2MG22gEuUnXA8No6mqgJEs47P/9APKG45SVy7O1XNpK7
2dzD8iGgb4aguGwvYMO1lrsv+I7Wtj0J+Ev98b4Xg=
Received: from [168.144.32.46] (VPS9517.ad3.softcom.biz [168.144.32.46])
by mail.unlocktheinbox.com with SMTP;
Sun, 8 Jul 2012 23:53:06 -0400
Content-Type: multipart/alternative;
boundary="8f11c861-b8a2-41ca-86eb-d8c8c35f649c"
MIME-Version: 1.0
Subject: Your Email Authentication Results!
Message-ID: <1c5d45d9-51f7-4b52-a18b-e9156c5c8a07@unlocktheinbox.com>
Date: Sun, 08 Jul 2012 23:53:06 -0400
From: "Unlock The Inbox" <mailtest@unlocktheinbox.com>
If the two sections highlighted in BLUE match exactly, it's considered to be DKIM Unaligned Compliance.
Where does DMARC come into play in all of this?
DMARC has some optional tags that can be set (adkim and aspf). Each of these tags can have two values: "r" for relaxed and "s" for strict. By default, if these tags are not supplied, relaxed is assumed. If you set these tags to "s" for strict compliance and in reality your adkim and aspf are "relaxed", your emails will fail DMARC compliance. But if you're set to "relaxed" and your actual compliance is "strict", you will still pass DMARC compliance.
You can read about the DMARC Identifier Alignment settings here: DMARC Identifier Alignment
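The alignment check and the adkim/aspf tags described above, as an added example (not code from the original page or from the DMARC draft): it compares the From domain with the Return-path and "d=" domains and tests the result against a DMARC record. It uses the DMARC definition of relaxed alignment (same organizational domain); PUBLIC_SUFFIXES, SAMPLE and all function names are constructed for illustration, and it checks alignment only, not whether SPF or DKIM itself passed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption); receivers use the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels

def alignment(from_domain, auth_domain):
    """Classify a domain pair as 'strict', 'relaxed' or 'unaligned' (case-insensitive)."""
    a, b = from_domain.lower(), auth_domain.lower()
    if a == b:
        return "strict"
    return "relaxed" if org_domain(a) == org_domain(b) else "unaligned"

def tag_list(value):
    """Parse a 'k=v; k=v' tag list (DKIM-Signature header or DMARC TXT record)."""
    pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check(raw_headers, dmarc_record):
    """Return {tag: (observed alignment, satisfies the record's mode?)}."""
    msg = message_from_string(raw_headers)
    dom = lambda addr: parseaddr(addr)[1].rpartition("@")[2]
    from_dom = dom(msg["From"])
    ids = {"aspf": dom(msg["Return-path"]),
           "adkim": tag_list(msg["DKIM-Signature"])["d"]}
    policy = tag_list(dmarc_record)
    result = {}
    for tag, auth_dom in ids.items():
        seen = alignment(from_dom, auth_dom)
        # A missing adkim/aspf tag means relaxed ("r"), as the page states.
        allowed = ("strict",) if policy.get(tag, "r") == "s" else ("strict", "relaxed")
        result[tag] = (seen, seen in allowed)
    return result

# Constructed headers modelled on the page's relaxed examples.
SAMPLE = (
    "Return-path: <mailtest@unlocktheinbox.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;\n"
    " d=amazing.unlocktheinbox.com; s=secure; h=from\n"
    'From: "Unlock The Inbox" <mailtest@awesome.unlocktheinbox.com>\n'
    "\n"
)
```

With a record that omits both tags, check(SAMPLE, ...) reports both identifiers as relaxed and acceptable; adding adkim=s and aspf=s to the record makes the same message fail both alignment checks.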
What's the easy way to test my SPF and DKIM Identifier Alignments?
Simply send an email to "mailtest@unlocktheinbox.com" and it will auto-respond with your email identifier alignment settings.