DMARC DKIM Alignment Failure: Step by Step

You've deployed DMARC, configured your SPF and DKIM records, and are starting to receive aggregate reports. But when you dig into the data, you see a persistent dkim=fail or dkim=neutral status, often accompanied by disposition=none or quarantine. This indicates a DMARC DKIM alignment failure, and it's a critical issue you need to address to achieve full DMARC enforcement and protect your domain.

This article breaks down what DKIM alignment means, why it fails, and how to fix it, targeting engineers who want practical, no-nonsense solutions.

Understanding DKIM and Its Role in DMARC

Before diving into alignment, let's quickly recap DKIM (DomainKeys Identified Mail). DKIM provides a way for an organization to cryptographically sign outgoing email messages. This signature acts as a tamper-evident seal and allows the recipient server to verify two things:

  1. Integrity: The email content (headers and body) hasn't been altered in transit.
  2. Authenticity: The email truly originated from the domain that claims to have sent it.

When an email server signs a message with DKIM, it adds a DKIM-Signature header. This header contains several tags, most importantly:

  • d=: The signing domain (the domain responsible for signing the email).
  • s=: The selector (a specific key used by the signing domain).
  • bh=: Body hash.
  • h=: Signed header fields.

The recipient server then uses the d= and s= tags to look up a public key in the DNS of the signing domain, at the name <s>._domainkey.<d>. If the signature validates against the public key, DKIM passes. If not, it fails.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on top of SPF and DKIM. For an email to pass DMARC, at least one of SPF or DKIM must pass and be "aligned" with the From: header domain.

What is DKIM Alignment?

DKIM alignment is the crucial link between the domain that signed the email (d= tag in DKIM-Signature) and the domain visible to the end-user (From: header). For DMARC to consider DKIM "aligned," the organizational domain of the d= tag must match the organizational domain of the From: header.

Let's clarify "organizational domain":

  • For example.com, the organizational domain is example.com.
  • For mail.example.com, the organizational domain is example.com.
  • For sub.domain.example.com, the organizational domain is example.com.

Relaxed vs. Strict Alignment

DMARC offers two modes for DKIM alignment, controlled by the adkim tag in your DMARC record:

  • Relaxed Alignment (adkim=r): The organizational domain of the d= tag must match the organizational domain of the From: header. This means d=mail.example.com will align with From: user@example.com. This is the default and generally recommended for flexibility.
  • Strict Alignment (adkim=s): The exact domain of the d= tag must match the exact domain of the From: header. This means d=mail.example.com would not align with From: user@example.com. It would only align with From: user@mail.example.com. This is rarely used unless you have very specific security requirements and tight control over all sending sources.

For the rest of this article, we'll assume relaxed alignment, as it's the most common configuration.

How DKIM Alignment Fails (Step-by-Step)

DKIM alignment failures typically stem from a mismatch between the signing domain and the From: domain. Here's a breakdown of common scenarios:

1. Third-Party Sending Services (The Most Common Culprit)

Many organizations use third-party services like Mailchimp, SendGrid, Salesforce, or HubSpot to send emails on their behalf. By default, these services often sign emails with their own domain.

Example 1: Default Third-Party Signing

You send an email via Mailchimp with your From: address set to newsletter@yourcompany.com. The DKIM-Signature header might look like this:

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchimp.com; s=k1; ...

Here's the breakdown:

  • From: header domain: yourcompany.com
  • DKIM-Signature domain (d= tag): mailchimp.com

Failure: yourcompany.com does not match mailchimp.com. DKIM passes the signature check (because Mailchimp's signature is valid for mailchimp.com), but it fails DMARC alignment.

How to fix it: Most reputable third-party senders allow you to set up "custom DKIM" or "domain authentication." This involves adding specific CNAME records to your DNS that delegate signing authority to the third party for your domain.

For Mailchimp, you'd typically add two CNAME records:

    k1._domainkey.yourcompany.com CNAME k1.dkim.mailchimp.com.
    k2._domainkey.yourcompany.com CNAME k2.dkim.mailchimp.com.

After configuring this, your DKIM-Signature header would change to something like:

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourcompany.com; s=k1; ...

Now, From: yourcompany.com aligns with d=yourcompany.com, and DKIM alignment passes.
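The following is an added example, not code from the article or from any DMARC product: a small Python checker that ties together the DKIM-Signature tags (d=, s=, bh=, h=), the organizational-domain rule, and the relaxed/strict adkim modes described above, and runs it over the two Mailchimp headers from this example (before and after custom DKIM) plus the mail.yourcompany.com and localhost cases from the self-hosted scenario. It assumes the signature itself already verified, so only alignment is evaluated, and it uses a simplified "last two labels" organizational-domain rule; a real DMARC evaluator consults the Public Suffix List, which matters for names like example.co.uk but not for the .com domains used here.

```python
import re

def organizational_domain(domain: str) -> str:
    """Simplified organizational-domain rule (assumption): keep the last two labels.
    Real DMARC evaluators consult the Public Suffix List, so a name such as
    example.co.uk would need that list; the article's examples are all .com names."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()

def parse_dkim_signature(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (d=, s=, bh=, h=, ...).
    Folded whitespace inside a value is removed; a bare '...' such as the article's
    abbreviated examples use is skipped because it carries no '='."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)   # b= values end in '=' padding, so split only once
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def from_domain(from_header: str) -> str:
    """Domain of the RFC5322.From address ('Name <user@example.com>' or 'user@example.com')."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not match:
        raise ValueError("no address found in From: header")
    return match.group(1).lower().rstrip(".")

def dkim_alignment(from_header: str, dkim_signature: str, adkim: str = "r") -> dict:
    """DMARC DKIM alignment verdict for one message.
    Assumes the signature already verified (dkim=pass): alignment is purely a comparison
    between the d= domain and the From: domain, relaxed ('r') or strict ('s')."""
    tags = parse_dkim_signature(dkim_signature)
    signing = tags.get("d", "").lower().rstrip(".")
    sender = from_domain(from_header)
    if not signing:
        return {"aligned": False, "reason": "no d= tag in DKIM-Signature",
                "from_domain": sender, "signing_domain": "", "adkim": adkim}
    if adkim == "s":
        aligned = signing == sender
    elif adkim == "r":
        aligned = organizational_domain(signing) == organizational_domain(sender)
    else:
        raise ValueError("adkim must be 'r' (relaxed) or 's' (strict)")
    return {"aligned": aligned, "from_domain": sender, "signing_domain": signing, "adkim": adkim}

# The two headers from the article's Mailchimp example: default signing, then custom DKIM.
MAILCHIMP_DEFAULT = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchimp.com; s=k1; ..."
MAILCHIMP_CUSTOM = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourcompany.com; s=k1; ..."

def main() -> None:
    # Constructed cases: the article's Mailchimp headers and the self-hosted misconfigurations.
    cases = [
        ("newsletter@yourcompany.com", MAILCHIMP_DEFAULT, "r"),
        ("newsletter@yourcompany.com", MAILCHIMP_CUSTOM, "r"),
        ("support@yourcompany.com", "v=1; d=mail.yourcompany.com; s=202301; ...", "r"),
        ("support@yourcompany.com", "v=1; d=mail.yourcompany.com; s=202301; ...", "s"),
        ("support@yourcompany.com", "v=1; d=localhost; s=202301; ...", "r"),
    ]
    for from_header, sig, mode in cases:
        v = dkim_alignment(from_header, sig, mode)
        print(f"adkim={mode} From={v['from_domain']:18} d={v['signing_domain']:22} aligned={v['aligned']}")

if __name__ == "__main__":
    main()
```

Running it shows the default Mailchimp header failing alignment, the custom-DKIM header passing, mail.yourcompany.com passing under relaxed but failing under strict, and localhost failing in either mode; a missing d= tag is reported as not aligned rather than raising, mirroring how a dkim=none result can never align.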

2. Internal Mail Server Misconfiguration

If you manage your own mail servers (e.g., Postfix with opendkim, Exim), a misconfiguration can lead to alignment failures.

Example 2: Self-hosted Server Signing with Wrong Domain

Imagine you have a server mail.yourcompany.com configured to send emails. You intend for it to sign with yourcompany.com. However, due to a typo or incorrect setup in your opendkim.conf or equivalent, it's signing with mail.yourcompany.com or even localhost.

  • From: header domain: yourcompany.com
  • DKIM-Signature domain (d= tag): mail.yourcompany.com

Failure (if adkim=s): If your DMARC policy is strict (adkim=s), then yourcompany.com will not align with mail.yourcompany.com. With relaxed alignment this particular pair does align, but if the d= tag were localhost or an unrelated domain, it would fail in either mode.

How to fix it:

  • Review your mail server's DKIM configuration. Ensure the Domain or SigningDomain parameter is set to your organizational domain (yourcompany.com).
  • Verify the selector (s=). Make sure the selector used by your server (e.g., 202301) matches the selector in your DNS TXT record for 202301._domainkey.yourcompany.com.
  • Check DNS. Use dig to confirm your public key is correctly published:

        dig 202301._domainkey.yourcompany.com TXT

    The output should show a v=DKIM1; p=... record.
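As an added example (not code from the article or from OpenDKIM), the Python below automates the last two checks: it derives the <selector>._domainkey.<domain> name the verifier will query from the selector and domain your server is configured with, and checks a dig answer-section line against it, flagging a selector mismatch, a missing or empty p= tag, a key type it does not recognise, and a p= value that is not valid base64. It also reassembles a TXT record that DNS has split into several quoted strings, which is how any RSA key longer than 255 bytes is published and a common way for a key to be copied incorrectly. The dig line and key material are constructed for the example (the p= value is placeholder bytes, not a real key), and the line format assumed is the full answer section, not dig +short, which omits the owner name.

```python
import base64
import re

def dkim_record_name(selector: str, domain: str) -> str:
    """Where a verifier looks for the public key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"

def join_txt_strings(rdata: str) -> str:
    """TXT data longer than 255 bytes is published as several quoted strings, which
    dig prints as "..." "..." on one line; a verifier concatenates them in order."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata.strip()

def parse_tags(record: str) -> dict:
    """tag=value pairs of a DKIM key record; whitespace inside p= is permitted and dropped."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_dkim_key_record(record: str) -> list:
    """Problems with a DKIM key record such as "v=DKIM1; k=rsa; p=..."; [] means it looks usable."""
    problems = []
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":            # v= is optional, but if present must be DKIM1
        problems.append("v= tag is not DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("p= is empty (key revoked)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:                            # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64 (truncated or mangled when published?)")
    return problems

def check_dig_answer(line: str, selector: str, domain: str) -> list:
    """Check one answer-section line from `dig <name> TXT`, e.g.
       202301._domainkey.yourcompany.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGf..."
    against the selector and domain the mail server is configured to sign with."""
    match = re.match(r"^(\S+)\s+\d+\s+IN\s+TXT\s+(.*)$", line.strip())
    if not match:
        return ["not a TXT answer line: record missing, or published under a different name?"]
    owner, rdata = match.group(1).rstrip("."), match.group(2)
    expected = dkim_record_name(selector, domain)
    problems = []
    if owner.lower() != expected.lower():
        problems.append(f"record is at {owner} but the server signs with s={selector} d={domain} (expects {expected})")
    return problems + check_dkim_key_record(join_txt_strings(rdata))

# Constructed key material: NOT a real RSA key, just bytes that base64-encode cleanly.
SAMPLE_P = base64.b64encode(b"constructed placeholder, not a real DKIM public key" * 6).decode()
# Constructed dig answer, with p= split across two quoted strings as a long key would be.
GOOD_ANSWER = ('202301._domainkey.yourcompany.com. 3600 IN TXT '
               f'"v=DKIM1; k=rsa; p={SAMPLE_P[:40]}" "{SAMPLE_P[40:]}"')
# Constructed answer where only the first quoted string was copied into the zone.
TRUNCATED_ANSWER = f'202301._domainkey.yourcompany.com. 3600 IN TXT "v=DKIM1; k=rsa; p={SAMPLE_P[:45]}"'

def main() -> None:
    for label, line, selector in [("correct", GOOD_ANSWER, "202301"),
                                  ("selector mismatch", GOOD_ANSWER, "202212"),
                                  ("truncated key", TRUNCATED_ANSWER, "202301")]:
        print(f"{label:18} -> {check_dig_answer(line, selector, 'yourcompany.com') or 'OK'}")

if __name__ == "__main__":
    main()
```

The base64 check catches a key cut off mid-string, but a truncation that happens to land on a 4-character boundary still decodes, so a clean result here means the record is well-formed, not that it matches the private key on the server; sending a test message and reading the Authentication-Results header remains the final check.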

3. Missing or Invalid DKIM Signature

While not strictly an alignment failure, if an email lacks a valid DKIM signature, it cannot possibly align. This often manifests as dkim=none or dkim=fail in aggregate reports without a d= tag to evaluate.

Causes:

  • DKIM signing is not enabled on the sending server.
  • The DKIM public key in DNS is incorrect, expired, or missing.
  • The private key on the sending