DMARC ADKIM Tag
The optional adkim tag refers to the alignment mode for the DKIM protocol. Successful alignment occurs when your email’s parent (root) domain of the DKIM signing domain matches the “Header From” domain. This descriptor can be set in either the r (relaxed) or s (strict) mode. If omitted in your DMARC policy, the adkim tag defaults to adkim=r (relaxed).
Examples of adkim
Relaxed DKIM Alignment
In relaxed (r) alignment, the DKIM domain and the Header From domain must be an exact match or a parent/child match (i.e. example.com and child.example.com). The parent/child match type allows any subdomain and parent domain pair to generate a PASS result. Also worth noting, in the parent/child match scenario either the DKIM domain or the Header From domain can be the parent or the child domain. When the relaxed setting is specified in a DMARC record it will look like the below example:
| Relaxed DKIM Alignment tag in a DMARC record (adkim=r) |
| v=DMARC1; p=quarantine; pct=25 ; rua=mailto:dmarcreports@mxtoolbox.com; ruf=mailto:dmarcfailurereports@mxtoolbox.com; adkim=r; |
Pass / Fail Scenarios in Relaxed Alignment
| DKIM Domain is |
Header From Domain is |
Result is |
| mail.example.com |
example.com |
PASS |
| example.mail.com |
example.com |
FAIL |
Strict DKIM Alignment
In strict (s) alignment, a DMARC record will expressed with the adkim=s tag published as illustrated below:
| Strict DKIM Alignment tag in DMARC record (adkim=s) |
| v=DMARC1; p=quarantine; pct=25 ; rua=mailto:dmarcreports@mxtoolbox.com; ruf=mailto:dmarcfailurereports@mxtoolbox.com; adkim=s; |
Pass / Fail Scenarios in Strict DKIM Alignment
Now, with adkim=s tag published, the DKIM domain and the Header From domain must exactly match. Below are two examples, one displaying an exact match generating a PASS result and another displaying parent/child domains that generat a FAIL result.
| DKIM Domain is |
Header From Domain is |
Result is |
| mail.example.com |
mail.example.com |
PASS |
| mail.example.com |
example.com |
FAIL |