What is DKIM Alignment?
To understand how DKIM alignment affects overall DMARC compliance, let's look at what the test actually consists of. DMARC defines two alignment tests: one based on SPF and one based on DKIM. The DKIM alignment test verifies that the domain that signed the message is the same domain the recipient sees as the sender, by comparing two domains found in the message:
1. The <From:> domain
2. The dkim domain (d= tag) from the DKIM-Signature header
To achieve DKIM alignment, the domain of the <From:> header visible to the email receiver must match the “d=” domain in the DKIM-Signature header. By default this test uses a relaxed match: the two domains pass if they are identical or if they share the same Organizational Domain (parent domain/child domain). So "example.com" and "example.com" pass, and so do "email.example.com" and "example.com".
NOTE: If your DMARC record contains the tag “adkim=s”, the domains must be an exact match for DKIM alignment to pass (i.e., the DKIM d= domain and the RFC5322.From domain must be identical).
Of the two pairs above, "example.com"/"example.com" still passes under adkim=s, while "email.example.com"/"example.com" does NOT. The "s" value means "strict": with that tag, receiving mail servers only return a pass result when the two domains match exactly. Without the tag (or with "adkim=r"), relaxed matching is the default.
Example 1: DKIM in alignment
DKIM-Signature: v=1; ...; d=example.com; ...
From: sender@example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org
Subject: here's a sample
In Example 1, DKIM passes alignment. Why? The DKIM d= domain and the RFC5322.From domain are identical (example.com), so they align under both relaxed and strict mode.
Example 2: DKIM in alignment (default relaxed mode)
DKIM-Signature: v=1; ...; d=example.com; ...
From: sender@child.example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org
Subject: here's a sample
In Example 2, the DKIM d= domain is example.com and the RFC5322.From domain is child.example.com, a subdomain of it. In the default relaxed mode this message passes DKIM alignment because both domains have the same Organizational Domain, example.com. If the adkim=s tag had been set in the domain's DMARC record, this example would fail, since strict alignment requires the two domains to match exactly.
Example 3: DKIM NOT in alignment
DKIM-Signature: v=1; ...; d=example.com; ...
From: sender@microsoft.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org
Subject: here's a sample
In Example 3, DKIM does NOT pass alignment: the DKIM signing domain (d=example.com) and the RFC5322.From domain (microsoft.com) are different and share no Organizational Domain, so the message fails DKIM alignment in both relaxed and strict mode. Even if that signature verifies cryptographically, it contributes nothing to the DMARC result, because it does not vouch for the domain the recipient sees.
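To make the relaxed/strict rule from the section above and the three examples concrete, here is an added example that is not part of the original page. It pulls the RFC5322.From domain and every DKIM-Signature d= domain out of a raw message and applies the adkim=r / adkim=s test, running it over constructed versions of the three example messages. It goes a little beyond the text in two ways: it handles multiple DKIM-Signature headers (one aligned signature is enough), and it computes the Organizational Domain against a tiny constructed stand-in for the Public Suffix List. The helper names, the suffix set and the sample headers are assumptions for illustration. It does not verify the signatures cryptographically; a real DMARC evaluator only considers signatures that have already passed DKIM verification.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A real implementation must use the full list (e.g. the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain):
    """Organizational Domain (RFC 7489 section 3.2): the public suffix plus
    one more label. Uses the constructed PUBLIC_SUFFIXES set above."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest matching suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return ".".join(labels)   # the domain is itself a public suffix
            return ".".join(labels[i - 1:])
    return ".".join(labels)               # unknown suffix: treat as-is


def from_domain(msg):
    """RFC5322.From domain: the part after '@' in the From addr-spec."""
    _, addr = parseaddr(str(msg["From"]))
    if "@" not in addr:
        raise ValueError("From header has no usable addr-spec")
    return addr.rsplit("@", 1)[1].lower()


def dkim_signing_domains(msg):
    """Collect the d= tag of every DKIM-Signature header in the message."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = {}
        for tag in str(sig).split(";"):
            if tag.strip():
                k, _, v = tag.partition("=")   # b= values contain '=' too
                tags[k.strip().lower()] = v.strip()
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains


def dkim_aligned(from_dom, d_dom, adkim="r"):
    """Alignment test for one signing domain. adkim='r' (relaxed, the
    default) compares Organizational Domains; adkim='s' needs an exact match."""
    if adkim == "s":
        return from_dom == d_dom
    return organizational_domain(from_dom) == organizational_domain(d_dom)


def check_dkim_alignment(raw_message, adkim="r"):
    """True if any DKIM-Signature d= domain aligns with the From domain.
    Assumes the caller has already verified the signatures cryptographically."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    fd = from_domain(msg)
    return any(dkim_aligned(fd, d, adkim) for d in dkim_signing_domains(msg))


# Constructed sample messages mirroring Examples 1-3; the bh=/b= values are
# dummies and would not verify.
def _sample(d_domain, from_addr):
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; d=%s; s=sel; h=from:to:subject;\n"
        " bh=ZHVtbXk=; b=ZHVtbXk=\n"
        "From: %s\n"
        "Date: Fri, 15 Feb 2002 16:54:30 -0800\n"
        "To: receiver@example.org\n"
        "Subject: here's a sample\n"
        "\n"
        "sample body\n" % (d_domain, from_addr)
    )


EXAMPLE_1 = _sample("example.com", "sender@example.com")
EXAMPLE_2 = _sample("example.com", "sender@child.example.com")
EXAMPLE_3 = _sample("example.com", "sender@microsoft.com")

if __name__ == "__main__":
    for name, raw in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2), ("Example 3", EXAMPLE_3)):
        print(name, "relaxed:", check_dkim_alignment(raw, "r"),
              "strict:", check_dkim_alignment(raw, "s"))
```

Run as a script it prints the relaxed and strict verdict for each sample: Example 1 passes both, Example 2 passes relaxed only, Example 3 fails both. The Organizational Domain step is where real deployments get this wrong: comparing only the last two labels would wrongly treat "a.co.uk" and "b.co.uk" as aligned, which is why the full Public Suffix List, not a suffix heuristic, belongs in production code.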
For more DKIM alignment information/examples, please see RFC7489 Appendix B.1.2.