You can tell who sent you an email from the address in the ‘From’ field. However, this field is not verified by any email authentication protocol: SPF and DKIM work on other addresses found in the email headers, not on the human-readable mail-from address. This is where identity alignment comes into the picture.

The addresses contained in an email

There are several addresses in an email. Some of them are reader-friendly and meant for people to read. Others are the addresses that the underlying SPF and DKIM protocols check. SPF and DKIM each work on their own set of addresses when validating an email.

Since neither of them includes the mail-from address, SPF and DKIM on their own cannot protect your domain against misuse. This is because the mail-from address can easily be masked using domain spoofing and lookalike domains.

The solution is DMARC and, more precisely, DMARC’s ability to ensure identity alignment, also called domain alignment.

How does Identity Alignment work?

DMARC is the only protocol that works on the human-readable address of an email. First, it relies on SPF and DKIM to authenticate the less visible header addresses. After their individual checks, SPF and DKIM each provide an authenticated domain. Then it’s just a matter of matching the SPF and DKIM output against the domain in the mail-from address.

Only if one of these authenticated domains matches the domain in the mail-from address does DMARC greenlight an email as properly authenticated.

Such domains are considered ‘aligned’ domains or aligned identities. DMARC accepts a match from either SPF or DKIM with the domain in the visible mail-from address.

Alignment Modes of DMARC

There are two identity alignment modes: strict and relaxed.

In strict alignment mode, DMARC treats the domains as aligned only if they are exactly identical.

In relaxed mode, the domains align as long as the organizational domain of the authenticated domain matches that of the mail-from address.
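As an added example (not code from the original article), here is the alignment logic described above in Python: each authenticated domain is compared with the From domain under a strict or relaxed mode, and DMARC passes if either SPF or DKIM passed and aligned. The organizational-domain lookup uses a small constructed suffix list as a stand-in for the Public Suffix List, which is an assumption for illustration only.

```python
# DMARC identity alignment check (added example, not from the original article).
# Inputs are the domains DMARC compares: the domain of the visible From address,
# the domain SPF authenticated, and the d= domain of a passing DKIM signature.

# Constructed stand-in for the Public Suffix List (assumption; a real
# implementation must use the full, current list).
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix so "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels


def domains_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), mode 'r' = relaxed (same org domain)."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_pass(from_domain, spf_domain=None, spf_result="none",
               dkim_domain=None, dkim_result="none", aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM both passed and is aligned with From."""
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and domains_aligned(from_domain, spf_domain, aspf))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and domains_aligned(from_domain, dkim_domain, adkim))
    return spf_ok or dkim_ok
```

Note that a spoofed From domain with a valid SPF pass for some unrelated sending domain still fails, because the passing domain is not aligned with the visible one.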

What happens if identities aren’t aligned?

If you have implemented DMARC? Nothing. DMARC simply disregards emails for which the domains don’t align. It does not force SPF or DKIM to overrule their ‘verdicts’ simply because the human-readable mail-from address is one that was whitelisted previously in the DMARC records. DMARC just won’t authenticate such emails. In this way, potential threats never reach you.

But if you haven’t implemented DMARC? Trouble lies ahead. It is very difficult to make an email seem as if it originates from one address when it actually originates from another, but it’s a whole lot easier to spoof the mail-from address of an email. This is the address that catches our eye, and the one we rely on to judge whether an email is genuine. Without DMARC, your domain is not protected against spoofing and misuse.

We highly recommend implementing DMARC, as current trends show that DMARC will soon be a mandatory email authentication tool.

Need some help with DMARC? Drop us a call-back request and allow us to help you achieve maximum domain protection.