Email Security Blog

What is Identifier Alignment?

Danielle Tristao October 7, 2014 DMARC
Fallback Featured Image

When you begin to work with DMARC, you realize just how important identifier alignment is. Identifier alignment forces the domains authenticated by SPF and DKIM to have a relationship to the “header From” domain.

Header Form Domain

Header From Domain and the MailFrom domain are different?

Yes, they are! Hearing these terms can confuse people. They sound like the same thing, but in reality they are not. The differences between these two domains could be the difference between your mail being rejected or allowed. To understand alignment, you need to understand the differences between these two domains:

Header From Domain

This is the domain portion of the email address that is most commonly visible to end users in the “From:” field displayed in an email client. In this example the email shows “From: Agari <>”. “Agari” is the display name, while “” is the header From domain.

DKIM sign

MailFrom Domain

This identifier is used by the SPF authentication mechanism. It is the domain portion of the email address that is commonly found in the “Return-Path” message header. This is also commonly known as the bounce address. End users will not see this email address in a typical mail client unless they choose to view detailed message headers or full message source.


The MailFrom domain has multiple personalities. Besides being known as the Bounce address, it is also known as the envelope address—or if you want to get fancy, you can call it the 5321 MailFrom (named for the specification RFC 5321)

DKIM Signing Domain

This identifier is used by the DKIM authentication mechanism. It is the domain designated by the ‘d=’ tag in the DKIM signature. The DKIM public key used to decode the DKIM signature in a message is discovered from a DNS lookup that combines this ‘d=’ domain with the DKIM selector (‘s=’), also in the DKIM signature.

Now that we understand the difference between Header from and MailFrom domains, Lets get aligned!

There are two different types of configurable alignment: “Strict” Alignment and “Relaxed” Alignment. In “strict” alignment mode the domains must be an exact match. In “relaxed” alignment mode the domains can be different sub-domains of the same organizational domain. For example, an email address of would work in “relaxed” alignment.

Identifier alignment is a big part of implementing DMARC successfully. DMARC is all about ensuring your email authenticates to your organization. To understand the differences between Header From domains and MailFrom domains and how to stay aligned, keeps you ahead of the game and on your way to securing your reputation!

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

April 17, 2019 Fareed Bukhari

The Time is Now: Underscoring the Importance of DMARC for State and Local Governments

Scammers know that impersonating a trusted government agency is an extremely effective way to trick…

Agari Blog Image

February 26, 2019 Armen Najarian

Retail Trails Other Sectors in Adopting DMARC for Phishing Prevention

Recent research by the Agari Cyber Intelligence Division finds that the retail industry is dead…

Person Looking at DMARC Protected Email

February 19, 2019 Fareed Bukhari

DMARC Adoption Up, But 85% of Fortune 500 Remains Vulnerable to Brand Hijacking

Adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) has seen modest growth in recent…

Agari Blog Image

October 16, 2018 Fareed Bukhari

One Year Later: Federal Mandate for Email Authentication Huge Success

Responding to BOD 18-01, agencies rally to complete the fastest sector-wide adoption of DMARC One…

Agari Blog Image

October 16, 2018 Patrick Peterson

DMARC: A 12-Month Triumph for DHS—and the Nation

Today is the deadline set by the Department of Homeland Security for all executive branch…

mobile image