What is identifier alignment in DMARC?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've heard that DMARC checks if your domains "align," but what does that actually mean? At its core, identifier alignment is DMARC's way of making sure the email address the recipient sees (the From header) actually matches the domain that authenticated the message.

And Here's the problem DMARC solves. Attackers can forge the From header to look like it came from paypal@example.com even though they're sending from a completely different server. SPF and DKIM can authenticate the real sender, but if those authenticated domains don't match the visible From header, the recipient won't trust the email. That's where alignment comes in.

DMARC requires that either your SPF domain or your DKIM domain (or both) align with your From header domain. "Align" means they match (with some flexibility depending on your settings). If neither one matches, DMARC fails, and your authentication policy kicks in (quarantine, reject, or just monitor).

Why does this matter? Because alignment is what actually stops impersonation. Without it, an attacker could get past SPF by spoofing an internal server, or bypass DKIM by signing with a different domain. Alignment is the lock that ties everything together. You control alignment strictness with settings like aspf and adkim in your DMARC policy to decide how tight that lock should be.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check your DMARC alignment

What does it mean when DMARC says my domains don't align? How do I fix it?

Edit the yellow boxes, then send to the AI of your choice.