How can DMARC alignment reduce domain impersonation?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine you get an email from ceo@deepcurrent.io asking for an urgent wire transfer. The address looks right. The name looks right. But the actual email never touched deepcurrent.io's servers at all. That's exact domain spoofing, and it's one of the oldest tricks in the phishing playbook.

DMARC alignment is what stops it. Here's how it works in plain terms.

When you send an email, there are two layers of identity at play. First, there's the SPF check, which verifies the sending server against your DNS record. Second, there's the DKIM signature, which cryptographically signs the message using your domain's private key. Both of those are invisible to the recipient. What they see is the visible From address in their inbox.

DMARC alignment requires that the domain in the visible From header matches the domain that passed either SPF or DKIM. Not just any domain. Your domain specifically. So if an attacker sends from their own server (which passes SPF for their domain) but puts ceo@deepcurrent.io in the From address, alignment fails. The domains don't match. DMARC catches that mismatch and instructs the receiving server to reject or quarantine the message, depending on your policy.

From the recipient's perspective at Gmail or Outlook, a failed DMARC check with a p=reject policy means that spoofed email never arrives. It doesn't go to spam. It doesn't land with a warning. It gets dropped entirely before it ever touches an inbox.

Strict vs. relaxed alignment also matters here. Relaxed alignment (the default) allows subdomains to count. So mail.deepcurrent.io can pass alignment for deepcurrent.io. Strict alignment requires an exact match. If you're worried about subdomain abuse, strict is the stronger setting.

That said, DMARC alignment is not a complete impersonation shield. It protects your exact domain. It doesn't protect against:

  • Lookalike domains like deepcurr3nt.io or deep-current.io (the attacker owns those, so they can pass their own DMARC just fine)
  • Display name spoofing, where the From address is legit but the visible name reads "CEO of DeepCurrent" to fool the reader
  • Subdomain spoofing if your sp= policy isn't set and you're only protecting the root domain

Think of DMARC alignment as a lock on your front door. It stops anyone from walking in claiming to be you. But it can't stop someone from standing outside wearing your uniform. For those scenarios, you need separate monitoring for lookalike domains.

But if you want to verify your DMARC record is set up correctly right now, you can run it through our free DMARC Parser. And if you're not sure whether your policy is actually enforcing anything, that's the first place to check.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a personalised DMARC alignment assessment

I want to understand how DMARC alignment protects my domain from impersonation. Here are my details: - My sending domain: your domain - Current DMARC policy (none/quarantine/reject): your policy - Alignment mode (relaxed/strict): relaxed or strict - Do you use subdomains for sending?: yes/no - Main concern (phishing, BEC, spoofed campaigns): describe Based on this, please tell me: (1) whether my current setup actually blocks spoofed emails, (2) what alignment gaps might exist, and (3) whether I need stricter settings for my use case.

Edit the yellow boxes, then send to the AI of your choice.