DKIM Alignment Explained — What Fails vs What Passes (Blue Canoe)

Last updated: 2025‑09‑09 • Owner: Blue Canoe

DKIM signs mail with a domain (d=) using a private key. Receivers fetch your public key via DNS and verify the signature. DMARC then checks whether that DKIM domain aligns with the visible From: domain.


1) Alignment basics

  • Relaxed alignment (adkim=r) — From: brand.com aligns with DKIM d=sub.brand.com (subdomains allowed).
  • Strict alignment (adkim=s) — requires exact match between From: domain and DKIM d= (no subdomain drift).

Either SPF or DKIM can provide alignment for DMARC to pass. In practice, you want DKIM pass + alignment as the reliable path (SPF breaks on forwarding).


2) What to configure with vendors

When onboarding a sender (newsletters, CRM, helpdesk, etc.):

  1. Custom DKIM: Ask the vendor to sign with your domain (ideally the organizational domain, e.g., blue-canoe.com). They’ll give you one or more selector._domainkey.blue-canoe.com CNAME/TXT records.
  2. Envelope choices: Set the visible From: to a domain that you control and that matches your DKIM d= policy (strict vs relaxed).
  3. SPF (optional safety net): Include their envelope domain, but don’t rely on SPF for DMARC pass through forwarders.
  4. Subdomain strategy: If they can’t sign as blue-canoe.com, use a subdomain like mail.blue-canoe.com and keep adkim=r until you can consolidate.

Goal state: All vendors sign as d=blue-canoe.com (or a small set of well‑known subdomains), using 2048‑bit keys and rotating selectors periodically.


3) Alignment pass/fail examples

Pass (relaxed):

  • From: hello@blue-canoe.com, DKIM d=mailer.blue-canoe.com, adkim=r → aligns.
  • From: alerts@mail.blue-canoe.com, DKIM d=mail.blue-canoe.com → aligns.

Fail (strict):

  • From: hello@blue-canoe.com, DKIM d=mailer.blue-canoe.com, adkim=s → fails (subdomain mismatch).

Fail (any mode):

  • From: hello@blue-canoe.com, DKIM d=vendor-mail.com → fails (different org domain).
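
As an added worked example (not Blue Canoe's code), the following Python reproduces the pass/fail decisions above for adkim=r and adkim=s from a From: header and a DKIM-Signature header value; it assumes the organizational domain is simply the last two DNS labels, whereas real receivers consult the Public Suffix List.

```python
import re
from email.utils import parseaddr

# Added example mirroring section 3; not Blue Canoe's code.
# Assumption: organizational domain = last two labels. Real DMARC
# receivers use the Public Suffix List (e.g. brand.co.uk needs it).

def org_domain(domain: str) -> str:
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def dkim_d_tag(dkim_signature_header: str) -> str:
    """Extract the d= tag from an (unfolded) DKIM-Signature header value."""
    m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", dkim_signature_header)
    if not m:
        raise ValueError("DKIM-Signature has no d= tag")
    return m.group(1).lower()

def from_domain(from_header: str) -> str:
    """Domain part of the visible (RFC5322) From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError("From: header has no address")
    return addr.rsplit("@", 1)[1].lower()

def dkim_aligned(from_header: str, dkim_signature_header: str, adkim: str = "r") -> bool:
    """DMARC identifier alignment for DKIM: adkim=s needs an exact match,
    adkim=r needs the same organizational domain. A DKIM pass whose d=
    does not align contributes nothing to DMARC."""
    fd = from_domain(from_header)
    dd = dkim_d_tag(dkim_signature_header)
    if adkim == "s":
        return fd == dd
    if adkim == "r":
        return org_domain(fd) == org_domain(dd)
    raise ValueError("adkim must be 'r' or 's'")

# Constructed header values (bh=/b= are placeholders, not real hashes).
SIG_MAILER = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailer.blue-canoe.com; s=sel2025; h=from:to:subject; bh=BODYHASH; b=SIGNATURE"
SIG_MAIL = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.blue-canoe.com; s=sel2025; h=from:to:subject; bh=BODYHASH; b=SIGNATURE"
SIG_VENDOR = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=vendor-mail.com; s=k1; h=from:subject; bh=BODYHASH; b=SIGNATURE"

if __name__ == "__main__":
    print("relaxed, mailer subdomain:", dkim_aligned("hello@blue-canoe.com", SIG_MAILER, "r"))
    print("strict, mailer subdomain: ", dkim_aligned("hello@blue-canoe.com", SIG_MAILER, "s"))
    print("relaxed, vendor domain:   ", dkim_aligned("hello@blue-canoe.com", SIG_VENDOR, "r"))
```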

4) Testing & keys

  • Use a throwaway alias at a major provider (e.g., Gmail) and inspect Show original/headers.
  • Ensure selectors are 2048‑bit and published at selector._domainkey.domain.tld.
  • Rotate keys annually or per vendor risk. Retire unused selectors to reduce attack surface.
  • Keep body canonicalization stable (relaxed/relaxed is typical) and avoid ESPs that rewrite your From: mid‑flight.

5) Troubleshooting alignment

  • Forwarding: SPF commonly fails because the forwarding host is not in your SPF record; ensure DKIM pass + alignment.
  • Multiple brands: Either split by subdomain or use separate From: domains, with a matching d= for each brand.
  • ESP “friendly from”: Some ESPs rewrite the friendly name; ensure the domain part remains your brand.
  • DMARC at reject: Temporarily set pct= to stage changes; use rua to watch impact before 100% enforcement.

6) TL;DR rollout

  1. Ensure every sender signs with a DKIM d= you control.
  2. Keep DMARC adkim=r during migration.
  3. Move to adkim=s once everything signs as the parent domain.