DKIM and DMARC alignment
How DKIM alignment works, why DKIM is more resilient than SPF for DMARC, and what aggregate reports can show.
DKIM lets a sending server cryptographically sign each outgoing message. The signature travels in the message headers and can be verified by any receiver that looks up the sender's public key in DNS. For DMARC purposes, the key question is whether the domain in that signature matches your From header domain.
DKIM selectors and signing domains
A DKIM signature lives in the DKIM-Signature header. The two fields that matter for DMARC are:
d=: the signing domain (e.g.yourdomain.com)s=: the selector, which identifies which key to use (e.g.google,s1,pm)
The public key for that signature lives in DNS at <selector>._domainkey.<domain>. For a selector of google and domain yourdomain.com, the lookup is:
google._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGf..."Receivers look up that record, use the public key to verify the signature, and check whether the d= domain aligns with the From header domain. If both checks pass, DKIM alignment passes for DMARC.
How DKIM survives forwarding
When a recipient forwards your email, the forwarding server sends it from a different IP address. That breaks SPF immediately because the new IP isn't in your SPF record.
DKIM works differently. The signature is embedded in the message headers and travels with the message regardless of which servers relay it. As long as nobody modifies the signed content, the signature remains valid at the final destination.
This makes DKIM the more reliable mechanism for DMARC in real-world mail delivery. SPF is fragile to forwarding; DKIM is not.
One exception: mailing list software that modifies messages before redelivery. Adding a subject prefix ([List]), inserting a footer, or changing headers can break the signature. If you see DKIM failures from otherwise legitimate sources, this is usually why.
Vendor DKIM setup: CNAME vs TXT
Most email service providers give you two ways to set up DKIM signing for your domain.
CNAME-based (SendGrid, Postmark, Resend, Mailchimp): Add one or more CNAME records that point to the provider's key infrastructure. The provider rotates keys on their end; you never touch the DNS records again. The DKIM signature still uses d=yourdomain.com, so DMARC alignment works.
TXT-based (Google Workspace): Generate a key pair in the provider's admin console, then add the public key as a TXT record at <selector>._domainkey.yourdomain.com. You own the key and are responsible for rotating it.
For most senders, CNAME-based setup is lower-maintenance. The tradeoff is trusting the provider's key infrastructure. In practice this is rarely a problem with major ESPs.
Why DKIM is more reliable than SPF for DMARC
Survives forwarding. DKIM signatures travel with the message. SPF breaks when the forwarding server's IP isn't in your record.
No lookup limit. SPF is constrained to 10 DNS lookups (RFC 7208 §4.6.4). DKIM has no such limit; each check is a single lookup for the selector record.
You control the signing domain. The d= domain is what gets checked for alignment. With proper setup, that domain is yours regardless of which ESP sends the mail.
Multiple selectors. You can have several selectors active simultaneously, enabling zero-downtime key rotation: add a new selector, update signers, then retire the old one.
The main weakness is that DKIM breaks if signed message content is modified in transit. SPF has no equivalent fragility.
What DMARCdrift can and cannot detect
DMARC aggregate reports include the DKIM result (pass or fail) and the signing domain for each source. DMARCdrift surfaces these per-sender in your domain's report view.
What you can see:
- Whether DKIM passed or failed for a given source
- Which domain (
d=) was used in the signature - Whether that domain aligned with your From domain
What you cannot see:
- The private key or signature bytes
- Individual message details (aggregate reports group messages by source, not per-email)
- Which selector was used (the signing domain is reported; the selector is not)
If a source shows DKIM passing but DMARC alignment failing, the d= domain doesn't match your From domain. That usually means the vendor is signing with their own domain rather than yours, and you need to configure custom DKIM for that service.
See also: SPF and DMARC alignment: how SPF differs from DKIM and why forwarding breaks it. Relaxed vs strict DMARC alignment: how organizational domain matching affects alignment checks.