Google and Alignment Update

Earlier this month, I published a post about some changes with how Google is displaying information related to authentication in their “View Original” page. There’s one condition I apparently didn’t report and it brought up a question earlier today.

If a message has alignment between DKIM and the 5322.from address but there is no DMARC record for that domain published in DNS, Google gives a warning that the domain doesn’t align.

A screenshot from "Show Original" at Google that says:
<p>SPF: Pass with IP 2a00:1098:88:f6:0:0:0:1</p>
<p>DKIM: 'Pass' with domain blighty.com</p>
<p>Alignment: The From header Laura Atkins <laura@blighty.com> does not match the DKIM domain blighty.com. Be careful with this message as the sender may be spoofing the From header identity.</p>
<p>Clearly the domains do match and the message is aligned. However, there is no DMARC record published for blighty.com. </p>
<p>My speculation is that the alignment message is generated from the Authentication-Results header. When you pull up “show original”, Google grovels through the “Authentication-Results” header to populate all of the special fields. If there is a DMARC=pass stamped in that header field, Google reports “Pass”. If there’s not a DMARC=pass in the header field, Google looks for the DKIM d= value and the From header and puts those tokens into the Alignment message.</p>
<p>What appears to be happening here is that Google only reports alignment in the Authentication-Results header if there is a DMARC record published in DNS. If there is no record, they don’t report DMARC=Pass and therefore the default Alignment message shows up with the domain names.</p>
<p>We can look at the raw headers and see all of this happening in the messages – ones with the incorrect Alignment message don’t have a DMARC=pass stamped in the headers. </p>
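One way to run that check on the raw headers yourself, as an added example (not code from this post or from Google): it reads only the Authentication-Results header stamped by the receiving server, compares the passing DKIM domain with the From domain, and reports whether any dmarc= result was stamped. The sample message, the selector `sel1`, the function names, and the subdomain-based approximation of relaxed alignment (no Public Suffix List lookup) are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not captured mail): DKIM passes for the From domain, no dmarc= result.
RAW_NO_DMARC = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@blighty.com header.s=sel1 header.b=AbCdEfGh;
       spf=pass (google.com: domain of laura@blighty.com designates 2a00:1098:88:f6:0:0:0:1 as permitted sender) smtp.mailfrom=laura@blighty.com
From: Laura Atkins <laura@blighty.com>
Subject: constructed test

body
"""

def parse_authres(value, authserv_id):
    """Return [(method, result, props)] for one header value, or [] if another host stamped it."""
    value = re.sub(r"\([^()]*\)", " ", value)        # drop parenthesised comments
    clauses = [c.split() for c in value.split(";")]
    if not clauses[0] or clauses[0][0].lower() != authserv_id:
        return []                                     # not our receiver's header: do not trust it
    out = []
    for tokens in clauses[1:]:
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].lower().split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            out.append((method, result, props))
    return out

def aligned(from_dom, dkim_dom):
    """Assumption: relaxed alignment approximated as same or parent/child domain (no PSL)."""
    return (from_dom == dkim_dom or from_dom.endswith("." + dkim_dom)
            or dkim_dom.endswith("." + from_dom))

def check(raw, authserv_id="mx.google.com"):
    """Summarise DKIM alignment and the stamped DMARC result for one raw message."""
    msg = message_from_string(raw)
    results = []
    for value in msg.get_all("Authentication-Results", []):
        results += parse_authres(value, authserv_id)
    from_dom = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    # Passing DKIM domains, taken from header.d or the domain part of header.i
    dkim = [(p.get("header.d") or p.get("header.i", "")).rsplit("@", 1)[-1].lower()
            for m, r, p in results if m == "dkim" and r == "pass"]
    dmarc = next((r for m, r, _ in results if m == "dmarc"), None)
    return {"from": from_dom, "dkim_pass": dkim, "dmarc": dmarc,
            "dkim_aligned": any(aligned(from_dom, d) for d in dkim)}

if __name__ == "__main__":
    print(check(RAW_NO_DMARC))
```

A result with `dkim_aligned` true and `dmarc` of `None` is the combination described above: the message is aligned, but no DMARC result was stamped.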
<p>I kinda want to talk about how Google isn’t using SPF here, but every time I start that paragraph my science brain kicks in and goes “but you need to test that first”. Right now we can say that our tests show that an SPF pass with DKIM unaligned (but passing) is enough to get “Alignment=Pass” if you have a DMARC record but not if you don’t. I can’t help wondering if you get a DMARC=pass with DKIM but not SPF if you still get a warning. I don’t easily have a way to send mail that fails SPF but passes DKIM so I can’t do the tests I want, nor am I sure, if I could, that it would give us more insight into Google’s inner workings.</p>
<p>I can say I’m extremely pleased that our brand new mailserver in IPv6 space is successfully sending mail to Google and reaching the inbox even after just a few messages. It’s nice to know small mailservers can still work for small senders without a penalty from the big mailbox providers. </p>
