Google and Alignment Update

Earlier this month, I published a post about some changes with how Google is displaying information related to authentication in their “View Original” page. There’s one condition I apparently didn’t report and it brought up a question earlier today.

If a message has alignment between DKIM and the 5322.from address but there is no DMARC record for that domain published in DNS, Google gives a warning that the domain doesn’t align.

A screenshot from "Show Original" at google that says:
<p>SPF: Pass with IP 2a00:1098:88:f6:0:0:0:1</p>
<p>DKIM: 'Pass: with domain blighty.com</p>
<p>Alignment: The From header Laura Atkins <laura@blighty.com> does not match the DKIM domain blighty.com. Be careful with this message as the sender may be spoofing the From header identity. " class=“wp-image-17149” srcset="/2025/03/google-and-alignment-update/image-4.png 1668w, /2025/03/google-and-alignment-update/image-4-300x60.png 300w, /2025/03/google-and-alignment-update/image-4-450x90.png 450w, /2025/03/google-and-alignment-update/image-4-150x30.png 150w, /2025/03/google-and-alignment-update/image-4-768x154.png 768w, /2025/03/google-and-alignment-update/image-4-1536x308.png 1536w, /2025/03/google-and-alignment-update/image-4-720x144.png 720w, /2025/03/google-and-alignment-update/image-4-580x116.png 580w, /2025/03/google-and-alignment-update/image-4-320x64.png 320w" sizes=“auto, (max-width: 1668px) 100vw, 1668px”/></figure></p>
<p>Clearly the domains do match and the message is aligned. However, there is no DMARC record published for blighty.com. </p>
<p>My speculation is that the alignment message is generated from the Authentication-Results header.  When you pull up “show original” google grovels through the “Authentication-Results” header to populate all of the special fields. If there is a DMARC=pass stamped in that header field Google reports “Pass”.  If there’s not a DMARC=pass in the header field, Google looks for the DKIM d= value and the From header and puts those tokens into the Alignment message. </p>
<p>What appears to be happening here is that Google only reports alignment in the Authentication-Results header if there is DMARC record published in DNS. If there is no record, they don’t report DMARC=Pass and therefore the default Alignment message shows up with the domain names. </p>
<p>We can look at the raw headers and see all of this happening in the messages – ones with the incorrect Alignment message don’t have a DMARC=pass stamped in the headers. </p>
<p>I kinda want to talk about how Google isn’t using SPF here but every time I start that paragraph my science brain kicks in and goes “but you need to test that first”. Right now we can say that our tests show that a SPF pass with DKIM unaligned (but passing) is enough to get “Alignment=Pass” if you have a DMARC record but not if you don’t.  I can’t help wondering if you get a DMARC=pass with DKIM but not SPF if you still get a warning. I don’t easily have a way to send mail that fails SPF but passes DKIM so I can’t do the tests I want, nor am I sure if I could that it would give us more insight into Google’s inner workings.</p>
<p>I can say I’m extremely pleased that our brand new mailserver in IPv6 space is successfully sending mail to Google and reaching the inbox even after just a few messages. It’s nice to know small mailservers can still work for small senders without a penalty from the big mailbox providers. </p>

          </div>
          <div class=

Related Posts

Google, Alignment and DMARC

Google has been making a number of changes to their systems over the last few weeks. Folks are seeing a lot of changes in Google postmaster tools and they’re seeing changes in how Google is displaying headers in the “show original” tab.

Read More

Yahoogle Requirements Update

Since I wrote about it last month the requirements for bulk senders to Yahoo and Google have changed a little.

Read More

Gmail Program for Election Mail

A few months ago, Google made a splash in the political press and the email marketing space when they asked the FEC the following question:

Read More