Skip to main content
MailCub Logo Image
Guidelines

DKIM Alignment Explained: Why It Impacts Inbox Placement

By MailCub TeamFeb 24, 20268 min read

Back to Blog

Introduction

You can have DKIM passing and still see emails land in spam or trigger authentication warnings because DKIM alignment is a separate check from DKIM itself. DKIM verifies that the signature is valid, but alignment checks whether the DKIM signing domain (d=) matches or properly relates to the domain users see in the From header.

This matters because DMARC uses alignment to connect authentication results to your visible brand domain. If DKIM passes but is not aligned, DMARC can fail, and mailbox providers may treat your identity as less trustworthy.

This guide is written for SaaS and development teams sending transactional email. It covers strict vs relaxed alignment, how to check alignment in headers, and how to fix common setups safely without guessing in production. To validate your domain setup before testing, you can review the Mailcub documentation.

Quick Answer

  • DKIM alignment means the DKIM signing domain (d=) aligns with the visible From domain.
  • DMARC requires alignment, so DKIM pass alone does not help if d= does not align with From.
  • Relaxed alignment usually allows subdomains under the same organizational domain, while strict alignment requires an exact match.
  • You can check alignment in the email headers and compare it with provider logs or events.
  • Fix alignment by signing DKIM with your From domain or an aligned subdomain, then retest after DNS changes.

Why DKIM Alignment Matters

Authentication is a trust signal. DMARC ties authentication back to the domain users recognize, and alignment is the link that makes this connection work.

When DKIM alignment is broken, you may see issues like:

  • DKIM = pass but DMARC = fail
  • Inbox placement changes after switching providers
  • Confusing debugging where DKIM looks correct but policy still fails

For transactional email, these issues can affect important messages like OTPs, password resets, receipts, and security alerts.

DKIM Alignment Explained in Plain English

DKIM adds a cryptographic signature to your email. Receiving servers validate that signature using a public key stored in DNS.

Alignment is the next step. It checks whether the DKIM signing domain (d=) matches or aligns with the domain in the From header. If it does not align, DMARC may not count that DKIM pass.

DKIM Alignment and DMARC (Strict vs Relaxed)

DMARC supports two DKIM alignment modes:

  • Relaxed (adkim=r): organizational-domain alignment (subdomains are often acceptable)
  • Strict (adkim=s): exact match required

Example:

  • From: example.com
  • DKIM d=: provider-mail.com

In this case, DKIM may pass, but DKIM alignment fails. DMARC may also fail unless SPF passes and aligns instead.

Step-by-Step Solution

Step 1: Write down your exact From domain

Be exact when checking alignment because small differences matter:

  • From: security@example.com → From domain is example.com
  • From: security@tx.example.com → From domain is tx.example.com

Even a subdomain change can affect alignment behavior.

Step 2: Extract the DKIM signing domain (d=) from headers

Open the full email headers and find the DKIM-Signature line. Look for the d= value:

  • DKIM-Signature: ... d=...

That d= value is the domain receivers use for DKIM alignment checks.

Step 3: Decide which alignment mode you are targeting

If you are using a transactional subdomain strategy like tx.example.com, relaxed alignment is usually easier to operate. Strict alignment is fine too, but it is less forgiving.

Rule of thumb:

  • If you want strict alignment, keep From and d= exactly the same.
  • If you want relaxed alignment, keep From and d= under the same organizational domain.

Step 4: Fix DKIM alignment by signing with your domain identity

Good alignment patterns include:

  • From: tx.example.com and DKIM d=: tx.example.com
  • From: example.com and DKIM d=: example.com

If your provider signs only with its own platform domain, you will need custom DKIM support so the d= domain reflects your identity.

Mailcub’s setup documentation covers DNS configuration, including DKIM, during domain setup. You can use the documentation page to confirm the correct records.

Step 5: Retest and confirm DMARC outcome

After making changes, do not stop at “DKIM pass.” Run a controlled test and verify the full result:

  • Send a controlled test email
  • Re-check headers for DKIM, SPF, and DMARC
  • Confirm alignment, not just signature validity

DNS propagation can take time, and the provided content notes that MailCub docs mention up to 48 hours. If you are testing your sending workflow, you can use the Transactional Email product to validate results safely.

Step 6: Add monitoring so failures are visible

Use logs and events so user reports can be traced back to real message outcomes. Track:

  • Status (delivered, bounced, deferred)
  • Timestamps and error reasons
  • Message identifiers for traceability

The transactional email product page highlights real-time event tracking and webhook support, which helps connect authentication issues to actual delivery outcomes. If you are planning rollout or comparing options, you can also review the Mailcub pricing page.

DKIM Pass vs DKIM Aligned (What It Changes)

Result What it means Why you care
DKIM pass only Signature valid, but d= may not align with From DMARC can still fail, and identity trust is weaker
DKIM pass + aligned Signature valid and d= aligns with From DMARC can pass via DKIM with a clearer brand identity
DKIM fail Signature missing or invalid Higher spam or reject risk, especially with enforcement

Common Mistakes

  • Signing DKIM with a provider domain that does not align with your From domain
  • Moving the From address to a subdomain but not updating DKIM signing to match
  • Using strict alignment before confirming all production From identities
  • Assuming DKIM pass automatically means DMARC pass
  • Troubleshooting only from inbox placement instead of checking headers and logs

Troubleshooting

Problem: DMARC fails but DKIM passes

This is a classic alignment issue.

Check in this order:

  • Confirm the From domain
  • Confirm the DKIM d= domain
  • Compare both against your alignment mode (strict or relaxed)
  • Update DKIM signing to an aligned domain and retest

Problem: Alignment broke after switching providers

Provider changes often affect DKIM signing behavior.

Fix it by:

  • Making sure the new provider signs DKIM with your domain or subdomain
  • Verifying DNS records were added correctly
  • Retesting after DNS propagation completes

FAQ

What is DKIM alignment?

DKIM alignment means the DKIM signing domain (the d= value in the DKIM-Signature header) aligns with the domain in the visible From header so DMARC can associate authentication with your brand domain.

What’s the difference between DKIM pass and DKIM aligned?

DKIM pass means the signature validated. DKIM aligned means the signing domain also aligns with the From domain under DMARC rules, which is often required for DMARC to pass via DKIM.

Does DMARC require DKIM alignment?

DMARC requires identifier alignment. At least one of SPF or DKIM must both pass and align with the From domain for the message to pass DMARC.

What is strict vs relaxed DKIM alignment (adkim=s vs adkim=r)?

Relaxed alignment generally allows organizational-domain matches, often including subdomains. Strict alignment requires an exact match between the From domain and the DKIM signing domain.

How do I check DKIM alignment in an email header?

Open the full headers, find the From domain and the DKIM-Signature d= domain, then compare them. If they match or align under your DMARC mode, DKIM is aligned.

Why did inbox placement change after switching email providers?

Switching providers often changes DKIM signing behavior. If DKIM or SPF no longer aligns with the From domain, DMARC can fail and filtering may become stricter.

Conclusion

DKIM alignment is what makes “DKIM passed” meaningful for your visible From domain under DMARC. When d= does not align, DMARC can fail and you end up debugging symptoms instead of identity.

The safest approach is to match DKIM signing to your From identity, retest after DNS propagation, and use logs or events so every investigation is backed by evidence. You can use the Mailcub docs to verify setup, test with the Transactional Email product, and review the pricing page if needed.

Tags:
DKIM alignmentDMARC alignmentDKIM signatureadkimFrom domainemail authenticationinbox placementdeliverability troubleshootingtransactional emailDKIM headersDMARC troubleshooting

You Might Also Like

How to Check Your Email Sending Reputation for Better Deliverability

Your email sending reputation is like your credit score—better reputation means higher inbox delivery. Learn top tools and techniques, including Google Postmaster, SenderScore, MXToolbox, and MailCub’s built-in dashboard, to monitor and improve your sender reputation.

Knowledge Base5 min read

Send Marketing and Transactional Emails Together Safely

You can send marketing and transactional emails together, but the safest setup is to separate them into two subdomains and manage each stream with clear rules. This guide explains authentication, unsubscribe vs suppression logic, warm-up steps, monitoring, and troubleshooting so your critical emails stay reliable.

Guidelines8 min read

How to Design Verification Emails That Users Trust

Verification emails are a key trust moment right after signup, and small design mistakes can reduce completions fast. This guide shows SaaS and dev teams how to design verification emails users trust with clear sender identity, safe links, one CTA, fallbacks, and tracking for delivered vs verified.

Guidelines8 min read