Domain Alignment: Difference between revisions
Created page with "Category:Deliverability Category:Authentication '''Domain alignment''' happens when 2 domains align. For example: if the sender domain (RFC5322.From) from an E-Mail matches the envelope-from from the same E-Mail, they align. * '''Strict''' alignment means, the matching domains are exactly the same. * '''Relaxed''' alignment means, the matching domains have the same responsible domain. For example, ''mail.example.com'' and ''bounce.example.com'' would align..." |
No edit summary |
Line 48: | Line 48: | ||
The adkim and aspf switches are optional. The default value for adkim and aspf is "r". | The adkim and aspf switches are optional. The default value for adkim and aspf is "r". | ||
=Link- and imagedomains / Sender domains= | |||
None of the examples above touches the E-Mail content. Nonetheless, InboxSys discovered that domain alignment in the content of the message does make a difference. | |||
After multiple A/B tests with [https://inboxsys.com InboxSys], it was discovered, that E-Mail deliverability improves when the image- and linkdomains align to one of the sender domains, RFC5321.MailFrom or RFC5322.From. With SPF identifier alignment, those domains would share the same responsible domain anyway. | |||
==Phishing-like links== | |||
Another example where A/B tests with [https://inboxsys.com InboxSys] revealed new discoveries, is within an HTML link. Here is an example of a [[Phishing Links|phishing-like HTML link]]: | |||
<pre> | |||
<a href="https://inboxsys.com">www.bankofamerica.com</a> | |||
</pre> | |||
If the link text contains any domain, it should be the same link as the link location itself. |
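Review bot: the closing sentence of the added "Phishing-like links" section says the link text "should be the same link as the link location itself", but the example it follows shows a domain mismatch between the anchor text (www.bankofamerica.com) and the href (inboxsys.com). Suggest wording it as "the domain in the link text should match the domain of the link location". Both added sections also cite A/B tests without any data or reference, so a short description of the tests or a link to the results would make the claims verifiable.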
Revision as of 16:50, 31 August 2023
Domain alignment happens when two domains used in the same message match. For example: if the sender domain (RFC5322.From) of an E-Mail matches the envelope-from of the same E-Mail, they align.
- Strict alignment means that the matching domains are exactly the same.
- Relaxed alignment means that the matching domains have the same responsible domain. For example, mail.example.com and bounce.example.com would align under relaxed alignment.
Sending IP / Hostname
Each sending IP should resolve via reverse DNS to a domain. This domain is the "hostname". Each hostname should in turn resolve to an IP, and this IP should be the same sending IP we started from.
Example from Gmail with sending IP 2a00:1450:4864:20::632:
$ host 2a00:1450:4864:20::632
2.3.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.ip6.arpa domain name pointer mail-ej1-x632.google.com.
$ host mail-ej1-x632.google.com
mail-ej1-x632.google.com has IPv6 address 2a00:1450:4864:20::632
Hostname / HELO/EHLO
According to RFC 5321, section 4.1.1.1, it's required for hostnames to align with the HELO/EHLO:
The argument field contains the fully-qualified domain name of the SMTP client if one is available.
SPF alignment
SPF aligns when the RFC5321.MailFrom domain matches the RFC5322.From domain. In layman's terms: when the envelope-from domain matches the sender domain.
HELO/EHLO tests
If an incoming message has no envelope-from (RFC5321.MailFrom), SPF falls back to the HELO/EHLO domain. Examples of messages without envelope-from are Delivery Status Notification messages. For this reason, it's recommended to align the HELO/EHLO to the RFC5321.MailFrom.
DKIM alignment
DKIM aligns when the sender domain matches the signing domain. More precisely: when the RFC5322.From domain (also "Agent or User Identifier"), represented in the i-switch, matches the "Signing Domain Identifier", represented in the d-switch.
Alignment in DMARC
DMARC only passes if SPF or DKIM passes with some form of alignment, relaxed or strict. This can be configured in the DMARC DNS TXT record using the following switches:
- aspf: SPF alignment. Options are "s" for "strict" or "r" for "relaxed".
- adkim: DKIM alignment. Options are "s" for "strict" or "r" for "relaxed".
The adkim and aspf switches are optional. The default value for adkim and aspf is "r".
Link and image domains / Sender domains
None of the examples above touches the E-Mail content. Nonetheless, InboxSys discovered that domain alignment in the content of the message does make a difference.
After multiple A/B tests with InboxSys, it was discovered that E-Mail deliverability improves when the image and link domains align with one of the sender domains, RFC5321.MailFrom or RFC5322.From. With SPF identifier alignment, those domains would share the same responsible domain anyway.
Phishing-like links
A/B tests with InboxSys also revealed an effect within HTML links. Here is an example of a phishing-like HTML link:
<a href="https://inboxsys.com">www.bankofamerica.com</a>
If the link text contains a domain, it should be the same domain as the link location itself.
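The strict and relaxed rules from the top of the page and the link-text check above, as an added example that is not part of the original page or InboxSys code. All function names are hypothetical, and `responsible_domain` assumes the responsible domain is the last two labels; real code needs the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Heuristic for a hostname-looking token inside visible link text.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def responsible_domain(host):
    # ASSUMPTION: last two labels. Real code must consult the Public Suffix
    # List, otherwise names under suffixes such as co.uk are grouped wrongly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def aligned(a, b, mode="r"):
    """mode 's' = strict (exact match), 'r' = relaxed (same responsible domain)."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    if mode == "s":
        return a == b
    return responsible_domain(a) == responsible_domain(b)

class LinkAudit(HTMLParser):
    """Collects (href_host, shown_domain) pairs that do not align."""
    def __init__(self, mode="r"):
        super().__init__()
        self.mode, self.href, self.text, self.mismatches = mode, None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:      # only collect text inside an <a>
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        host = urlsplit(self.href).hostname or ""
        for shown in DOMAIN_RE.findall("".join(self.text)):
            if not aligned(shown, host, self.mode):
                self.mismatches.append((host, shown.lower()))
        self.href = None

def phishing_like_links(html, mode="r"):
    """Return every link whose visible domain does not align with its href."""
    audit = LinkAudit(mode)
    audit.feed(html)
    audit.close()
    return audit.mismatches
```

Link text without any domain, such as "Click here", is never flagged; only a displayed domain that fails alignment with the href host is reported.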