PowerMTA DKIM, SPF & Alignment Checklist — DMARC Compliance

Configuring SPF and DKIM is not enough to pass modern email authentication. Mailbox providers now require alignment — a strict relationship between authentication results and the visible sender domain.

In PowerMTA environments, misalignment is one of the most common causes of DMARC failures, spam placement, and silent message rejection.

This article provides a practical DKIM/SPF alignment checklist specifically for PowerMTA operators who want consistent DMARC pass rates and long-term inbox trust.

What Alignment Really Means

Alignment answers a critical trust question:

Does the authenticated sending domain match the visible “From” domain?

DMARC does not care if SPF or DKIM passes in isolation. It only passes when at least one mechanism aligns. More details are covered in the DKIM/SPF alignment guide .

• SPF aligns with the envelope sender (Return-Path)
• DKIM aligns with the signing domain (d=)
• Both are compared to the visible From domain

SPF Alignment in PowerMTA

How SPF Is Evaluated

SPF checks the IP address against the domain used in the SMTP MAIL FROM (Return-Path). A complete SPF setup flow is documented in the PowerMTA SPF alignment checklist .

SPF Alignment Modes

PowerMTA SPF Checklist

• MAIL FROM domain is owned by the sender
• SPF record includes all sending IPs
• No more than 10 DNS lookups
• Ends with -all or ~all

v=spf1 ip4:203.0.113.10 include:_spf.provider.com -all

DKIM Alignment in PowerMTA

How DKIM Is Evaluated

DKIM validates message integrity and domain authenticity using cryptographic signatures. The alignment logic is explained in detail in the PowerMTA DKIM alignment guide .

The critical alignment element is the d= value inside the DKIM signature.

DKIM Alignment Modes

• Relaxed: Organizational domain match
• Strict: Exact domain match

PowerMTA DKIM Checklist

• DKIM signing enabled per virtual MTA
• Signing domain matches From domain
• 2048-bit keys for major providers
• Keys rotated periodically

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=pmta1;

DMARC Policy and Alignment Enforcement

DMARC ties everything together by enforcing alignment rules and defining failure behavior. A full enforcement model is described in the DMARC compliance guide for PowerMTA .

v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com

Common Alignment Failures

• Using third-party Return-Path domains
• DKIM signing with a different domain
• Multiple From domains sharing one DKIM key
• Incorrect organizational domain assumptions

In PowerMTA, these issues often appear as DMARC failures despite SPF and DKIM showing “pass”. Most of these scenarios are covered in the alignment troubleshooting section .

Monitoring Alignment with DMARC Reports

DMARC aggregate reports provide visibility into real-world alignment performance. Proper report interpretation is explained in the PowerMTA DMARC monitoring guide .

• Track pass/fail by domain
• Identify misaligned traffic sources
• Validate PowerMTA configuration changes

Final Checklist Summary

• From domain matches DKIM signing domain
• Return-Path domain aligns with SPF
• DMARC policy defined and enforced
• Alignment mode chosen intentionally
• Reports reviewed regularly

Final Thoughts

DKIM and SPF alignment is no longer optional. It is the foundation of sender identity and brand protection.

When properly aligned, PowerMTA becomes a trusted sender rather than a tolerated one. Start with the complete PowerMTA alignment checklist .