DKIM Alignment Child Domain vs Org Domain

Question on alignment.
Most examples I see state that for relaxed alignment state that the The Mail From or Envelope From domain is a subdomain of the From domain for alignment.

e.g. aligns with

The RFC states that:

In relaxed mode, the Organizational Domains of both the [DKIM]-
authenticated signing domain (taken from the value of the “d=” tag in
the signature) and that of the RFC5322.From domain must be equal if
the identifiers are to be considered aligned. In strict mode, only
an exact match between both of the Fully Qualified Domain Names
(FQDNs) is considered to produce Identifier Alignment.

To me that reads that as long as the signing domain and from domain match the organizational/root domain the they align.

Use case, we are looking at a vendor and I am trying to determine if relaxed alignment will work with both our student and staff domains:

DKIM Signing =
student FROM domain =
staff FROM domain =

From my testing using OPENDKIM, it seems like my reading of the RFC is correct, but wanted to see if anyone else had input.

My Test resuts:
spf=none (sender IP is; dkim=pass (signature was verified);dmarc=pass action=none;

Hi southwick,

You are correct that alignment is where the organizational level domain of the SPF or DKIM domain identity matches the organizational level domain of the from: header. The organizational level domain is the first private domain prepending a public suffix. In your case the public suffix being the .edu TLD. Campus would then be the private label, making the org domain.

With that in mind, this is correct.


All three are aligned. Any amount of subdomains also does not matter.

I hope this helps.