Emails sent from Amazon SES sometimes (rarely) fail DKIM


We're using Amazon SES to send email messages with Easy DKIM to sign emails automatically. We've published our DMARC policy with Cloudflare. It includes the p=reject option.

We're using a DMARC analyzer service to analyze DMARC reports. We noticed that a small percent of all emails fail DKIM and DMARC, for unknown reasons.

For example, in the last 3 months, we sent 18,083 emails using Amazon SES. 16 of those emails failed DKIM verification.

It might be interesting to note that those 16 emails were sent from different Amazon SES IP addresses. For example, a single IP address sent 646 emails in the last 3 months; 2 of those failed DKIM verification.

Out of those 16 failures, 9 were reported by Google and 7 by Enterprise Outlook.

Also, we had the most reports on March 26 (8 failures) with 1 or 2 failures on March 4th, 18th and 25th, April 12th and 18th and May 3rd.

So the only possible clue we have so far is a slightly higher number of failures on March 26th, which could be accidental.

What could be the reason for these failures? Where can we look further? As far as we're aware, this is not a configuration issue, but we're stuck at the moment.

asked 8 months ago
1 Answer

Typically, DKIM failures appearing in DMARC reports are due to messages being forwarded from the original recipient (e.g. an alias expansion, or mailing list) and then on to a final recipient or set of recipients.

A quality DMARC analysis service should help you detect this scenario through patterns in SPF domain misalignment. For example, if all of the messages are originating from SES, you may see all of the failures occurring from messages sent from Office 365's SPF zone.

Forwarding servers can fix this by rewriting the From address to use a domain whose DNS they own, and can then apply their own domain-aligned DKIM signature.

Domain owners who cannot tolerate messages failing delivery due to a prevalence of forwarding should not publish a 'reject' or 'quarantine' policy.

AWS
answered 8 months ago
  • Thank you for answering, Jesse_T. However, forwarding is not the issue here. We have forwarded emails reported separately. For these emails, DKIM verification passes, SPF is not aligned, but DMARC passes.

    The problem with emails that I mentioned in my question is that they actually fail DKIM. I don't think they are forwarded.

  • If you can find specific example messages that have failing DKIM signatures, please open a support case and share the specific message-ids.

  • Thank you for your answer, Jesse_T. We just received a report for a failing DKIM (and DMARC) from June 13. However, DMARC reports don't include message IDs. Am I wrong about this?

    Is there some other way I can obtain a message ID? Thank you.
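An added example, not from the thread or from AWS, of the analysis the answer describes: parsing a DMARC aggregate (RUA) report and separating records where DMARC passed via aligned DKIM (including forwards that only break SPF) from records where DKIM itself failed on mail delivered straight from SES. The report XML, IPs and domains are constructed placeholders, and the "direct SES" heuristic assumes the default SES MAIL FROM domain (amazonses.com); with a custom MAIL FROM domain that check would need to use that domain instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a DMARC aggregate (RUA) report, trimmed to the fields used
# below. Record 1: direct SES, DKIM aligned. Record 2: forwarded, DKIM still aligned.
# Record 3: direct SES but the DKIM signature failed, the case the question asks about.
SAMPLE_RUA = """<feedback>
 <policy_published><domain>example.com</domain><p>reject</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>640</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>amazonses.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>2</count>
   <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
   <spf><domain>amazonses.com</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def classify_records(xml_text):
    # One dict per <record>: the receiver's DMARC outcome plus a diagnosis label.
    root = ET.fromstring(xml_text)
    out = []
    for rec in root.findall("record"):
        pe = rec.find("row/policy_evaluated")
        dkim_aligned = pe.findtext("dkim") == "pass"   # aligned DKIM as judged by the receiver
        spf_aligned = pe.findtext("spf") == "pass"     # aligned SPF as judged by the receiver
        spf_domain = rec.findtext("auth_results/spf/domain") or "?"
        if dkim_aligned or spf_aligned:
            label = "dmarc pass"
        elif spf_domain.endswith("amazonses.com"):
            # Envelope sender is SES itself (assumed default MAIL FROM), so no forwarder
            # touched the message: the DKIM signature failed on direct delivery.
            label = "dkim broken on direct SES delivery"
        else:
            # Neither identifier aligned and a third party sent it: forwarded and modified.
            label = "likely forwarded (SPF domain %s)" % spf_domain
        out.append({"source_ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count")),
                    "disposition": pe.findtext("disposition"), "label": label})
    return out

def failing_total(records):
    # Messages the receiver quarantined or rejected under the published policy.
    return sum(r["count"] for r in records if r["disposition"] != "none")
```

Aggregate reports carry only these per-source counts and verdicts, not Message-IDs; a DMARC failure (ruf) report or a copy of the message from the recipient is needed to identify a specific message.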
