Typically, DKIM failures appearing in DMARC reports are due to messages being forwarded from the original recipient (e.g. an alias expansion, or mailing list) and then on to a final recipient or set of recipients.
A quality DMARC analysis service should help you detect this scenario through patterns in SPF domain misalignment. For example, if all of the messages are originating from SES, you may see all of the failures occurring from messages sent from Office 365's SPF zone.
Forwarding servers can fix this by rewriting the From address using a domain for which they own the DNS and can apply their own domain-aligned DKIM signature.
Domain owners who cannot tolerate messages failing delivery due to a prevalence of forwarding should not publish a 'reject' or 'quarantine' policy.
Thank you for answering, Jesse_T. However, forwarding is not the issue here. We have forwarded emails reported separately. For these emails, DKIM verification passes, SPF is not aligned, but DMARC passes.
The problem with emails that I mentioned in my question is that they actually fail DKIM. I don't think they are forwarded.
If you can find specific example messages that have failing DKIM signatures, please open a support case and share the specific message-ids.
Thank you for your answer, Jesse_T. We just received a report for a failing DKIM (and DMARC) from June 13. However, DMARC reports don't include message IDs. Am I wrong about this?
Is there some other way I can obtain a message ID? Thank you.
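One way to apply the SPF-domain pattern check described in the answer, as an added example that is not part of the original thread or any AWS tooling: it reads a DMARC aggregate report (RFC 7489 layout) and splits DKIM-failing rows into those relayed through an unrelated SPF domain and those sent directly from an aligned one. The sample report, its domains and IPs are constructed, and the `aligned` helper is a simplified stand-in for organizational-domain alignment.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (RFC 7489 layout); all domains and IPs are placeholders.
SAMPLE_REPORT = """<feedback>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>12</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
   <spf><domain>forwarder.example.net</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>3</count>
   <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
   <spf><domain>mail.example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>mail.example.com</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""

def aligned(a, b):
    # Simplification: same domain or parent/child. A full check uses the Public Suffix List.
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def dkim_failure_summary(xml_text):
    """Message counts for DKIM-failing rows, keyed by (kind, spf_domain, source_ip)."""
    summary = Counter()
    # Reports come from third parties: treat the XML as untrusted (e.g. parse with defusedxml).
    for rec in ET.fromstring(xml_text).iter("record"):
        if rec.findtext("row/policy_evaluated/dkim") != "fail":
            continue
        header_from = rec.findtext("identifiers/header_from", "")
        spf_domain = rec.findtext("auth_results/spf/domain", "")
        # An SPF domain unrelated to the From domain points at a relay such as a forwarder.
        kind = "direct" if spf_domain and aligned(spf_domain, header_from) else "relayed"
        summary[(kind, spf_domain, rec.findtext("row/source_ip", ""))] += int(rec.findtext("row/count", "0"))
    return summary
```

Rows reported as `direct` are the ones that fail DKIM without an intermediate relay in the SPF result, so their source IP and report date range are the details to narrow down before searching sending logs.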