Summary
When an Authentication-Results header shows a DKIM pass and a DomainKeys fail, it indicates that the email likely passed DKIM verification, confirming its source and integrity. DomainKeys failure is common due to its obsolescence or misconfiguration, and is often safe to ignore. OpenDKIM may not always handle certain Microsoft emails correctly. Email professionals recommend focusing on DKIM setup and DKIM alignment, while understanding that DomainKeys is deprecated.
Key findings
- DKIM Pass is Primary: A DKIM pass signifies that the email is likely authentic and hasn't been altered.
- DomainKeys is Outdated: DomainKeys is deprecated, less reliable, or not properly configured.
- Authentication-Results Defined: The Authentication-Results header reports the outcome of various email authentication checks.
- OpenDKIM and MS Emails: Older OpenDKIM versions may struggle with some Microsoft emails.
Key considerations
- Focus on DKIM Configuration: Prioritize DKIM setup and alignment for deliverability.
- Ignore DomainKeys Failures: Treat DomainKeys failures as largely insignificant.
- Message Alterations: Consider that DomainKeys failures may be due to message alterations during transit.
What email marketers say
9 marketer opinions
When a DKIM check passes and a DomainKeys check fails in an Authentication Results Header, it generally indicates that DKIM, the more modern and reliable authentication method, has successfully verified the sender's signature. The DomainKeys failure is often due to the method's obsolescence, misconfiguration, or the message being altered in transit. Experts recommend prioritizing DKIM configuration and treating DomainKeys failures as less significant or ignorable.
Key opinions
- DKIM Priority: DKIM pass is more important; it's the current standard.
- DomainKeys Obsolete: DomainKeys is old and often unconfigured.
- Message Alteration: DomainKeys failure may indicate message alteration.
- Authentication Results: Authentication-Results header reports email authentication checks.
Key considerations
- Check DKIM Setup: Ensure DKIM is correctly configured and aligned.
- Ignore DomainKeys: DomainKeys failures can usually be ignored.
- Mailing Lists: Be aware that mailing lists may alter messages, causing DomainKeys to fail.
Marketer view
Email marketer from EmailProviderHelp states that a DomainKeys failure alongside a DKIM pass suggests that the server has not configured DomainKeys, or the configuration is out of date. Ensure DKIM is correct as that is more important for authentication.
12 Dec 2023 - EmailProviderHelp
Marketer view
Email marketer from StackExchange explains that if DKIM passes but DomainKeys fails, it's likely because the recipient server supports both but the message only fully conforms to DKIM. Also, DomainKeys is older and less reliable. The email might still be considered legitimate due to the DKIM pass.
26 Mar 2023 - StackExchange
What the experts say
6 expert opinions
An Authentication-Results header contains information about email authentication checks, including DKIM and DomainKeys. A DKIM pass with a DomainKeys failure suggests that the email is likely authentic due to successful DKIM verification. DomainKeys failure can stem from obsolescence, misconfiguration, or message alteration. Some older OpenDKIM versions may struggle with certain emails, potentially due to Microsoft emitting invalid emails. DKIM alignment should be prioritized for better deliverability.
Key opinions
- DKIM Pass is Key: A passing DKIM result indicates the email is likely authentic.
- DomainKeys Failure: DomainKeys failure is common and often ignorable due to its age.
- OpenDKIM Issues: Older OpenDKIM versions might have issues with some emails, possibly from Microsoft.
- Authentication-Results Header: This header contains details of authentication checks like DKIM and DomainKeys.
Key considerations
- Prioritize DKIM: Focus on ensuring DKIM is properly configured for good deliverability.
- DomainKeys Obsolescence: Recognize that DomainKeys is outdated and might not be relevant.
- Microsoft Emails: Be aware of potential issues with certain Microsoft emails and OpenDKIM.
Expert view
Expert from Word to the Wise details that The Authentication-Results header shows each authentication check performed on an email. A DKIM pass and DomainKeys fail implies that DKIM successfully verified the sender, while DomainKeys either failed or wasn't present. This is not uncommon, and DKIM takes precedence.
19 May 2022 - Word to the Wise
Expert view
Expert from Email Geeks explains that amavis and openDKIM both do authentication results headers. She also notes that OpenDKIM doesn’t check domainkeys.
18 May 2024 - Email Geeks
What the documentation says
5 technical articles
An Authentication-Results header, as defined in RFC specifications and explained by email authentication resources like Valimail, DMARC.org, and OpenDKIM, reports on various email authentication checks such as SPF, DKIM, and DMARC. When DKIM passes and DomainKeys fails, it signifies that the DKIM signature is valid and the message's integrity and source are verified, even across multiple servers. The DomainKeys failure usually stems from its deprecation, lack of implementation, or message alterations during transit. DKIM is the preferred standard.
Key findings
- Header Reports Authentication: The Authentication-Results header shows the results of DKIM, SPF, and DMARC checks.
- DKIM Validates Source: A DKIM pass confirms the message's source and integrity.
- DomainKeys Deprecated: DomainKeys is no longer a preferred or widely used standard.
- Transit Changes Impact DomainKeys: DomainKeys failure is often due to message changes in transit.
Key considerations
- Prioritize DKIM Setup: Focus on ensuring DKIM is properly configured and working.
- Understand Header Details: Review the Authentication-Results header to understand authentication outcomes.
- DomainKeys Irrelevance: Treat DomainKeys failures as largely irrelevant in modern email authentication.
Technical article
Documentation from Valimail explains that an Authentication-Results header includes details about SPF, DKIM, and DMARC checks. A DKIM pass combined with a DomainKeys fail suggests the DKIM signature is valid, but DomainKeys either failed verification or wasn't implemented.
1 Aug 2021 - Valimail
Technical article
Documentation from RFC Editor (RFC4871) explains that DKIM provides a mechanism for verifying the source and integrity of email messages, even if the message passes through multiple servers. If DKIM passes, it confirms that the message hasn't been altered since it was signed by the sender.
28 Jun 2024 - RFC Editor
Are SPF, DKIM, and DMARC records necessary for transactional email servers not used for marketing?
How can a phishing email pass SPF and DKIM authentication checks?
How can I troubleshoot DMARC failures and identify the cause of authentication issues?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
If DMARC passes but SPF fails, what are the concerns and impacts on email deliverability?
What are SPF, DKIM, and DMARC, and when are they needed?
