Why does Aboutmy.email show no DKIM signature but other tools validate DKIM? How do SPF alignment and DMARC work?
Michael Ko
Co-founder & CEO, Suped
Published 25 Apr 2025
Updated 17 Aug 2025
7 min read
It can be confusing when different tools provide conflicting information about your email authentication. You might use a tool like Aboutmy.email and see no DKIM signature, yet other DKIM-specific tools confirm your record is valid. This discrepancy often leads to questions about how SPF alignment and DMARC truly operate and what constitutes a DMARC pass or fail.
Understanding these differences is crucial for effective email deliverability and to ensure your messages reach the inbox, rather than landing in spam or being rejected. Let's explore the nuances of email authentication to clarify why this happens and how these protocols work together.
The core of the confusion often lies in what each tool is actually checking. Many DKIM validation tools primarily verify if your public DKIM record is correctly published in your DNS. They check if the DNS TXT record exists for your DKIM selector and if its value is valid.
However, Aboutmy.email operates differently. It analyzes the actual email that you send, examining its headers to see if a DKIM-Signature header is present. If your mail system or Email Service Provider (ESP) is not signing the outgoing mail with DKIM, then Aboutmy.email will correctly report no DKIM signature, even if your DNS record is perfectly set up. This is a common issue that impacts DKIM verification.
This distinction highlights the importance of checking the email in transit. A valid DNS record is a necessary first step, but the actual signing of the email by your sending infrastructure is equally crucial. If your emails are not being signed, they will lack a valid DKIM signature, potentially leading to deliverability issues even if your DNS configuration appears correct.
DNS record vs. actual signing
Most DKIM validation tools confirm if your public key is published in DNS. Aboutmy.email checks if the DKIM-Signature header is actually present in the sent email.
A valid DNS record does not guarantee that your emails are being DKIM-signed by your sending service. You need both to achieve proper DKIM authentication.
How SPF alignment works
Sender Policy Framework (SPF) is an email authentication method designed to detect sender address forgery. It allows a domain owner to specify which mail servers are authorized to send email on behalf of their domain. Recipients then check this record to verify the sender's legitimacy.
SPF by itself doesn't have an inherent concept of alignment. It simply checks if the IP address of the sending server is authorized by the domain found in the Mail From (or Return-Path) header. SPF alignment, however, is a concept introduced by DMARC. It requires that the domain in the Mail From header aligns with the domain in the From header (the one users see). This alignment is critical for DMARC to pass SPF authentication, as discussed in SPF alignment failures.
There are two types of alignment modes for SPF under DMARC: strict and relaxed. In strict alignment, the Mail From domain must exactly match the From domain. For relaxed alignment, they only need to share the same organizational domain, meaning a subdomain of your primary domain will also align. For example, e.companyname.com and bounce.companyname.com would align under relaxed mode because they both belong to the companyname.com organizational domain. You can learn more about this on organizational domains.
Many email senders configure their SPF using the relaxed alignment mode, which provides more flexibility. This is often necessary when using third-party email service providers (ESPs) that send mail from their own subdomains, preventing SPF misalignment. Understanding how relaxed alignment works can clarify why your SPF is passing even with different subdomains.
Strict alignment
Requirement: The Mail From (Return-Path) domain must exactly match the From header domain.
Example: If From: example.com, then Mail From must be example.com.
Use case: Typically used for domains that send mail directly or have very tight control over their sending infrastructure.
Relaxed alignment
Requirement: The Mail From domain and From header domain must share the same organizational domain.
Example: If From: example.com, then Mail From could be mail.example.com or example.com.
Use case: Common for senders using ESPs, where the Mail From domain might be a subdomain provided by the ESP.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the third and most advanced layer of email authentication, building upon SPF and DKIM. Its primary role is to tell receiving mail servers what to do with emails that fail SPF or DKIM alignment checks, helping to prevent email spoofing and phishing attacks.
For an email to pass DMARC authentication, at least one of SPF or DKIM must pass and align with the From header domain. If an email has a valid SPF pass and the Mail From domain aligns with the From header (even in relaxed mode), DMARC will pass, regardless of the DKIM status. Conversely, if DKIM is present, valid, and aligns, DMARC will pass even if SPF fails. This means the absence of DKIM alone does not necessarily lead to a DMARC failure, if SPF is passing and aligning.
DMARC policies (p=none, p=quarantine, p=reject) dictate how recipients should handle emails that fail authentication. A p=none policy monitors authentication failures without taking action, providing valuable insights. Moving to p=quarantine or p=reject can significantly enhance security and prevent brand abuse, but requires careful implementation to avoid legitimate emails being blocked. Understanding how DMARC works and its various policies is key to successful deployment.
When DMARC authentications fail consistently, it can lead to your emails being marked as spam or rejected outright by receiving servers, impacting your overall email deliverability. This can also result in your domain or IP being placed on a blocklist (or blacklist), which further hurts your sending reputation. It’s important to understand how email blocklists work to mitigate these risks.
Protocol
What it checks
Role in DMARC alignment
SPF
Authorizes sending IP addresses based on the Mail From domain.
Checks if the Mail From domain aligns with the From header (strict or relaxed).
DKIM
Verifies email content integrity and sender identity using cryptographic signatures.
Checks if the domain in the DKIM signature (d=tag) aligns with the From header (strict or relaxed).
DMARC
Specifies policies for handling emails that fail SPF or DKIM alignment.
Passes if SPF or DKIM (or both) pass authentication AND align with the From header.
Troubleshooting common authentication issues
When troubleshooting email authentication, always start by examining the full email headers of a message. Tools that provide raw header analysis, like Aboutmy.email, are invaluable because they show you exactly what authentication results (SPF, DKIM, DMARC) were recorded when the email was received.
If you've confirmed your DNS records are correct but DKIM signatures are missing from outgoing mail, the next step is typically to contact your Email Service Provider (ESP). Email sending platforms are responsible for signing your emails with DKIM. They might have a specific setting you need to enable or a configuration step you've missed on their end.
For SPF and DMARC alignment issues, ensure your Mail From domain is either identical to or a subdomain of your From domain. Review your DMARC record to ensure the alignment mode (relaxed or strict) is appropriate for your sending patterns. Regularly monitoring your DMARC reports can provide valuable data on how your emails are being authenticated by various receivers.
Key troubleshooting steps
Verify headers: Always inspect the raw email headers for the definitive authentication results for SPF, DKIM, and DMARC.
Contact ESP: If DKIM signatures are missing, confirm with your Email Service Provider that email signing is enabled.
Check alignment: Ensure your Mail From and DKIM domains align with your From header based on your DMARC policy.
Monitor DMARC reports: Use DMARC aggregate and forensic reports to identify authentication failures.
Views from the trenches
Best practices
Always check the actual email headers of a sent message for the definitive authentication results.
Work closely with your Email Service Provider to ensure proper DKIM signing and SPF configuration.
Gradually implement DMARC policies (p=none to p=quarantine to p=reject) to avoid blocking legitimate emails.
Regularly review DMARC reports to identify authentication issues and potential abuse of your domain.
Ensure consistency between your 'From' header, 'Mail From' domain, and DKIM signing domain for alignment.
Common pitfalls
Relying solely on DNS-based DKIM validation tools without checking actual email headers for the signature.
Misunderstanding SPF's lack of inherent alignment, leading to confusion about DMARC SPF alignment.
Implementing a strict DMARC policy (p=reject) too quickly without sufficient monitoring and alignment.
Ignoring DMARC reports, thus missing critical insights into email authentication failures and spoofing attempts.
Assuming that if DKIM DNS records are present, the emails are automatically being signed by the sending system.
Expert tips
Confirm that your Email Service Provider (ESP) is actively signing your outbound emails with DKIM.
Understand the difference between strict and relaxed DMARC alignment for both SPF and DKIM.
Leverage DMARC aggregate reports to gain a comprehensive overview of your email authentication status.
Address any SPF `TempError` in DMARC reports to ensure consistent SPF validation.
Ensure that your 'Mail From' domain aligns with your 'From' domain under your DMARC policy.
Marketer view
Marketer from Email Geeks says they ran into an issue where Aboutmy.email reported no DKIM signature even though other tools validated the record, which led to confusion.
2024-05-15 - Email Geeks
Expert view
Expert from Email Geeks says many DKIM tools only check what you tell them via DNS, while Aboutmy.email inspects the actual email to see if a DKIM-Signature header is present. If it's missing, the mail system isn't signing the mail.
2024-05-16 - Email Geeks
Ensuring robust email authentication
The key takeaway is that understanding email authentication goes beyond merely checking DNS records. It requires verifying the actual email headers to ensure that SPF and DKIM are not just configured, but actively passing and aligning with your From domain under DMARC.
By proactively monitoring your email authentication, troubleshooting any discrepancies between tools and actual email headers, and correctly configuring SPF, DKIM, and DMARC, you can significantly improve your email deliverability and protect your domain's reputation.
