Suped

Why does DKIM authentication sometimes fail with certain ISPs or receivers like Barracuda and Proofpoint?

Summary

DKIM authentication failures can stem from various factors. Security solutions like Barracuda and Proofpoint, often deployed in front of destination domains, may alter email content, impacting DKIM validity. Email forwarding, especially through mailing lists, modifies headers/body, thus invalidating the DKIM signature. Filters should verify DKIM before modifying the email body. Interoperability problems can arise from senders' practices violating protocol standards. Incorrect DNS configurations, character encoding issues, and problems with the DKIM key itself are other potential causes. ARC (Authenticated Received Chain) helps preserve authentication across hops if filters trust the results. DMARC policies are strict with DKIM and SPF alignment. The root cause of these problems needs to be understood to ensure the best deliverability.

Key findings

  • Security Solutions Interference: Barracuda, Proofpoint, and similar solutions modify email content, invalidating DKIM signatures.
  • Forwarding Issues: Email forwarding modifies headers and bodies, breaking DKIM.
  • Verification Timing: Filters should verify DKIM before altering the message.
  • Interoperability Concerns: Protocol violations can lead to DKIM failures.
  • Configuration Problems: Inaccurate DNS configuration can cause DKIM to fail.
  • DMARC Policies: Stricter DMARC enforcement means messages are marked as spam more readily.
  • ARC Solution: ARC is a potential solution if filters trust it.

Key considerations

  • Whitelist IPs: It may be necessary to whitelist sender IPs to preserve alignment.
  • Correct Protocols: Ensure there are no protocol violations.
  • Check DNS Settings: Ensure DNS settings are correct for DKIM configuration.
  • Adopt ARC: Adopt ARC where possible to preserve authentication results across hops.
  • DMARC Policy: Understand the relationship between DKIM and DMARC to avoid failures.

What email marketers say

11 marketer opinions

DKIM authentication failures can occur for several reasons, particularly when dealing with certain ISPs and receivers like Barracuda and Proofpoint. These failures often stem from modifications made to email content during transit by intermediaries, such as security gateways that alter URLs or add disclaimers. Incorrect DNS configuration, character encoding issues, and problems with the DKIM key itself also contribute. Forwarding emails, especially through mailing lists, can invalidate DKIM signatures due to header or body modifications. While a passing SPF record may sometimes mitigate the impact, it is crucial to ensure both SPF and DKIM pass for optimal deliverability, especially with stricter DMARC policies. Solutions like ARC (Authenticated Received Chain) and whitelisting sender IPs can help address these issues.

Key opinions

  • Content Modification: Email security gateways like Proofpoint and Barracuda often modify email content (URLs, disclaimers), invalidating the DKIM signature.
  • Indirect Mail Flows: Forwarding through mailing lists modifies headers/body, breaking DKIM signatures.
  • DNS Issues: Incorrect DNS configuration is a common cause of DKIM failures.
  • Character Encoding: Character encoding problems during transmission can change the message hash, leading to DKIM failures.
  • DMARC Impact: Gmail and other major ISPs are stricter with DMARC policies; DKIM failures coupled with SPF misalignment increase the likelihood of spam or blocking.

Key considerations

  • Monitor DKIM Reports: Regularly monitor DKIM reports to identify and resolve issues.
  • Whitelist IPs: Whitelist sender IPs in security gateways like Proofpoint and Barracuda.
  • Implement ARC: Implement ARC (Authenticated Received Chain) to preserve authentication results across multiple hops.
  • Check DNS Records: Ensure DNS records are correctly configured for DKIM.
  • Ensure SPF and DKIM Pass: Aim for both SPF and DKIM to pass for optimal deliverability, especially with strict DMARC policies.

Marketer view

Email marketer from an Email Marketing Forum explains that sometimes DKIM failures are seen as less important if SPF is passing. However, for maximum deliverability, both SPF and DKIM should pass. They suggest checking DNS records for errors.

7 May 2024 - Email Marketing Forum

Marketer view

Email marketer from Mailhardener shares that ARC (Authenticated Received Chain) is designed to address DKIM failures in forwarding scenarios by preserving authentication results across multiple hops. ARC allows receiving servers to trust the original authentication status even if the DKIM signature is broken by an intermediary.

23 May 2024 - Mailhardener

What the experts say

5 expert opinions

DKIM authentication failures can arise for various reasons, often pointing to underlying deliverability issues. A core principle is that filters should ideally verify DKIM signatures before modifying email bodies. Consistent failures with specific MTAs may signal interoperability problems, where certain sender practices, while acceptable to some, technically violate protocol standards. Email forwarding, particularly via mailing lists, commonly alters headers or bodies, thus invalidating DKIM signatures. Addressing these issues often involves understanding the root cause and working with ESP support. ARC (Authenticated Received Chain) is frequently proposed as a solution to preserve authentication results across multiple email hops, provided that filters reliably trust ARC results.

Key opinions

  • Verification Timing: Sensible filters should verify DKIM signatures before modifying the email body.
  • Interoperability Issues: Consistent DKIM failures at specific MTAs may point to interoperability problems or protocol violations.
  • Forwarding Impact: Email forwarding modifies headers/body, invalidating DKIM signatures.
  • ARC Solution: ARC can help preserve authentication results during forwarding, assuming filters trust the results.
  • Deliverability Symptom: Authentication failures are often symptoms of larger deliverability problems.

Key considerations

  • Investigate Cause: Understand the root cause of DKIM failures and determine if the underlying issue can be resolved.
  • Seek ESP Support: Engage with your ESP's support team to troubleshoot DKIM-related problems.
  • Trust ARC Results: Ensure that email filters reliably trust ARC results for forwarded messages.
  • Address Protocol Violations: Review sending practices to identify and correct any technical protocol violations.

Expert view

Expert from Email Geeks states that any sensible filter should be doing DKIM verification _before_ they modify the body.

26 Aug 2024 - Email Geeks

Expert view

Expert from Email Geeks suggests ARC might be a useful solution to DKIM authentication issues, especially if filters trust the ARC results.

26 Nov 2021 - Email Geeks

What the documentation says

3 technical articles

DKIM authentication failures can occur due to email forwarding, as the modification of message headers or the body by the forwarder invalidates the DKIM signature. ARC (Authenticated Received Chain) is crucial for preserving authentication results across multiple hops. DKIM failures can also lead to DMARC failures if the message doesn't align with SPF or other authentication mechanisms, potentially resulting in email rejection or being marked as spam. Changes made in transit, such as adding disclaimers or converting character encodings, also invalidate the DKIM signature, as outlined in the DKIM standard (RFC6376).

Key findings

  • Forwarding Issues: Email forwarding modifies message headers or body, invalidating the DKIM signature.
  • DMARC Dependency: DKIM failures can lead to DMARC failures if SPF alignment is missing, potentially resulting in email rejection.
  • Transit Modifications: Changes made in transit, such as adding disclaimers or converting character encodings, invalidate the DKIM signature.
  • ARC Importance: ARC is important for preserving authentication results across multiple hops, addressing forwarding issues.

Key considerations

  • Implement ARC: Implement ARC to ensure authentication validity across forwarding scenarios.
  • Ensure SPF Alignment: Ensure proper SPF alignment to mitigate the impact of DKIM failures on DMARC.
  • Minimize Transit Changes: Minimize changes made in transit to preserve DKIM signature validity.
  • Understand DMARC Policy: Understand how your DMARC policy will handle DKIM failures, especially with strict settings.
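
The relationship between a DKIM failure and the DMARC outcome can be checked from a message's Authentication-Results header. The following is an added example, not code from any of the cited sources: the header strings are constructed, and `org_domain` is a simplification (last two labels) standing in for a Public Suffix List lookup.

```python
import re

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. A real evaluator
    # uses the Public Suffix List (needed for names such as example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    if mode == "s":                      # strict alignment: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def dmarc_verdict(auth_results: str, from_domain: str, adkim="r", aspf="r") -> dict:
    """DMARC passes when at least one of DKIM or SPF passes AND is aligned."""
    dkim_ok = spf_ok = False
    no_comments = re.sub(r"\([^)]*\)", "", auth_results)
    for clause in no_comments.split(";")[1:]:    # first field is the authserv-id
        m = re.match(r"\s*(dkim|spf)=(\w+)", clause)
        if not m or m.group(2) != "pass":
            continue
        if m.group(1) == "dkim":
            d = re.search(r"header\.d=(\S+)", clause)
            dkim_ok |= bool(d) and is_aligned(d.group(1), from_domain, adkim)
        else:
            mf = re.search(r"smtp\.mailfrom=(\S+)", clause)
            dom = mf.group(1).rsplit("@", 1)[-1] if mf else ""
            spf_ok |= bool(mf) and is_aligned(dom, from_domain, aspf)
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc": "pass" if (dkim_ok or spf_ok) else "fail"}

# Constructed headers: the same DKIM body-hash failure with two SPF situations.
SPF_ALIGNED = ("mx.receiver.example; dkim=fail (body hash did not verify) "
               "header.d=news.example.com; spf=pass smtp.mailfrom=bounce.news.example.com")
SPF_UNALIGNED = ("mx.receiver.example; dkim=fail (body hash did not verify) "
                 "header.d=example.com; spf=pass smtp.mailfrom=bounces@esp-mail.example.net")

if __name__ == "__main__":
    for label, hdr in (("SPF aligned", SPF_ALIGNED), ("SPF unaligned", SPF_UNALIGNED)):
        print(label, dmarc_verdict(hdr, "example.com"))
```

With SPF passing on a domain that does not align with the From domain, the broken DKIM signature is the only thing that could have satisfied DMARC, so the message fails.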

Technical article

Documentation from Microsoft Learn explains that DKIM failures can occur due to email forwarding, where the forwarder modifies the message headers or body, invalidating the DKIM signature. It highlights the importance of ARC (Authenticated Received Chain) to preserve authentication results across multiple hops.

20 Oct 2021 - Microsoft Learn

Technical article

Documentation from RFC Editor (RFC6376, the DKIM standard) explains that DKIM signatures can fail verification if the message body or headers are modified in transit. Changes made by intermediaries, such as adding disclaimers or converting character encodings, will invalidate the signature.

24 Sep 2022 - RFC Editor
