What does an Authentication Results Header contain when DKIM passes but DomainKeys fail?

Key findings

• Legacy protocol: DomainKeys is an older email authentication protocol that was largely superseded by DKIM. While some systems may still perform DomainKeys checks, its failure is often inconsequential if DKIM passes.
• DKIM priority: DKIM is the modern and actively used standard for verifying email authenticity and integrity. A passing DKIM result signifies that the email has not been tampered with since it left the sender's mail server and that the sender is authorized.
• Canonicalization differences: The reason message has been altered for DomainKeys failure often relates to slight modifications by intermediate mail transfer agents (MTAs) that are handled differently by DomainKeys' stricter canonicalization rules compared to DKIM's more flexible approach. Learn more about how OpenDKIM handles canonicalization.

Key considerations

• Focus on current standards: Prioritize the results for DKIM, SPF, and DMARC. These are the main protocols that influence your email deliverability and inbox placement.
• Understand the Authentication-Results header: This header, as defined by RFC 7601, provides a standardized way for mail receivers to report the results of various authentication checks, including both modern and legacy ones.
• No immediate alarm: If DKIM passes, a DomainKeys failure is usually not a cause for concern and does not indicate a critical deliverability issue.

Key opinions

• Confusion with legacy: Many marketers find the presence of DomainKeys failures alongside DKIM passes confusing and unnecessary, wishing for clearer, more relevant authentication reports.
• Deliverability impact: The primary concern for marketers is how authentication results affect email deliverability rates, not the historical nuances of authentication protocols.
• DMARC alignment focus: Marketers emphasize that DMARC alignment is paramount, which relies on SPF and DKIM passing, making DomainKeys irrelevant.

Key considerations

• Prioritize DMARC reports: Marketers should primarily rely on DMARC aggregate and forensic reports to understand their authentication performance, as these focus on modern standards.
• Simplify debugging: When troubleshooting deliverability issues, marketers should first check SPF and DKIM records, then DMARC, before delving into outdated protocol results.
• Educate teams: It's important to educate marketing and IT teams that a DomainKeys fail when DKIM passes is generally not a critical issue, to avoid unnecessary alarm or time spent debugging non-problems.

Key opinions

• Protocol differences: Experts note that DKIM and DomainKeys, while related, are distinct protocols, and a failure in one does not necessarily invalidate the other's result.
• Software quirks: Authentication software like Amavis and OpenDKIM can behave differently, with some versions having trouble verifying signatures from certain senders, such as Microsoft Office 365, due to canonicalization or other parsing issues. More information about troubleshooting Office 365 DKIM and SPF failures is available.
• Canonicalization is key: The reason for a DomainKeys failure often boils down to subtle differences in how a message's headers or body are canonicalized (prepared for signing and verification) that DKIM tolerates better. Issues with the DKIM body hash mismatch are also common and can be fixed with specific steps.

Key considerations

• System configuration: Ensure your sending system is configured for DKIM correctly, using modern signing practices. If using DomainKeys, it's advised to transition to DKIM.
• Software updates: Keep mail server authentication software updated to ensure compatibility with various sender practices and to minimize parsing errors.
• Ignore legacy: If DKIM passes, the DomainKeys fail is typically ignorable. Focus on DMARC policies and how they interpret your SPF and DKIM results, as these are the crucial factors for inbox delivery.

Key findings

• RFC 7601 defines the header: The Authentication-Results header field is specified in RFC 7601, detailing its syntax and semantics for reporting authentication checks.
• DomainKeys superseded by DKIM: While DomainKeys was an early form of email signing, it has been largely integrated into and superseded by DKIM, which offers enhanced security and flexibility.
• Reason codes for failure: Documentation specifies various reason codes for authentication failures, such as message has been altered, which can indicate differences in canonicalization or transit modifications.

Key considerations

• Consult RFCs: For precise technical details and behavior definitions of email authentication, refer directly to the relevant RFCs (e.g., RFC 6376 for DKIM, RFC 7601 for Authentication-Results).
• Understand canonicalization: Pay attention to the canonicalization methods specified in DKIM (relaxed/simple for header and body) as they directly influence how message alterations affect signature validation.
• Interpret results holistically: Documentation suggests that multiple authentication results may appear in the header, and the overall outcome should be judged based on the most relevant and current protocols, like DMARC, SPF, and DKIM.