When troubleshooting email deliverability, it can be confusing to see conflicting results from different online tools, especially regarding DKIM signatures. A common scenario involves a tool like Aboutmy.email reporting no DKIM signature, while other DKIM-specific validators confirm the presence and validity of the DKIM record. This discrepancy often arises because tools operate differently; some check for the DNS record's existence, while others verify the actual email header for a signed message. Understanding how SPF, DKIM, and DMARC work, particularly in terms of DMARC alignment, is crucial for resolving such issues.
Key findings
Tool differences: Some DKIM validation tools only check for the presence of the DKIM public key in DNS, while others (like Aboutmy.email) analyze the email headers of actual sent messages to confirm a DKIM-Signature.
Missing DKIM-Signature header: If a DKIM record exists in DNS but no DKIM-Signature header is present in sent emails, it indicates that the mail system (often the ESP) is not signing the outgoing mail.
DMARC alignment: DMARC requires either SPF or DKIM to align with the From: header domain. Even if DKIM is missing, DMARC can still pass if SPF passes alignment.
Relaxed vs. strict alignment: DMARC defines 'strict' alignment (exact domain match) and 'relaxed' alignment (organizational domain match). Relaxed alignment allows subdomains to align with the main domain.
Organizational domain concept: Multiple hostnames (e.g., bounce.example.com and e.example.com) can share the same organizational domain (e.g., example.com), enabling SPF alignment under a relaxed DMARC policy.
Key considerations
Verify email signing: Always ensure your ESP or mail system is configured to actively sign outgoing emails with DKIM, not just that the public key is published in DNS.
Understand alignment modes: Be aware of the difference between DMARC's strict and relaxed alignment modes. Relaxed alignment is more common and less prone to breaking due to subdomain use.
Check mail From: and Return-Path: domains: For SPF alignment, the domain in the Return-Path (Mail From) header must align with the domain in the From: header. For DKIM, the d= domain in the DKIM-Signature must align with the From: header domain.
Leverage DMARC reports: Use DMARC aggregate reports to monitor authentication results and identify issues like missing DKIM signatures or SPF misalignment. They are crucial for understanding your email deliverability.
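The header-level check described above, as an added example that is not taken from any of the tools named on this page: it looks for a DKIM-Signature header in a sent message and evaluates strict and relaxed alignment of the Return-Path and d= domains against the From: domain. The sample message is constructed, and the small PUBLIC_SUFFIXES set is an assumption standing in for the full Public Suffix List; the script checks identifier alignment only, not whether SPF or the signature actually verified.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Simplified stand-in for the Public Suffix List (assumption): a real
# checker must consult the full PSL to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

# Constructed sample: key published in DNS, but the message is unsigned.
SAMPLE = """\
Return-Path: <bounces@bounce.example.com>
From: News <news@e.example.com>
Subject: constructed test message

body
"""

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode="relaxed"):
    """Strict: exact match. Relaxed: same organizational domain."""
    if not auth_domain:
        return False
    if mode == "strict":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def check(raw, mode="relaxed"):
    """Report signing presence and identifier alignment for one message."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    # A message may carry several signatures; collect every d= tag.
    dkim_doms = [m.group(1) for sig in msg.get_all("DKIM-Signature", [])
                 for m in [re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)] if m]
    return {
        "from": from_dom,
        "signed": bool(dkim_doms),
        "spf_aligned": aligned(rp_dom, from_dom, mode),
        "dkim_aligned": any(aligned(d, from_dom, mode) for d in dkim_doms),
    }
```

For the sample, `check(SAMPLE)` reports an unsigned message whose Return-Path still aligns in relaxed mode, which is the situation where DMARC can pass on SPF alone; `check(SAMPLE, "strict")` shows the same pair failing strict alignment.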
Email marketers frequently encounter confusing scenarios where email authentication tools show conflicting results, leading to questions about actual deliverability. The primary concern often revolves around why one tool indicates a missing DKIM signature while another confirms its existence. This confusion extends to understanding how SPF alignment and DMARC verification function, especially when a lack of one authentication method (like DKIM) doesn't necessarily result in a DMARC failure. Marketers are keen to grasp the nuances of how subdomains and different 'From' addresses impact alignment, and ultimately, whether their emails will reach the inbox.
Key opinions
Aboutmy.email's usefulness: Marketers appreciate Aboutmy.email for its ability to analyze actual sent mail, providing a realistic view of authentication status compared to DNS-only checks.
DKIM signing confusion: A common point of confusion is differentiating between having a DKIM public key published in DNS and ensuring the ESP is actively signing outgoing emails.
SPF alignment misconceptions: Many marketers mistakenly believe the 'Mail From' (Return-Path) domain needs to exactly match the 'Friendly From' domain for SPF alignment, rather than understanding the concept of organizational domain matching.
DMARC passing conditions: There's a desire to understand why DMARC can still pass even if one authentication method (like DKIM) is missing, highlighting the importance of SPF alignment.
Key considerations
Engage your ESP: If DKIM records are published but emails aren't signed, the next step is to contact your Email Service Provider to ensure they're signing your mail. This is a common issue for Mailchimp users among others.
Familiarize with alignment types: Understand the difference between strict and relaxed DMARC alignment to predict how different 'From' and 'Mail From' domain configurations will affect your email authentication results. See our guide on relaxed domain alignment.
Test with real emails: Always test your email authentication by sending actual emails and examining their headers, rather than relying solely on DNS checkers.
Monitor DMARC reports: Regularly review DMARC reports to identify authentication issues, even if emails appear to be delivering successfully. This helps prevent future inbox placement problems and offers insight into why emails go to spam.
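One way to pull the issues mentioned above out of a DMARC aggregate report, as an added example rather than code from any tool named on this page. The report fragment is constructed in the RFC 7489 record layout with documentation-range addresses; it assumes a report without XML namespaces and omits the metadata and published-policy sections a real report carries.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report fragment (RFC 7489 record layout);
# IPs and domains are documentation placeholders, not real senders.
REPORT = """<feedback>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>e.example.com</header_from></identifiers>
  <auth_results>
   <spf><domain>bounce.example.com</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>4</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>esp.example.net</domain><result>pass</result></dkim>
   <spf><domain>esp.example.net</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>"""

def findings(xml_text):
    """Return one dict per reported source with the issues it shows."""
    out = []
    for rec in ET.fromstring(xml_text).iter("record"):
        pe = rec.find("row/policy_evaluated")
        dkim_eval, spf_eval = pe.findtext("dkim"), pe.findtext("spf")
        issues = []
        # auth_results/dkim is optional: absent means no signature was seen.
        if rec.find("auth_results/dkim") is None:
            issues.append("no DKIM signature seen")
        elif dkim_eval != "pass":
            issues.append("DKIM failed or not aligned")
        if spf_eval != "pass":
            issues.append("SPF failed or not aligned")
        out.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "dmarc_pass": "pass" in (dkim_eval, spf_eval),
            "issues": issues,
        })
    return out
```

The first record is the unsigned-but-SPF-aligned case: DMARC passes while the report still flags the missing signature. The second shows SPF and DKIM both passing for the ESP's own domain yet failing DMARC because neither aligns with the From: domain.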
Marketer view
Email marketer from Email Geeks shared their positive experience using Aboutmy.email, noting its helpfulness in understanding email authentication. They initially encountered a problem with a 2048-bit key not being recognized by the tool, despite other DKIM checkers validating it.
22 Nov 2024 - Email Geeks
Marketer view
Email marketer from Spiceworks Community commented that emails lacking SPF, DKIM, or DMARC are likely to be marked as spam or rejected by recipient servers, indicating a fundamental understanding of authentication's importance for deliverability.
22 Mar 2024 - Spiceworks Community
What the experts say
Experts in email deliverability emphasize that discrepancies in DKIM validation tools typically stem from whether the tool checks DNS records or actual email headers. They clarify that the mere existence of a DKIM public key in DNS does not guarantee that outgoing emails are being signed. Furthermore, experts highlight that SPF itself does not have a concept of alignment; rather, DMARC defines alignment modes (strict and relaxed) between the 'Mail From' and 'From' domains. Understanding these distinctions is critical for accurately diagnosing and resolving authentication failures.
Key opinions
Tool validation differences: Many DKIM tools validate public keys in DNS based on user input, while more comprehensive tools like Aboutmy.email inspect the actual email stream for the presence of a DKIM-Signature header.
Unsigned emails: A common cause for a missing DKIM signature in email headers, despite a valid DNS record, is that the mail system (or ESP) has not been configured to actually sign the outgoing emails.
SPF's role in DMARC: SPF itself does not have an 'alignment' concept; it's DMARC that introduces alignment requirements between the SPF-authenticated domain and the From: header domain. This can often lead to SPF passing in headers but not in tools.
DMARC alignment types: DMARC defines both 'strict' alignment, requiring exact domain matches, and 'relaxed' alignment, which permits subdomains to align with their organizational domain. The latter is far less restrictive and more common.
Organizational domain importance: Understanding what constitutes an 'organizational domain' is key to comprehending how SPF alignment can pass under a relaxed DMARC policy, even when subdomains differ.
Key considerations
Diagnose at the header level: Always examine the email headers of actual sent messages to confirm the presence and validity of DKIM-Signature and SPF results, as this reflects how recipients see your mail.
Push ESPs for signing: If a DKIM record is correctly published but messages are unsigned, communicate with your ESP to ensure they implement proper DKIM signing for your outbound email.
Educate on DMARC alignment: Clarify that alignment is a DMARC rule, not a property of SPF itself. This distinction helps explain why emails can still pass DMARC when one authentication method fails, as long as DMARC authentication passes via the other.
Prioritize organizational domain understanding: A deeper understanding of the organizational domain concept is vital for interpreting DMARC reports and configuring authentication for subdomains correctly. More on this is available at Word to the Wise.
Expert view
Expert from Email Geeks offered to review results pages to help diagnose the DKIM issue, demonstrating a proactive approach to troubleshooting deliverability problems.
22 Nov 2024 - Email Geeks
Expert view
Expert from Word to the Wise explains the concept of an organizational domain, noting its importance in contexts like cookie privacy and aligning various hostnames under a single entity.
13 Dec 2017 - Word to the Wise
What the documentation says
Official documentation and technical guides clarify the distinct roles of SPF, DKIM, and DMARC in email authentication. They highlight that while SPF validates the sending server's IP against a list, and DKIM verifies message integrity via cryptographic signatures, DMARC unifies these by requiring alignment between the authenticated domains and the 'From' header. Documentation often details the two DMARC alignment modes, strict and relaxed, explaining how relaxed alignment allows for common subdomain usage while still maintaining authentication integrity. This framework is essential for senders aiming to meet modern email deliverability standards and protect their domain reputation.
Key findings
DMARC policy definition: Documentation outlines that a DMARC policy allows domain owners to indicate that emails from their domain are protected by SPF and DKIM, and to specify actions for unauthenticated mail.
SPF and DKIM foundations: RFCs and guides confirm SPF verifies the sending IP against authorized senders, while DKIM uses cryptographic signatures to ensure message integrity and sender authenticity.
Alignment requirement: DMARC documentation explicitly states the necessity for either SPF or DKIM domains to align with the email's RFC5322.From domain for DMARC to pass.
Strict vs. relaxed alignment: Technical documentation clarifies 'strict' alignment requires an exact match between domains, whereas 'relaxed' alignment allows for matches at the organizational domain level.
Impact of misalignment: Some documentation may incorrectly present SPF and DKIM misalignment as DMARC failures, though only one (SPF or DKIM) needs to align for DMARC to pass.
Key considerations
Implementing DMARC progressively: Documentation recommends starting with a DMARC policy of 'p=none' to monitor traffic before enforcing stricter policies like quarantine or reject.
Leverage DMARC for discovery: DMARC records can be used to discover all legitimate email sources from a domain, which is crucial for comprehensive authentication setup. More on how DMARC works.
Address 'no SPF, DKIM, or DMARC' concerns: RFCs imply that emails without proper authentication (SPF, DKIM, DMARC) are at high risk of being treated as spam or rejected, making adherence to these standards vital.
Understand alignment caveats: Pay close attention to how various tools interpret SPF and DKIM alignment, as some may inaccurately report issues even when DMARC passes correctly. This is particularly relevant for Google Postmaster Tools discrepancies.
Technical article
Documentation from Kickbox Blog suggests that certain tools may erroneously report SPF and DKIM domain misalignment as DMARC failures, even though DMARC only requires one of them to align for a pass.
22 Mar 2025 - Kickbox Blog
Technical article
Documentation from LinuxBabe explains that a DMARC policy allows a domain owner to declare that their domain's emails are protected by SPF and DKIM, offering a mechanism to discover legitimate sending sources.