How do I fix DMARC failures with OpenAir due to lack of DKIM signing?

Key findings

• Lack of DKIM signing: DMARC failures with OpenAir often stem from the absence of DKIM signatures on outbound emails, preventing domain alignment.
• SPF authentication vs. alignment: While SPF may authenticate on openair.com, DMARC requires SPF to align with the 5322.From (header from) domain, which is typically the client's domain. This misalignment leads to DMARC failing, even if SPF passes.
• Outdated documentation: Finding current and helpful support documentation for DKIM setup specifically for Netsuite or OpenAir can be challenging, with much information being outdated or requiring specific access.
• Sensitive industries: Clients in industries like finance often require a strict p=reject DMARC policy, making correct DKIM alignment even more critical for deliverability and preventing spoofing. For more on DMARC policies, read our guide on how to safely transition your DMARC policy.

Key considerations

• Engage vendor support: If self-service documentation is insufficient, directly contacting OpenAir or Netsuite's technical support team is often necessary to obtain the public DKIM TXT record and ensure proper activation from their end.
• DKIM signing by sender: The ideal solution is for OpenAir to sign emails with your client's domain using DKIM. This ensures DMARC alignment and improved deliverability. See Kinsta's advice on how to fix DMARC failures.
• DMARC policy adjustments (temporary): As a temporary workaround, or if the vendor cannot support custom DKIM signing, consider changing the 5322.From (header from) to a subdomain with a p=none DMARC policy, though this is not a long-term solution for strict compliance.
• Continuous monitoring: Regularly monitor DMARC reports to identify any ongoing authentication or alignment issues, especially when working with third-party sending services.

Key opinions

• Vendor limitations: Many third-party ESPs, including some enterprise platforms, do not automatically support DKIM signing with the client's domain, leading to common DMARC failure points.
• Costly features: Historically, and sometimes currently, features like custom DKIM signing for domain alignment are offered as part of premium or additional 'deliverability' packages by large software vendors.
• Alignment is key: It's crucial to understand that DMARC validates not just authentication (SPF/DKIM pass) but also alignment, meaning the authenticated domain must match the email's From header domain. For more on this, check out eSecurity Planet's article on getting DMARC right.
• Subdomain workaround: A temporary solution some marketers employ is to use a subdomain for sending and set a p=none DMARC policy on that subdomain, reducing the deliverability impact on the main domain.

Key considerations

• Prioritize direct vendor engagement: Marketers should first try to work directly with their third-party sending platform's support to enable proper DKIM signing and SPF alignment for their domain.
• Review authentication status: Regularly check DMARC reports to identify if SPF and DKIM are passing and, more importantly, aligning with your sending domain.
• Understand DMARC policy impact: Be aware that a p=reject policy will cause unauthenticated or misaligned emails to be bounced, potentially leading to lost communications. Learn more about DMARC tags and their meanings.
• Explore alternatives: If a third-party vendor cannot meet DMARC alignment needs for a p=reject policy, marketers may need to explore alternative sending solutions or adjust their email strategy for that specific platform.

Key opinions

• Alignment is paramount: DMARC's effectiveness hinges on the alignment of the domain in the 5322.From header with either the SPF-authenticated domain or the DKIM-signed domain.
• DKIM is often missing: For many third-party sending services, the primary issue is the lack of DKIM signing by the client's domain, leading to DMARC failure even if SPF passes on the service's domain.
• Direct vendor contact: When DMARC failures persist with a third-party sender, the most efficient solution is almost always to contact their technical support directly, as custom DKIM keys need to be provided and activated by them.
• DMARC policy implications: For domains with a p=reject policy, any DMARC failure due to misalignment or missing DKIM means emails will not be delivered, which is especially critical for sensitive communications. You can learn more about best practices for implementing DKIM, SPF, and DMARC.

Key considerations

• Verify SPF and DKIM setup: Before contacting support, ensure your own SPF and DKIM records for your domain are correctly published and configured, as this can sometimes be a contributing factor. Our guide on how to verify DMARC, DKIM, and SPF setup can help.
• Request PTR records: When troubleshooting, providing the PTR (Pointer Record) of outgoing server IPs (e.g., relay.openair.com) can help experts perform general lookups and guide next steps.
• Address invalid DKIM: If DMARC reports show DKIM as 'invalid' or 'fail', it indicates the sending service is either not signing emails, or the keys are misconfigured, requiring their intervention. DuoCircle offers a piece on causes and solutions of DMARC failures.
• Long-term solution: Aim for the vendor to provide a public DKIM TXT record that you can publish, and ensure they activate DKIM signing for your domain on their platform for full DMARC compliance.

Key findings

• DMARC specification: RFC 7489 (DMARC) mandates that for an email to pass DMARC, either the SPF-authenticated domain or the DKIM-signed domain must align with the RFC5322.From header.
• DKIM's role in alignment: When SPF alignment is not possible with a third-party sender (e.g., due to different return-path domains), DKIM signing by the client's domain is the primary method to achieve DMARC compliance.
• Vendor-specific configuration: Oracle NetSuite (parent of OpenAir) documentation often indicates that configuring advanced email authentication like DKIM requires specific settings within their platform, sometimes tied to broader branding or deliverability service packages. Refer to Oracle's Eloqua Email Authentication help.
• Email flow implications: When a third-party service sends emails without proper DKIM signing from the customer's domain, the email's authentication chain breaks, leading to DMARC failures and potential quarantining or rejection by recipient servers.

Key considerations

• Consult official documentation: Always refer to the most up-to-date vendor-specific documentation (e.g., Oracle Netsuite's guides) for precise instructions on configuring DKIM and SPF within their platform, as configurations can change.
• Understand DMARC report data: DMARC aggregate reports provide critical data on authentication and alignment results, allowing administrators to pinpoint sources of failures and track compliance over time. For more information, see our guide on how to interpret DMARC reports.
• Secure specific access: Be prepared that some comprehensive documentation or configuration settings may reside behind a login portal, requiring appropriate client access or vendor support engagement. Oracle's Netsuite guides, for instance, sometimes link to internal help articles, like this one on DMARC and email domains.
• Evaluate third-party capabilities: Before selecting a third-party email sender, verify their capabilities for custom domain DKIM signing and full DMARC compliance, especially if a strict DMARC policy is required.