How do I fix DMARC failures with OpenAir due to lack of DKIM signing?
Michael Ko
Co-founder & CEO, Suped
Published 20 Apr 2025
Updated 15 Aug 2025
9 min read
Dealing with DMARC failures can be frustrating, especially when they stem from third-party sending platforms like OpenAir. Many organizations rely on such services for critical communications, only to find their emails not reaching the inbox due to authentication issues.
The typical scenario I encounter with OpenAir, which is part of Oracle NetSuite, involves DMARC failures caused by a lack of proper DKIM signing. While OpenAir might successfully authenticate its own domain via SPF, your domain, the one in the visible From header, isn't being properly signed. This misalignment is a critical point that DMARC checks, leading to emails being rejected or sent to spam folders.
Understanding why this happens is the first step toward a solution. DMARC requires either SPF or DKIM to be aligned with the Header From domain. If your OpenAir emails pass SPF authentication, but the SPF domain (e.g., openair.com) does not match your Header From domain, then SPF alignment fails. The only remaining path to DMARC pass is through a properly aligned DKIM signature.
When DKIM isn't applied or is invalid for your domain, DMARC will fail. This is particularly problematic for organizations with a p=reject DMARC policy, common in sectors like finance, where strong authentication is crucial to prevent phishing and spoofing. Let's explore how to address this challenge and ensure your OpenAir emails meet DMARC compliance.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) relies on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) for its authentication and alignment checks. For your emails to pass DMARC, at least one of these protocols must align with your Header From domain.
With OpenAir, SPF often passes authentication, but it does so for the OpenAir domain itself (e.g., openair.com or relay.openair.com) in the Return-Path or MailFrom address. This means the SPF domain does not align with your Header From domain, causing SPF alignment to fail. You can learn more about why DMARC authentication fails even if SPF passes.
The critical missing piece is a DKIM signature for your domain. DKIM allows the sending server to digitally sign emails, and the receiving server can then verify this signature using a public key published in your DNS. If OpenAir is not applying this signature, or if the signature's domain (d=) does not align with your Header From, DMARC will fail. This is precisely why your OpenAir emails are experiencing DMARC failure.
For organizations requiring a p=reject DMARC policy, the stakes are even higher. A p=reject policy instructs recipient mail servers to outright reject emails that fail DMARC, meaning they won't even reach the spam folder. This is a robust defense against email spoofing but necessitates that all legitimate sending sources, including OpenAir, are fully DMARC compliant.
DMARC alignment types
Strict alignment: The SPF domain or DKIM d= domain must exactly match the Header From domain.
Relaxed alignment: The SPF domain or DKIM d= domain must match the organizational domain of the Header From domain. This allows for subdomains to pass alignment.
OpenAir's SPF passes for openair.com, not your domain, so SPF alignment fails for DMARC. DKIM is therefore crucial.
Collaborating with OpenAir support for DKIM implementation
The most straightforward and recommended way to fix DMARC failures stemming from a lack of DKIM signing by OpenAir is to work directly with their support team. OpenAir, a Netsuite product, is typically capable of implementing DKIM signing for your domain, but it might require specific configuration or even a particular service package.
While documentation for this can be scarce or outdated, some resources like Oracle's documentation on DKIM for their products suggest that DKIM setup is possible. This process usually involves OpenAir generating a DKIM public key for your domain, which you then publish as a TXT record in your DNS. They handle the private key, which is used to sign your outgoing emails.
Here's how to approach it:
Contact support: Reach out to OpenAir or NetSuite support and explain that your emails are failing DMARC due to a missing DKIM signature for your Header From domain. Request assistance in configuring DKIM for your sending domain.
Request DKIM keys: Ask them to provide the necessary DKIM public key (usually a TXT record) that you need to add to your domain's DNS.
Publish DNS record: Once you receive the key, add it to your DNS records. Ensure the hostname (selector) and value are exactly as provided.
Verify activation: Confirm with OpenAir support that DKIM signing for your domain has been activated on their end. You can also use a free email deliverability testing tool to check the DKIM signature.
Example DKIM TXT recordDNS
Host: selector1._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqX9lG6Y...[rest of public key]...
Be aware that some legacy systems or specific service tiers within platforms like OpenAir (or other Oracle products like Eloqua, as suggested by older documentation) might classify DKIM alignment as an advanced feature, potentially requiring a Branding and Deliverability package. This is something their support team can clarify.
Navigating DMARC failures with subdomain strategies
If direct DKIM signing through OpenAir proves difficult, impossible, or cost-prohibitive, there are alternative strategies to mitigate DMARC failures. While not always ideal, these workarounds can help maintain deliverability, especially when you're under pressure to enforce a p=reject policy.
One common workaround is to use a subdomain for your OpenAir emails and apply a less restrictive DMARC policy to it. Instead of sending from yourdomain.com, you could send from notifications.yourdomain.com. Then, you would set up a separate DMARC record for this subdomain with a p=none policy. This allows emails from that subdomain to still be delivered, even if DMARC fails for lack of DKIM alignment, while your main domain remains protected by its p=reject policy.
While changing your Header From to a subdomain might seem like a compromise, it generally has a lesser impact on your overall deliverability and brand recognition than changing the entire main domain. It signals to recipients that the emails are still from your organization, albeit a specific department or system. This is a pragmatic solution if OpenAir cannot provide direct DKIM signing for your root domain in the short term.
Ideal solution: direct DKIM signing
Authentication: Emails are DKIM-signed directly by OpenAir with your primary domain, ensuring DMARC alignment.
Deliverability impact: Full DMARC compliance helps improve inbox placement and domain reputation.
Effort: Requires coordination with OpenAir support to obtain and publish a DKIM TXT record.
Workaround: subdomain strategy
Authentication: Emails sent from a subdomain with a p=none DMARC policy. Does not achieve full DMARC alignment for the main domain.
Deliverability impact: Reduced deliverability risk for the main domain, but subdomain's reputation is managed separately.
Effort: Requires DNS changes for the new subdomain and DMARC policy setup.
Another conceptual point related to DMARC alignment is the difference between strict and relaxed alignment. While not a direct fix for OpenAir's lack of DKIM signing, understanding this helps troubleshoot broader DMARC issues. Relaxed alignment allows a subdomain to pass alignment with the organizational domain, offering more flexibility. However, for a p=reject policy, strict alignment is often preferred or implicitly required by the absence of proper DKIM.
Sustaining compliance through DMARC monitoring
Once you've implemented a solution, whether it's direct DKIM signing or a subdomain strategy, continuous monitoring of your DMARC reports is essential. These reports provide invaluable insight into your email ecosystem, showing you which emails are passing or failing DMARC, and why.
DMARC aggregate (RUA) reports offer a daily overview of your email traffic, showing authentication results for SPF and DKIM. Forensic (RUF) reports provide more detail on individual failures, though these are often redacted for privacy reasons. By analyzing these, you can confirm that your OpenAir emails are now achieving DMARC alignment and that your efforts to fix DMARC failures have been successful. Regularly check your DMARC reports to troubleshoot any ongoing issues.
Consistent DMARC compliance is not a one-time setup, especially when integrating with various third-party senders. It requires ongoing vigilance to prevent future deliverability issues. Without proper authentication, your emails face a higher risk of being flagged as spam or even triggering a blocklist (or blacklist) listing for your domain, severely impacting your email campaigns.
Ensuring proper email authentication is a cornerstone of good email deliverability. A robust DMARC implementation, supported by correctly configured SPF and DKIM for all sending sources, minimizes the risk of spoofing and ensures your legitimate communications reach their intended recipients. Regularly review your DMARC records and sending practices to maintain a healthy email ecosystem. You can find more information on causes and solutions of DMARC failures.
Authentication protocol
Pass criteria
OpenAir challenge
SPF
Return-Path domain authorized the sending IP.
Passes for openair.com, not your Header From domain.
DKIM
Email is signed by d= domain, which is verified by DNS public key.
Often no signature for your domain, or an invalid one.
DMARC
Either SPF or DKIM must align with the Header From domain.
Fails alignment because SPF is for OpenAir, and DKIM for your domain is missing.
Views from the trenches
Best practices
Always prioritize direct DKIM signing from your email service provider to ensure full DMARC compliance.
Regularly monitor your DMARC reports (RUA and RUF) to catch any authentication or alignment issues early.
Maintain a clear understanding of your DMARC policy (p=none, p=quarantine, p=reject) and its implications.
Ensure all third-party senders used for your domain are correctly configured with SPF and DKIM records.
Educate your team on DMARC, SPF, and DKIM to prevent inadvertent configuration errors.
Common pitfalls
Assuming SPF passing for the sending platform's domain means DMARC alignment will also pass for your domain.
Not having up-to-date documentation from third-party senders regarding their email authentication setup.
Implementing a 'p=reject' DMARC policy without verifying all legitimate email sources are compliant.
Overlooking the need for a specific 'Branding and Deliverability' package from senders like OpenAir for DKIM signing.
Ignoring DMARC reports, leading to unresolved deliverability or spoofing issues.
Expert tips
For difficult senders, using a subdomain with a 'p=none' policy can provide a temporary workaround while you work on full alignment.
When dealing with vendors, specifically ask for 'DKIM signing for my sending domain' rather than general authentication inquiries.
Utilize DMARC aggregate reports to quickly identify trends in authentication failures across all your sending IPs.
Before applying a strict DMARC policy, ensure you have visibility into all your sending sources to avoid legitimate emails being rejected.
Consider a phased approach for DMARC policy enforcement, starting with 'p=none' for monitoring before moving to 'quarantine' or 'reject'.
Marketer view
Marketer from Email Geeks says SPF authentication is distinct from SPF alignment, requiring the 5321.From (return-path) domain to match the 5322.From (display from) domain for proper alignment.
2020-11-05 - Email Geeks
Marketer view
Marketer from Email Geeks says organizations must either ensure their 5322.From domain is DKIM signed or consider disabling the DMARC enforcing policy to avoid delivery issues.
2020-11-05 - Email Geeks
Summary of solutions
Fixing DMARC failures with OpenAir largely boils down to ensuring your emails are DKIM signed and aligned with your Header From domain. The ideal path involves direct collaboration with OpenAir (Oracle NetSuite) support to enable this critical authentication mechanism. While documentation may be sparse, their ability to provide a DKIM public key for your DNS is the most robust solution for achieving DMARC compliance.
If direct DKIM signing isn't immediately feasible, a tactical workaround using a subdomain with a p=none DMARC policy can provide a temporary reprieve, allowing you to maintain some deliverability while working towards a more permanent fix. Regardless of the chosen solution, ongoing DMARC monitoring is non-negotiable to ensure sustained email deliverability and protect your brand from spoofing and blocklist issues.
OpenAir with your primary domain, ensuring DMARC alignment.
openair.com, not your Header From domain.
