Why are DMARC reports showing temperrors or softfails for Klaviyo despite passing DMARC?

Key findings

• Intermittent failures: DMARC reports sometimes show temperrors or softfails for SPF or DKIM, even if authentication previously worked without issue.
• Multiple failure types: These can include DKIM temperror, SPF temperror, or even DKIM permerror, with various internet service providers (ISPs) like Outlook, Google, and Yahoo reporting them.
• Klaviyo specific: While the issue is observed with Klaviyo (as a major sender), similar problems might occur with other ESPs like Churnbuster, Stamped, or Recharge.
• Selector confusion: The DKIM selector observed in headers (e.g., 'kl') might differ from the configured selectors (e.g., 'kl1', 'kl2'), suggesting a potential discrepancy in how the ESP is signing emails or how DNS is being resolved.
• Overall DMARC pass: Despite individual SPF or DKIM failures, the DMARC record itself often still passes, especially if one of the authentication methods is still aligning.

Key considerations

• DNS records review: Thoroughly check all DNS records for your domain, including DKIM CNAMEs, for any inconsistencies, rogue nameservers, or propagation issues that could lead to temporary validation failures.
• ISP specific behavior: Recognize that some ISPs, such as Outlook (Microsoft) and Yahoo, can be more prone to reporting temperror or permerror results due to their internal processing or specific email forwarding practices.
• Authentication consistency: All outbound emails should ideally be signed exactly the same way to ensure consistent DMARC validation across all recipients. This also reinforces the importance of both SPF and DKIM aligning with your DMARC policy.
• Examine raw DMARC reports: If using a DMARC reporting tool, request access to the raw XML reports to gain more granular insights into who the reporting ISPs are and the exact nature of the failures. This can reveal specific authentication issues.

Key opinions

• DNS discrepancies: A common opinion among marketers is that such weirdnesses are often DNS problems, such as a rogue nameserver or records that haven't propagated correctly.
• Selector mismatch: Confusion arises when a DKIM selector appears in DMARC reports (e.g., 'kl') that doesn't match the configured selectors in their DNS (e.g., 'kl1', 'kl2'), indicating an issue with how the ESP is signing emails.
• ESPs and CNAMEs: Even after setting up CNAMEs as requested by ESPs like Klaviyo and having them verified, marketers still encounter intermittent softfails or temperrors, which can be frustrating.
• Multiple sending sources: It's noted that the problem isn't always isolated to one ESP, but can affect various sending platforms (e.g., Helpdocs, Klaviyo, Recharge) that use different underlying infrastructure.

Key considerations

• Thorough DNS audit: Marketers should conduct a deep dive into their DNS records, specifically looking for any unmanaged or incorrect entries that could be causing validation hiccups.
• Understand DMARC report details: Familiarize yourself with grouping options in your DMARC reporting tool to identify which ISPs are reporting failures and for which specific authentication methods (SPF or DKIM).
• Check email headers: While DMARC reports don't show headers, receiving and analyzing a sample email's raw headers can confirm the DKIM selector and signing domain used by your ESP, which is crucial for debugging.
• Collaborate with ESP support: If DMARC passes consistently but individual SPF or DKIM results are showing temperrors, engage with your ESP's support team to understand their authentication process and potential reasons for these transient issues.
• Monitor changes: Stay vigilant to any recent changes in DNS management, ESP configurations, or IP infrastructure that might correlate with the onset of these authentication issues. Klaviyo has a resource on why DMARC is important for their senders.

Key opinions

• Forwarding impact: Softfails in DMARC reports can frequently be attributed to email forwarding, where the original SPF or DKIM alignment can break during the re-transmission process.
• ISP variations: Yahoo and Microsoft (Outlook) are frequently cited as ISPs that are more prone to reporting temperror or permerror results due to their stringent or sometimes idiosyncratic authentication validation processes.
• Postmark DKIM issues: There's a known issue where Outlook specifically breaks Postmark's DKIM signatures, contributing to temperrors, a situation that has been ongoing for some time.
• Consistent failures: Many domains have been experiencing temperrors and permerrors, but often SPF and DKIM don't fail simultaneously, which allows the DMARC policy to still pass.

Key considerations

• DNS health check: Experts recommend a complete walk-through and check of every DNS record, as issues like rogue nameservers or improper propagation can be underlying causes of authentication problems.
• DKIM signature analysis: The DKIM selector ('s=') and domain ('d=') values within an email's header are critical for diagnosing issues. All emails from a given sending domain should be signed with consistent values.
• Request raw DMARC XMLs: While DMARC dashboards provide summaries, requesting the raw XML files from your DMARC reporting service allows for a more comprehensive and detailed analysis to identify specific reporters and their failure reasons. This can help troubleshoot DMARC failures.
• Dual alignment practice: Having both SPF and DKIM alignment checks in place is considered good practice. This redundancy helps ensure that DMARC passes even if one authentication method experiences intermittent issues.
• Understand reporting designations: If using a DMARC monitoring platform, engage with their support to clarify the meaning of specific error designations in their reports, ensuring accurate interpretation of the data.

Key findings

• SPF softfail definition: According to RFC 7208 (SPF), a softfail indicates a transitioning domain, where the sending IP is not explicitly authorized but also not strictly unauthorized. It often implies a temporary or uncertain SPF status.
• DKIM temperror definition: A temperror (or temporary error) in DKIM, as defined in RFC 6376, typically signifies that a DNS lookup for the DKIM public key failed due to transient issues like network timeouts or DNS server unavailability.
• DMARC passing conditions: As per RFC 7489 (DMARC), a message passes DMARC if either SPF or DKIM (or both) authenticate and align with the From: domain. This explains why an overall DMARC pass can occur even with individual temperrors or softfails.
• Reporting granularity: DMARC aggregate reports provide XML data that includes granular details on authentication results for each message, including disposition (pass/fail), SPF and DKIM results, and specific reasons for failure like temperror.

Key considerations

• DNS timeout considerations: Temperrors often indicate transient DNS lookup issues. Ensure your DNS records, especially DKIM CNAMEs, are configured for optimal performance and responsiveness to avoid timeouts from recipient servers.
• Impact of forwarding: Documentation confirms that email forwarding can invalidate SPF and lead to softfails. While DKIM is more resilient, misconfigurations or modifications during transit can still cause issues.
• Understanding aggregate reports: Familiarize yourself with the structure and content of DMARC aggregate reports (XML format) to accurately diagnose the root causes of authentication failures, even if the overall DMARC outcome is a pass.
• DKIM replay attacks: RFCs detail how DKIM signatures include a timestamp (`t=`) and an expiration (`x=`) tag to prevent replay attacks. A temperror could theoretically occur if a legitimate message is replayed outside its validity window, though this is less common for ESP-sent mail.