Why are my DKIM and DMARC failing in ConvertKit?

Key findings

• Platform limitations: ConvertKit often restricts users to only one authenticated (signed) sending domain per account, regardless of how many sender email addresses are used.
• Domain misalignment: Emails sent from domains not explicitly signed within ConvertKit will likely fail DMARC, even if their DKIM record is technically published and looks valid in external checkers.
• DKIM selector: ConvertKit typically uses a specific DKIM selector, such as cka._domainkey.
• DMARC policy impact: A p=none DMARC policy does not cause DMARC failures; it only tells receiving servers to monitor the results rather than quarantining or rejecting failed emails. The failures occur independently of this policy.

Key considerations

• Verify signed domain: Ensure that the domain you are sending from is the one ConvertKit has properly signed and authenticated.
• Align sending domains: For optimal deliverability, all sending email addresses should align with the single, signed domain within ConvertKit.
• Review DMARC reports: Monitor DMARC reports to identify specific sources and reasons for failures, especially `header from` domain and `dkim d= tag` misalignment. You can learn more about stopping ConvertKit emails from going to junk via this helpful guide.
• ConvertKit support: Engage with ConvertKit support to understand their domain authentication capabilities and potential workarounds for multiple sending domains, if needed.

Key opinions

• Frustration with ESPs: Many marketers express frustration with ESPs that have rigid domain authentication policies or lack transparent tools for managing multiple sending domains.
• Importance of domain alignment: Marketers frequently emphasize that DMARC success hinges on the alignment of the 'From' domain with the authenticated (DKIM and/or SPF) domain.
• Impact on deliverability: Poor DMARC and DKIM authentication directly impacts inbox placement, leading to emails landing in spam or being rejected. For more on setup, refer to this guide on SPF, DKIM, and DMARC.
• Difficulty troubleshooting: Troubleshooting these issues can be challenging, as external checkers might show records as valid while emails still fail at the recipient's server.

Key considerations

• Careful configuration: Double-check all DNS records (SPF, DKIM, DMARC) as provided by ConvertKit to prevent verification failures.
• Test thoroughly: Send test emails to various providers (Gmail, Outlook, Yahoo) and check email headers for authentication results.
• Prioritize primary sending domain: If an ESP limits signed domains, marketers often must choose one primary domain for optimal deliverability.
• Consider alternative ESPs: For businesses requiring multiple fully authenticated sending domains, exploring ESPs with more flexible domain management features might be necessary, as outlined in email deliverability guides.

Key opinions

• ESP domain signing limitations: Experts agree that ESPs limiting users to one signed domain per account (like ConvertKit) is a major constraint and a common source of DMARC failures for users sending from multiple domains.
• DMARC alignment is critical: It is consistently stated that DMARC failure is often a result of `From:` header domain misalignment with the DKIM `d=` domain or the SPF `Return-Path` domain. Learn more about DMARC vs DKIM vs SPF.
• `v` tag for DKIM: While v=DKIM1 is a best practice for DKIM records, its absence usually defaults to version 1 and isn't the primary cause of DKIM failure if the rest of the record is valid and signed correctly.
• `p=none` is for monitoring: A DMARC policy of p=none indicates monitoring mode; it does not cause DMARC failures but rather prevents receivers from taking action (quarantine/reject) on failed emails. The failure itself stems from authentication issues.

Key considerations

• Understand ESP's authentication model: Before committing to an ESP, verify how they handle domain authentication, especially for multiple sending domains or subdomains.
• Prioritize authentication over policy: Focus on ensuring SPF and DKIM are correctly configured and aligned, as these are prerequisites for DMARC pass, regardless of the DMARC policy.
• Leverage DMARC reports: Use DMARC aggregate and forensic reports to precisely diagnose authentication failures, identifying the source, authentication results, and alignment status. This helps in understanding why your DMARC success rate might be dropping.
• Seek alignment solutions: If an ESP cannot sign multiple domains, consider using subdomains or consistent branding to ensure the `From:` header aligns with the single signed domain, helping to fix common DMARC issues.

Key findings

• DMARC alignment requirements: DMARC explicitly requires either SPF or DKIM to align with the `From:` header domain for a `pass` result, ensuring both technical authentication and domain consistency.
• DKIM record structure: DKIM records (TXT records) must contain specific tags, including a public key. The v=DKIM1 version tag is often optional or defaults to version 1 if omitted.
• ESP specific instructions: ESP documentation (like ConvertKit's) provides precise DNS records and instructions for authentication, which must be followed meticulously to ensure correct setup. This includes guides on how to configure SPF, DKIM, and DMARC.
• Impact of policy: DMARC policies (p=none, p=quarantine, p=reject) dictate how receiving mail servers should handle non-compliant emails, but the policy itself does not cause the underlying authentication failure.

Key considerations

• Adhere to ESP's DNS requirements: Always use the exact SPF and DKIM records provided by your email service provider, as deviations can lead to failures, including common DKIM record not found errors.
• Understand DMARC alignment modes: Familiarize yourself with "strict" and "relaxed" DMARC alignment modes and how they apply to your email streams for optimal compliance.
• Consult RFCs for technical details: For deep technical understanding, refer to RFCs (e.g., RFC 6376 for DKIM, RFC 7489 for DMARC) for authoritative specifications and insights into DMARC tags.
• Regularly review authentication guides: Stay updated with your ESP's documentation and industry best practices for email authentication, as requirements can evolve.