Why are some SFMC emails failing DKIM and causing DMARC rejections?

Key findings

• Partial DKIM failures: A small percentage of emails failing DKIM signatures from SFMC suggests an intermittent issue, rather than a complete misconfiguration. This can be harder to diagnose than consistent failures.
• DMARC rejection without SPF alignment: When DKIM fails or is missing and SPF is not aligned, a DMARC policy of p=reject will cause emails to bounce. For more details, see our guide on DMARC verification failures.
• ISP-specific issues: Problems occurring specifically with ISPs like Comcast, SBCGlobal, and Bellsouth indicate these receivers have stricter authentication checks.
• Impact of unauthenticated IPs: Emails sent from specific IP pools within an ESP's network might lack proper authentication, leading to DMARC failure.

Key considerations

• Review DMARC reports: Aggregated DMARC reports (RUA) provide insights into authentication failures, including DKIM and SPF. These reports show where and why DMARC is failing. Kinsta offers more on fixing DMARC failures.
• Engage with ESP support: If only a fraction of emails are unsigned, this suggests a potential bug or misconfiguration on the ESP's side. SFMC support should be able to investigate the cause.
• Consider DMARC policy adjustment: If consistent authentication issues persist, consider lowering your DMARC policy to p=none or p=quarantine until the underlying DKIM issues are resolved. Learn more about safely transitioning your DMARC policy.
• Investigate message characteristics: Look for distinctive features in emails failing DKIM. This could involve RFC 821 violations, encoding problems, or specific content types that interfere with signature generation.

Key opinions

• DMARC policy caution: Many marketers advise against setting a DMARC policy to p=reject if full domain alignment for SPF and DKIM isn't consistently achieved.
• ESP responsibility: There's a strong sentiment that if an ESP is used, they should ensure proper authentication and advise clients against policies that could lead to deliverability issues.
• Intermittent DKIM issues: Some marketers have observed very small percentages of emails from SFMC going out without DKIM, suggesting a rare platform bug. See why your emails fail and how to fix them.
• IP pool discrepancies: Issues might be confined to specific IP pools used by the ESP, indicating a segmented problem within their infrastructure.

Key considerations

• Monitoring DMARC reports: Accessing and analyzing DMARC reports is crucial for identifying the extent and nature of authentication failures. Without these, troubleshooting is significantly hindered.
• SPF alignment: If DKIM isn't consistently signing, ensuring SPF alignment becomes even more critical to pass DMARC. Learn more about SPF alignment failures.
• Cost-benefit analysis: For very small percentages of failing emails, some marketers may decide the effort to fix outweighs the deliverability impact.
• Proactive ESP communication: Regular discussions with ESPs about authentication practices and DMARC policy recommendations are essential.

Key opinions

• Gradual DMARC deployment: Experts strongly advise against moving to a p=reject DMARC policy without robust control and visibility over all mailstreams to ensure SPF and DKIM alignment.
• Deep technical investigation: When DKIM issues are sporadic, experts suggest investigating specifics like RFC 821 violations, email encoding issues, and patterns across recipient domains.
• ESP accountability: Experts believe it's the ESP's responsibility to manage authentication correctly. If an ESP doesn't advise clients on proper DMARC deployment, it may signal a lack of attention to deliverability best practices.
• Complexity of intermittent issues: Small percentages of unexplained authentication failures, especially from large ESPs like SFMC, can be indicative of underlying system bugs that are challenging to diagnose.

Key considerations

• DMARC report analysis: Leveraging DMARC reports is paramount for experts to diagnose authentication failures. These reports provide the necessary data points to troubleshoot complex issues. For more information, see our page on troubleshooting DMARC failures.
• Mailstream control: Organizations must have sufficient control over their mailstreams to ensure proper SPF and DKIM authentication. This includes understanding all sending sources.
• Technical deep-dives: Beyond basic checks, a detailed examination of failing email samples, including headers and body content, can reveal subtle issues impacting DKIM signing.
• Provider communication: Clear and persistent communication with the ESP is necessary to resolve platform-specific or IP-related authentication glitches. Review this guide on boosting email deliverability rates.

Key findings

• DKIM failure definition: DKIM fails when the cryptographic signature appended to an email cannot be successfully verified by the recipient server against the public key published in DNS.
• DMARC policy enforcement: DMARC policies (e.g., p=none, p=quarantine, p=reject) dictate how mail servers should handle messages that fail DMARC authentication checks.
• Alignment requirement: For DMARC to pass, either SPF or DKIM (or both) must authenticate and align with the From: domain. If DKIM is missing, SPF alignment becomes critical.
• Common DMARC failure causes: DMARC failures often stem from misconfigured DMARC records or issues with SPF and DKIM implementation, leading to authentication failures.

Key considerations

• Comprehensive DMARC deployment: Documentation recommends a phased DMARC deployment, starting with p=none to gather reports before moving to stricter policies. eSecurity Planet explains why DMARC can fail.
• Email content impact: Changes to email content, such as modifications by forwarders or mailing lists, can break DKIM signatures, leading to authentication failures. This is a common cause of issues.
• Importance of DMARC reports: Official guidelines emphasize that DMARC aggregate and forensic reports are vital for identifying authentication issues and non-compliant sending sources.
• ESP configuration: Email service providers must correctly configure DKIM signing for client domains, including proper selector usage and key management, to ensure successful authentication.