Email authentication is the sender’s best defense against phishing and spoofing. But ultimately, mailbox providers like Gmail, Yahoo!, and Microsoft have the final say in what gets delivered and what does not. Sometimes, legitimate mail streams suffer based on these decisions—and senders are left wondering why authentication failed and what to do about it.
Last week, we revealed how we helped one client solve a mysterious boost in SPF (Sender Policy Framework) failure rate for legitimate messages. This week, we will explore why another client saw similar failure reports with DKIM (DomainKeys Identified Mail) and how we helped them fix the problem.
The problem: DKIM alignment failures
Like SPF, DKIM is a critical protocol to DMARC (Domain-based Message Authentication, Reporting and Conformance). When DKIM alignment fails, that is, when the domain in the Header From address does not match the d= value in the DKIM signature, it can negatively impact deliverability, as mailbox providers may send the message to the spam folder or block it entirely. (For a refresher on how DKIM works, check out this blog post.)
Recently, DKIM alignment results for one of our client’s legitimate sending domains were failing approximately 30 percent of the time, while the DKIM signature itself was passing at a rate of more than 99 percent. They could not understand why DKIM alignment was not consistently successful when all emails were being signed in the same way.
Matrix of email authentication failures over one week
Diagnosis: Multiple DKIM signatures
To send emails over the domain in question, our client used a third-party email service provider (ESP). Upon investigation, we saw that their emails were being signed with two DKIM signatures, as is permitted by the spec. The first signature had a d= value matching the Header From domain of the email, and the second had a d= value pertaining to a domain belonging to the third-party sender.
As a reminder, in order for a message to pass DKIM alignment, the d= value in the DKIM signature must match the domain in the Header From address. By drilling down into the result reported by each mailbox provider, we could see that the mailbox providers reporting both DKIM pass and DKIM alignment were using the d= value in the first signature (which matched the Header From domain) to check alignment. Because of this match, the mailbox providers reported a positive result.
However, there were three mailbox providers that reported an alignment fail. The culprit in these cases was the d= value in the second signature, as it did not match the Header From address.
Seven-day alignment pass rate per ISP during failure period
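To make the diagnosis above reproducible, here is an added example (not code from the original post or from the client's ESP) that pulls the d= tag out of every DKIM-Signature header on a message and reports, per signature, whether it aligns with the Header From domain. The sample message is constructed to mirror the case: a first signature whose d= matches the Header From domain and a second whose d= is the ESP's own domain; its bh=/b= values are dummies, and the code assumes both signatures have already verified cryptographically (the post reports a pass rate above 99 percent) and checks alignment only. It also goes slightly beyond the post by supporting both relaxed and strict alignment modes, with a simplified organizational-domain rule (last two labels, not the Public Suffix List). Under RFC 7489, DKIM alignment passes when at least one verified signature aligns, so the per-signature view is what shows which signature a failing report is pointing at.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message modelled on the case in the post: two
# DKIM-Signature headers, the first with d= matching the Header From domain,
# the second with d= of the (hypothetical) ESP domain. Signature values are
# dummies; we assume both signatures already verified and only check alignment.
SAMPLE_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel1; h=from:to:subject; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example.net;
 s=sel2; h=from:to:subject; bh=AAAA; b=CCCC
From: Marketing <news@example.com>
To: user@mailbox.example
Subject: Hello

body
"""


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value ('tag=value; tag=value; ...') into a dict.
    Whitespace inside values (folded b= data etc.) is dropped."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification: the last two labels. A real DMARC evaluator uses the
    Public Suffix List, so e.g. 'example.co.uk' would need special handling."""
    return ".".join(domain.lower().split(".")[-2:])


def is_aligned(sig_domain: str, from_domain: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment for a DKIM d= domain against the Header From
    domain: exact match in strict mode, same organizational domain in relaxed."""
    sig_domain, from_domain = sig_domain.lower(), from_domain.lower()
    if mode == "strict":
        return sig_domain == from_domain
    return organizational_domain(sig_domain) == organizational_domain(from_domain)


def header_from_domain(raw_message: str) -> str:
    """Domain part of the RFC5322.From address."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def dkim_signing_domains(raw_message: str) -> list:
    """The d= tag of every DKIM-Signature header, in header order."""
    msg = message_from_string(raw_message, policy=policy.default)
    return [parse_dkim_tags(str(h)).get("d", "").lower()
            for h in msg.get_all("DKIM-Signature", [])]


def alignment_per_signature(raw_message: str, mode: str = "relaxed") -> list:
    """(d= domain, aligned?) for each signature. This is the view that shows
    which signature a mailbox provider's alignment failure is pointing at."""
    from_domain = header_from_domain(raw_message)
    return [(d, is_aligned(d, from_domain, mode))
            for d in dkim_signing_domains(raw_message)]


def dmarc_dkim_aligned(raw_message: str, mode: str = "relaxed") -> bool:
    """RFC 7489 rule: DKIM alignment passes if at least one signature aligns."""
    return any(aligned for _, aligned in alignment_per_signature(raw_message, mode))


if __name__ == "__main__":
    for d, aligned in alignment_per_signature(SAMPLE_MESSAGE):
        print(f"d={d:<20} aligned={aligned}")
    print("DMARC DKIM alignment (any signature):", dmarc_dkim_aligned(SAMPLE_MESSAGE))
```

Run against the sample, the first signature reports aligned and the second does not, while the any-signature rule still passes; that is exactly the split between the providers reporting pass and the three reporting fail. Running the same check over a sample of outbound mail from each ESP is a quick way to find extra signing domains before a DMARC report does.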
The solution: Get rid of the second DKIM signature
Discussions with the client and their ESP determined that the second DKIM signature was superfluous and could therefore be removed from the signing process entirely.
Once the client made this change, there was a brief (and expected) period where the mailbox providers provided varying results. Ultimately, however, all mailbox providers began to report a more than 99 percent pass rate for both the DKIM checks and alignment.
Seven-day alignment pass rate per ISP after failure period
The lesson: Communication is key
While diagnosis is a critical first step to troubleshooting an email authentication problem, an equally critical component is communication—both internally between your marketing and security departments, and externally between your third-party ESPs, mailbox providers, and email authentication partner(s).
Next week, we will explore how and why one client’s DMARC reject policy was not blocking suspicious messages as it should and the process necessary to fix the problem.
Want more blog posts like these? Subscribe to our blog and stay up to date on all the latest email authentication news and best practices.