Think Like an Email Expert: How to Troubleshoot DKIM Alignment Failures

Posted by Aaron Stevenson on

Email authentication is the sender’s best defense against phishing and spoofing. But ultimately, mailbox providers like Gmail, Yahoo!, and Microsoft have the final say in what gets delivered and what does not. Sometimes, legitimate mail streams suffer based on these decisions—and senders are left wondering why authentication failed and what to do about it.

Last week, we revealed how we helped one client solve a mysterious rise in SPF (Sender Policy Framework) failures for legitimate messages. This week, we will explore why another client saw similar failure reports for DKIM (DomainKeys Identified Mail) and how we helped them fix the problem.

The problem: DKIM alignment failures
Like SPF, DKIM is a critical input to DMARC (Domain-based Message Authentication, Reporting and Conformance). DKIM alignment fails when the domain in the message's Header From does not match the d= domain of a DKIM signature that verified. Because DMARC only counts a signature that is both valid and aligned, an alignment failure can hurt deliverability: depending on the domain's DMARC policy, mailbox providers may send the message to the spam folder or block it entirely. (For a refresher on how DKIM works, check out this blog post.)

Recently, DKIM alignment for one of our client's legitimate sending domains was failing approximately 30 percent of the time, while the DKIM signatures themselves were verifying more than 99 percent of the time. The client could not understand why alignment was not consistently successful when every message was being signed in the same way.

[Figure: Matrix of email authentication failures over one week]

Diagnosis: Multiple DKIM signatures
To send email from the domain in question, our client used a third-party email service provider (ESP). Upon investigation, we saw that their messages carried two DKIM signatures, which the DKIM specification (RFC 6376) permits. The first signature had a d= value matching the Header From domain; the second had a d= value belonging to a domain of the third-party sender.

As a reminder, for a message to pass DKIM alignment, the d= domain of a verified DKIM signature must match the Header From domain: exactly under strict alignment, or at the organizational-domain level under relaxed alignment (the DMARC default). By drilling down into the result reported by each mailbox provider, we could see that the providers reporting both a DKIM pass and DKIM alignment were using the d= value of the first signature, which matched the Header From domain, to check alignment. Because of this match, those providers reported a positive result.

However, three mailbox providers reported an alignment fail. The culprit in these cases was the d= value in the second signature, which did not match the Header From domain. Under the DMARC specification (RFC 7489) a message passes DKIM alignment if any verified signature is aligned, so these providers were evidently evaluating only the ESP's signature. A sender cannot change how a receiver evaluates signatures, only which signatures it sends.

[Figure: Seven-day alignment pass rate per ISP during failure period]

The solution: Get rid of the second DKIM signature
Discussions with the client and their ESP established that the second DKIM signature served no purpose for this mail stream and could therefore be removed from the signing process entirely.

Once the client made this change, there was a brief (and expected) transition period in which mailbox providers reported varying results. Ultimately, however, every mailbox provider reported a pass rate of more than 99 percent for both the DKIM check and alignment.

[Figure: Seven-day alignment pass rate per ISP after failure period]
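The following is an added example, not code from the post, Return Path or the ESP. It reproduces the evaluation described in the diagnosis and the fix described in the solution: it reads the d= tag of every DKIM-Signature header on a constructed two-signature message, compares each with the Header From domain under strict and relaxed alignment, contrasts the RFC 7489 rule (any verified, aligned signature passes) with a receiver that consults only one signature, and then drops the ESP's signature. Cryptographic verification is assumed to have been done elsewhere (each signature's pass/fail result is passed in); the message, domains, selectors and signature values are constructed placeholders; and the organizational domain is approximated as the last two labels rather than looked up in the Public Suffix List.

```python
"""DMARC DKIM identifier alignment with several DKIM-Signature headers.
Added example, not code from the post or the ESP; signature verification
results are supplied by the caller and the message below is constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: signed once by the Header From domain and once by the
# ESP's own domain, as in the post. bh=/b= are placeholders; nothing verifies.
SAMPLE = b"""\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel2016; h=from:to:subject:date; bh=BODYHASH; b=SIGNATURE1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example.net;
 s=esp1; h=from:to:subject:date; bh=BODYHASH; b=SIGNATURE2
From: Example Newsletter <news@example.com>
To: reader@example.org
Subject: Weekly update
Date: Tue, 10 Jan 2017 10:00:00 +0000

Hello.
"""
TAG_RE = re.compile(r"([a-zA-Z][a-zA-Z0-9_]*)\s*=\s*([^;]*)")

def load_sample():
    """Parse the constructed message; policy.default unfolds the headers."""
    return email.message_from_bytes(SAMPLE, policy=policy.default)

def parse_dkim_tags(value):
    """tag=value pairs of a DKIM-Signature header, with folding whitespace
    stripped from the values (RFC 6376 section 3.2)."""
    return {name: re.sub(r"\s+", "", val) for name, val in TAG_RE.findall(value)}

def from_domain(msg):
    """Domain of the RFC5322.From address, the identifier DMARC aligns on."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()

def signature_domains(msg):
    """d= of every DKIM-Signature header, in header order."""
    return [parse_dkim_tags(str(h)).get("d", "").lower()
            for h in msg.get_all("DKIM-Signature", [])]

def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Assumption for this example: real receivers consult the Public Suffix
    List, which this shortcut gets wrong for names like example.co.uk."""
    return ".".join(domain.lower().split(".")[-2:])

def is_aligned(sig_domain, hdr_from_domain, mode="relaxed"):
    """RFC 7489 section 3.1.1: strict needs an exact match, relaxed (the
    default) needs the same organizational domain."""
    if mode == "strict":
        return sig_domain.lower() == hdr_from_domain.lower()
    return org_domain(sig_domain) == org_domain(hdr_from_domain)

def dmarc_dkim(msg, verified, mode="relaxed"):
    """Conformant evaluation: pass if ANY signature both verifies and is
    aligned. `verified` holds each signature's DKIM verification result,
    index-matched to signature_domains(). Returns (result, domain used)."""
    hfrom = from_domain(msg)
    for d, ok in zip(signature_domains(msg), verified):
        if ok and is_aligned(d, hfrom, mode):
            return "pass", d
    return "fail", None

def dmarc_dkim_single(msg, verified, index, mode="relaxed"):
    """Non-conformant evaluation that consults one signature only. Index 0
    reproduces the receivers that passed the message in the post, index 1
    the three that failed it on the ESP's d= value."""
    hfrom = from_domain(msg)
    d = signature_domains(msg)[index]
    ok = verified[index] and is_aligned(d, hfrom, mode)
    return ("pass" if ok else "fail"), d

def without_signature(msg, domain):
    """Copy of msg with the DKIM-Signature header(s) for `domain` removed:
    the post's fix, the ESP no longer adding its own signature."""
    copy = email.message_from_bytes(msg.as_bytes(), policy=policy.default)
    keep = [str(h) for h in copy.get_all("DKIM-Signature", [])
            if parse_dkim_tags(str(h)).get("d", "").lower() != domain.lower()]
    del copy["DKIM-Signature"]          # removes every DKIM-Signature header
    for h in keep:
        copy["DKIM-Signature"] = h
    return copy

if __name__ == "__main__":
    msg = load_sample()
    both_verify = [True, True]          # what the post reports: >99% DKIM pass
    print("Header From domain :", from_domain(msg))
    print("Signature d= values:", signature_domains(msg))
    print("All signatures     :", dmarc_dkim(msg, both_verify))
    print("First sig only     :", dmarc_dkim_single(msg, both_verify, 0))
    print("Second sig only    :", dmarc_dkim_single(msg, both_verify, 1))
    fixed = without_signature(msg, "esp.example.net")
    print("After the fix      :", signature_domains(fixed), dmarc_dkim(fixed, [True]))
```

Run against a real message, feed `verified` from an actual DKIM verifier and replace `org_domain` with a Public Suffix List lookup; the rest of the logic is what a DMARC receiver does with the d= values, and `dmarc_dkim_single` is only there to show how a one-signature evaluation produces the mixed per-provider results in the post.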

The lesson: Communication is key
While diagnosis is the critical first step in troubleshooting an email authentication problem, communication is equally critical: internally, between your marketing and security teams, and externally, with your third-party ESPs, mailbox providers, and email authentication partner(s). In this case, the sender had to find out what the ESP was signing with, and why, before the fix could be agreed.

Next week, we will explore how and why one client’s DMARC reject policy was not blocking suspicious messages as it should and the process necessary to fix the problem.


About Aaron Stevenson

Aaron Stevenson is a Strategic Project Manager at Return Path. He works closely with our clients to help them diagnose and resolve Email Authentication issues so that they can make full use of the Email Fraud Prevention capabilities of DMARC. Connect with him on Linkedin https://uk.linkedin.com/in/stevensonaaron
