What does an Authentication-Results header contain when DKIM passes but DomainKeys fails?
Summary
What email marketers say
9 marketer opinions
Email marketer from EmailProviderHelp states that a DomainKeys failure alongside a DKIM pass suggests that the server has not configured DomainKeys, or the configuration is out of date. Ensure DKIM is correct as that is more important for authentication.
Email marketer from StackExchange explains that if DKIM passes but DomainKeys fails, it's likely because the recipient server supports both but the message only fully conforms to DKIM. Also, DomainKeys is older and less reliable. The email might still be considered legitimate due to the DKIM pass.
Email marketer from Mailhardener shares that an Authentication-Results header contains the evaluation results of various email authentication methods. If DKIM passes and DomainKeys fails, it indicates that DKIM successfully verified the sender's signature, but DomainKeys did not. This could be because the message was altered in transit (according to DomainKeys) or because DomainKeys is not properly configured. Because DomainKeys is so old, it's more likely that DomainKeys has not been configured.
Email marketer from Reddit states that a DKIM pass alongside a DomainKeys fail usually indicates that the sending domain has properly implemented DKIM, which is more modern, but either hasn't implemented DomainKeys or it is misconfigured. The DKIM pass is what matters more in modern email systems.
Email marketer from EmailDeliverabilityBlog explains that a DKIM pass is more important than a DomainKeys fail. Focus on ensuring DKIM is properly configured as it is the more modern and widely adopted standard. DomainKeys failures can often be safely ignored.
Email marketer from EmailAuthGuide explains that if DomainKeys fails, you should focus on checking your DKIM setup. Tools and resources are available to validate DKIM configuration to ensure proper setup.
Email marketer from MXToolbox recommends ignoring DomainKeys, as it has been superseded by DKIM. Make sure DKIM passes.
Email marketer from EmailSecurity explains that the 'fail (message has been altered)' reason in DomainKeys typically means that some part of the message was modified between when the signature was created and when it was verified. This can be due to mailing list servers, forwarding, or other intermediaries modifying the email.
Email marketer from EmailGeek Forum says that if DKIM passes, that’s generally a good sign. A DomainKeys failure is often ignored, especially if DKIM is correctly set up. DomainKeys is less frequently used these days.
What the experts say
6 expert opinions
Expert from Word to the Wise details that the Authentication-Results header shows each authentication check performed on an email. A DKIM pass and DomainKeys fail implies that DKIM successfully verified the sender, while DomainKeys either failed or wasn't present. This is not uncommon, and DKIM takes precedence.
Expert from Email Geeks explains that amavis and OpenDKIM both do Authentication-Results headers. She also notes that OpenDKIM doesn’t check DomainKeys.
Expert from Email Geeks suspects that MS was emitting invalid emails, and opendkim wasn’t handling the canonicalization correctly.
Expert from Email Geeks says there have been points where older versions of opendkim couldn’t handle some (rare) emails from MS, but the reason was never narrowed down.
Expert from Email Geeks shares an interesting Authentication-Results header from amavis.wordtothewise.com which includes both dkim=pass and domainkeys=fail.
Expert from SpamResource explains that if DKIM passes, the email is likely authentic and that the DomainKeys failure might be due to its obsolescence or configuration issues. Focus on ensuring DKIM alignment for better deliverability.
What the documentation says
5 technical articles
Documentation from Valimail explains that an Authentication-Results header includes details about SPF, DKIM, and DMARC checks. A DKIM pass combined with a DomainKeys fail suggests the DKIM signature is valid, but DomainKeys either failed verification or wasn't implemented.
Documentation from RFC Editor (RFC4871) explains that DKIM provides a mechanism for verifying the source and integrity of email messages, even if the message passes through multiple servers. If DKIM passes, it confirms that the message hasn't been altered since it was signed by the sender.
Documentation from OpenDKIM says that OpenDKIM primarily focuses on DKIM, but older versions may still check for DomainKeys signatures. If DomainKeys fails, it’s likely due to changes during transit that break the signature.
Documentation from RFC Editor explains that the Authentication-Results header field reports the results of message authentication checks, including DKIM and DomainKeys. The header includes the authentication method, the identity used to validate the message, and the result of the validation.
Documentation from DMARC.org explains that DomainKeys is effectively deprecated. DomainKeys is rarely used anymore; DKIM is the preferred standard.
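
The header structure described above (method, identity, result) and the "DKIM takes precedence" triage, as an added example that is not code from any of the quoted sources. The sample header, host names and selector are constructed, `parse_authres` and `triage` are hypothetical names, and the authserv-id check is an added assumption following RFC 8601's advice to act only on results stamped by your own receiving system.

```python
import re

# Constructed sample (not from the page); hosts and selector are placeholders.
SAMPLE = (
    "Authentication-Results: mx.example.net;\r\n"
    " dkim=pass header.d=example.com header.s=sel1;\r\n"
    " domainkeys=fail (message has been altered; see log)"
    " header.from=news@example.com;\r\n"
    " spf=pass smtp.mailfrom=bounce@example.com"
)

CLAUSE = re.compile(r"([A-Za-z0-9-]+)\s*=\s*([A-Za-z]+)(.*)", re.S)
COMMENT = re.compile(r"\(([^()]*)\)")
PROP = re.compile(r"\b([a-z]+\.[A-Za-z0-9_-]+)=(\S+)")


def parse_authres(header):
    """Split an Authentication-Results header into (authserv_id, results)."""
    value = re.sub(r"\r?\n[ \t]+", " ", header.split(":", 1)[1])  # unfold
    # Split on ';' except inside a (comment), which may itself contain ';'.
    parts = [p.strip() for p in re.split(r";(?![^()]*\))", value)]
    authserv_id, results = parts[0].split()[0], []
    for part in parts[1:]:
        m = CLAUSE.fullmatch(part)
        if not m:
            continue  # e.g. "none" or an empty trailing clause
        method, result, rest = m.groups()
        note = COMMENT.search(rest)
        results.append({
            "method": method.lower(),
            "result": result.lower(),
            "comment": note.group(1) if note else None,
            "props": dict(PROP.findall(COMMENT.sub(" ", rest))),
        })
    return authserv_id, results


def triage(header, trusted_authserv_id):
    """DKIM decides; a DomainKeys failure is recorded but does not veto it."""
    authserv_id, results = parse_authres(header)
    if authserv_id.lower() != trusted_authserv_id.lower():  # assumption: RFC 8601 trust rule
        return {"trusted": False, "dkim_pass": [], "noted": []}
    dkim_pass = [r["props"].get("header.d") for r in results
                 if r["method"] == "dkim" and r["result"] == "pass"]
    noted = [(r["method"], r["result"], r["comment"]) for r in results
             if r["method"] == "domainkeys" and r["result"] != "pass"]
    return {"trusted": True, "dkim_pass": dkim_pass, "noted": noted}
```

The `noted` list keeps the DomainKeys reason text for logging, so a recurring "message has been altered" comment can still be traced to a forwarder or mailing list without affecting the DKIM decision.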