What does an Authentication Results Header contain when DKIM passes but DomainKeys fail?

Summary

When an Authentication-Results header shows a DKIM pass and a DomainKeys fail, it indicates that the email likely passed DKIM verification, confirming its source and integrity. DomainKeys failure is common due to its obsolescence or misconfiguration, and is often safe to ignore. OpenDKIM may not always handle certain Microsoft emails correctly. Email professionals recommend focusing on DKIM setup and DKIM alignment, while understanding that DomainKeys is deprecated.

Key findings

  • DKIM Pass is Primary: A DKIM pass signifies that the email is likely authentic and hasn't been altered.
  • DomainKeys is Outdated: DomainKeys is deprecated, less reliable, or not properly configured.
  • Authentication-Results Defined: The Authentication-Results header reports the outcome of various email authentication checks.
  • OpenDKIM and MS Emails: Older OpenDKIM versions may struggle with some Microsoft emails.

Key considerations

  • Focus on DKIM Configuration: Prioritize DKIM setup and alignment for deliverability.
  • Ignore DomainKeys Failures: Treat DomainKeys failures as largely insignificant.
  • Message Alterations: Consider that DomainKeys failures may be due to message alterations during transit.

What email marketers say
9Marketer opinions

When a DKIM check passes and a DomainKeys check fails in an Authentication Results Header, it generally indicates that DKIM, the more modern and reliable authentication method, has successfully verified the sender's signature. The DomainKeys failure is often due to the method's obsolescence, misconfiguration, or the message being altered in transit. Experts recommend prioritizing DKIM configuration and treating DomainKeys failures as less significant or ignorable.

Key opinions

  • DKIM Priority: DKIM pass is more important; it's the current standard.
  • DomainKeys Obsolete: DomainKeys is old and often unconfigured.
  • Message Alteration: DomainKeys failure may indicate message alteration.
  • Authentication Results: Authentication-Results header reports email authentication checks.

Key considerations

  • Check DKIM Setup: Ensure DKIM is correctly configured and aligned.
  • Ignore DomainKeys: DomainKeys failures can usually be ignored.
  • Mailing Lists: Be aware that mailing lists may alter messages, causing DomainKeys to fail.
Marketer view

Email marketer from EmailProviderHelp states that a DomainKeys failure alongside a DKIM pass suggests that the server has not configured DomainKeys, or the configuration is out of date. Ensure DKIM is correct as that is more important for authentication.

February 2025 - EmailProviderHelp
Marketer view

Email marketer from StackExchange explains that if DKIM passes but DomainKeys fails, it's likely because the recipient server supports both but the message only fully conforms to DKIM. Also, DomainKeys is older and less reliable. The email might still be considered legitimate due to the DKIM pass.

June 2024 - StackExchange
Marketer view

Email marketer from Mailhardener shares that an Authentication-Results header contains the evaluation results of various email authentication methods. If DKIM passes and DomainKeys fails, it indicates that DKIM successfully verified the sender's signature, but DomainKeys did not. This could be because the message was altered in transit (according to DomainKeys) or because DomainKeys is not properly configured. Because domainKeys is so old its more likely that the domainKeys has not been configured.

September 2021 - Mailhardener
Marketer view

Email marketer from Reddit states that a DKIM pass alongside a DomainKeys fail usually indicates that the sending domain has properly implemented DKIM, which is more modern, but either hasn't implemented DomainKeys or it is misconfigured. The DKIM pass is what matters more in modern email systems.

June 2021 - Reddit
Marketer view

Email marketer from EmailDeliverabilityBlog explains that a DKIM pass is more important than a DomainKeys fail. Focus on ensuring DKIM is properly configured as it is the more modern and widely adopted standard. DomainKeys failures can often be safely ignored.

August 2021 - EmailDeliverabilityBlog
Marketer view

Email marketer from EmailAuthGuide explains if DomainKeys fails, focus on checking your DKIM setup. Tools and resources are available to validate DKIM configuration to ensure proper setup.

January 2022 - EmailAuthGuide
Marketer view

Email marketer from MXToolbox recommends that DomainKeys can be ignored as it has been superseded by DKIM. Make sure DKIM passes.

September 2022 - MXToolbox
Marketer view

Email marketer from EmailSecurity explains that the 'fail (message has been altered)' reason in DomainKeys typically means that some part of the message was modified between when the signature was created and when it was verified. This can be due to mailing list servers, forwarding, or other intermediaries modifying the email.

April 2021 - EmailSecurity
Marketer view

Email marketer from EmailGeek Forum says that if DKIM passes, that’s generally a good sign. A DomainKeys failure is often ignored, especially if DKIM is correctly set up. DomainKeys is less frequently used these days.

April 2021 - EmailGeek Forum

What the experts say
6Expert opinions

An Authentication-Results header contains information about email authentication checks, including DKIM and DomainKeys. A DKIM pass with a DomainKeys failure suggests that the email is likely authentic due to successful DKIM verification. DomainKeys failure can stem from obsolescence, misconfiguration, or message alteration. Some older OpenDKIM versions may struggle with certain emails, potentially due to Microsoft emitting invalid emails. DKIM alignment should be prioritized for better deliverability.

Key opinions

  • DKIM Pass is Key: A passing DKIM result indicates the email is likely authentic.
  • DomainKeys Failure: DomainKeys failure is common and often ignorable due to its age.
  • OpenDKIM Issues: Older OpenDKIM versions might have issues with some emails, possibly from Microsoft.
  • Authentication-Results Header: This header contains details of authentication checks like DKIM and DomainKeys.

Key considerations

  • Prioritize DKIM: Focus on ensuring DKIM is properly configured for good deliverability.
  • DomainKeys Obsolescence: Recognize that DomainKeys is outdated and might not be relevant.
  • Microsoft Emails: Be aware of potential issues with certain Microsoft emails and OpenDKIM.
Expert view

Expert from Word to the Wise details that The Authentication-Results header shows each authentication check performed on an email. A DKIM pass and DomainKeys fail implies that DKIM successfully verified the sender, while DomainKeys either failed or wasn't present. This is not uncommon, and DKIM takes precedence.

January 2022 - Word to the Wise
Expert view

Expert from Email Geeks explains that amavis and openDKIM both do authentication results headers. She also notes that OpenDKIM doesn’t check domainkeys.

December 2024 - Email Geeks
Expert view

Expert from Email Geeks suspects that MS was emitting invalid emails, and opendkim wasn’t handling the canonicalization correctly.

June 2022 - Email Geeks
Expert view

Expert from Email Geeks says there have been points where older versions of opendkim couldn’t handle some (rare) emails from MS, but the reason was never narrowed down.

July 2022 - Email Geeks
Expert view

Expert from Email Geeks shares an interesting Authentication Results Header from <http://amavis.wordtothewise.com|amavis.wordtothewise.com> which includes both dkim=pass and domainkeys=fail.

September 2021 - Email Geeks
Expert view

Expert from SpamResource explains that if DKIM passes, the email is likely authentic and that the DomainKeys failure might be due to its obsolescence or configuration issues. Focus on ensuring DKIM alignment for better deliverability.

February 2023 - SpamResource

What the documentation says
5Technical articles

An Authentication-Results header, as defined in RFC specifications and explained by email authentication resources like Valimail, DMARC.org, and OpenDKIM, reports on various email authentication checks such as SPF, DKIM, and DMARC. When DKIM passes and DomainKeys fails, it signifies that the DKIM signature is valid and the message's integrity and source are verified, even across multiple servers. The DomainKeys failure usually stems from its deprecation, lack of implementation, or message alterations during transit. DKIM is the preferred standard.

Key findings

  • Header Reports Authentication: The Authentication-Results header shows the results of DKIM, SPF, and DMARC checks.
  • DKIM Validates Source: A DKIM pass confirms the message's source and integrity.
  • DomainKeys Deprecated: DomainKeys is no longer a preferred or widely used standard.
  • Transit Changes Impact DomainKeys: DomainKeys failure is often due to message changes in transit.

Key considerations

  • Prioritize DKIM Setup: Focus on ensuring DKIM is properly configured and working.
  • Understand Header Details: Review the Authentication-Results header to understand authentication outcomes.
  • DomainKeys Irrelevance: Treat DomainKeys failures as largely irrelevant in modern email authentication.
Technical article

Documentation from Valimail explains that an Authentication-Results header includes details about SPF, DKIM, and DMARC checks. A DKIM pass combined with a DomainKeys fail suggests the DKIM signature is valid, but DomainKeys either failed verification or wasn't implemented.

December 2024 - Valimail
Technical article

Documentation from RFC Editor (RFC4871) explains that DKIM provides a mechanism for verifying the source and integrity of email messages, even if the message passes through multiple servers. If DKIM passes, it confirms that the message hasn't been altered since it was signed by the sender.

February 2023 - RFC Editor
Technical article

Documentation from OpenDKIM says that OpenDKIM primarily focuses on DKIM, but older versions may still check for DomainKeys signatures. If DomainKeys fails, it’s likely due to changes during transit that break the signature.

December 2024 - OpenDKIM
Technical article

Documentation from RFC Editor explains that the Authentication-Results header field reports the results of message authentication checks, including DKIM and DomainKeys. The header includes the authentication method, the identity used to validate the message, and the result of the validation.

November 2021 - RFC Editor
Technical article

Documentation from DMARC.org explains that DomainKeys is effectively deprecated. DomainKeys is rarely used anymore; DKIM is the preferred standard.

July 2024 - DMARC.org