Why are some SFMC emails failing DKIM and causing DMARC rejections?

Summary

SFMC emails failing DKIM and causing DMARC rejections result from a multifaceted combination of factors involving misconfigurations within SFMC, infrastructure limitations, and external influences. Critical issues include incomplete DKIM configurations across multiple SFMC IPs, SPF alignment problems, improperly generated or activated DKIM keys, and insufficient DMARC monitoring. Additional concerns involve the impact of shared IP reputations, weak DKIM keys, inaccurate DNS records, and email formatting violations. Addressing these requires a thorough understanding of email authentication protocols, vigilant monitoring, and proactive measures to ensure correct configurations and alignment.

Key findings

  • Domain Alignment: DKIM signing domain must match 'From' address domain; SPF must be aligned.
  • Incomplete DKIM: SFMC may use multiple IPs with incomplete DKIM configurations.
  • DKIM Key Issues: Problems include weak keys, incorrect key setup, and DNS misconfigurations.
  • DMARC Configuration: Improper DMARC policy settings or lack of DMARC monitoring hinder issue identification.
  • IP Reputation: Shared IPs can have fluctuating reputations, impacting deliverability.
  • Formatting Errors: Email formatting issues (e.g., RFC violations) can cause DKIM failures.
  • SFMC Specific Issues: Small percentage of emails may go out without DKIM from random pool IPs.

Key considerations

  • Authentication Expertise: Develop a strong understanding of SPF, DKIM, and DMARC.
  • SFMC Configuration: Verify all SFMC sending IPs and domains are correctly configured and aligned.
  • DKIM Strength: Use strong DKIM keys (at least 1024 bits).
  • DMARC Monitoring: Implement DMARC monitoring and reporting to detect failures.
  • IP Reputation Management: Monitor and manage IP reputation, considering dedicated IPs if necessary.
  • DNS Records: Ensure accurate DNS records for DKIM.
  • Email Formatting: Adhere to email formatting standards.
  • DMARC Policy: If you have a DMARC policy of reject, ensure that DKIM and SPF are correctly configured. If they are not, use a DMARC policy of none.

What email marketers say
10 marketer opinions

SFMC emails failing DKIM and causing DMARC rejections can stem from various sources, including SFMC's infrastructure, configuration issues, and a lack of understanding of email authentication protocols. Specifically, SFMC might use multiple IPs with incomplete DKIM configurations, SPF misalignment, or incorrect DKIM key setups. External factors, like shared IP reputation and insufficient DMARC monitoring, also play a role. Addressing these issues requires meticulous setup, active monitoring, and a strong understanding of SPF, DKIM, and DMARC.

Key opinions

  • Incomplete DKIM: SFMC might use multiple IPs, not all of which are DKIM-configured, causing intermittent failures.
  • SPF Misalignment: Emails might be sent from subdomains or domains not aligned with SPF records, leading to DMARC failures.
  • Incorrect Key Setup: Improperly generated, uploaded, or activated DKIM keys within SFMC will lead to authentication failures.
  • Lack of Monitoring: Lack of DMARC monitoring prevents senders from identifying the root causes of DKIM/SPF alignment issues.
  • IP Reputation: Shared IPs in SFMC with fluctuating reputations can impact deliverability, even with passing DKIM.
  • Insufficient Key Size: Using weak DKIM keys can cause failures, particularly with stricter ISPs.
  • Domain Verification: Ensuring the sending domain is properly configured and verified within SFMC is crucial.

Key considerations

  • DKIM Configuration: Verify all sending IPs and domains in SFMC are correctly DKIM-configured with sufficient key sizes.
  • SPF Alignment: Ensure SPF records are properly aligned with all sending domains and subdomains used by SFMC.
  • DMARC Monitoring: Implement DMARC monitoring and reporting to diagnose DKIM and SPF alignment issues.
  • IP Reputation Management: Monitor and manage IP reputation, considering dedicated IPs if shared IPs cause deliverability issues.
  • Authentication Knowledge: Gain a thorough understanding of SPF, DKIM, and DMARC to correctly identify and fix authentication issues.
  • Domain Verification: Verify all sending domains are properly configured and verified in SFMC.
Marketer view

Email marketer from Stack Overflow responds that SFMC uses multiple IPs for sending and it's possible that not all IPs are configured with DKIM, or that the DKIM configuration is incomplete. This can cause intermittent DKIM failures.

September 2023 - Stack Overflow
Marketer view

Email marketer from Email on Acid explains that lack of DMARC monitoring and reporting prevents senders from seeing the root causes of failures. Analyzing DMARC reports is crucial to diagnose DKIM and SPF alignment issues in SFMC.

December 2024 - Email on Acid
Marketer view

Email marketer from SuperOffice responds that not fully understanding the email authentication process is a common mistake and this leads to misconfigurations. You need to learn about SPF, DKIM and DMARC to correctly identify and fix email authentication issues.

June 2023 - SuperOffice
Marketer view

Email marketer from Salesforce Marketing Cloud Community shares that ensuring DKIM keys are properly generated, uploaded, and activated within SFMC is crucial. Incorrect key setup will lead to DKIM failures.

March 2022 - Salesforce Marketing Cloud Community
Marketer view

Email marketer from Mailgun answers that ensuring that the sending domain is properly configured and verified within SFMC is crucial. An unverified domain may lead to sporadic authentication issues.

November 2024 - Mailgun
Marketer view

Email marketer from Reddit suggests that SFMC might be sending emails from subdomains or domains that are not properly aligned with your SPF records, leading to DMARC failures even if DKIM passes.

May 2024 - Reddit
Marketer view

Marketer from Email Geeks shares an anecdote about a client who consistently sees a tiny percentage of their emails from SFMC go out without DKIM or from a random pool IP, and they have never been able to figure out why.

June 2024 - Email Geeks
Marketer view

Email marketer from Litmus shares that shared IPs in SFMC can have fluctuating reputations. If the IP sending your email has a poor reputation, even passing DKIM can be impacted as ISPs might be more stringent.

March 2023 - Litmus
Marketer view

Email marketer from SendGrid answers that using an insufficient DKIM key size (e.g., less than 1024 bits) can cause DKIM failures, especially with stricter ISPs. SFMC's DKIM setup should use an adequate key length.

November 2024 - SendGrid
Marketer view

Email marketer from Postmark answers that publishing a DMARC record to request reports on authentication results from receivers is a very important step to take, as it will provide insights into potential DKIM failures.

April 2022 - Postmark

What the experts say
5 expert opinions

SFMC emails failing DKIM and DMARC can arise from issues with domain alignment, weak DKIM keys, misconfigured DNS records, and improper DMARC deployment. Domain alignment is crucial; failing to align SPF can render DMARC 'reject' policies problematic. Additionally, DKIM is a key element for email deliverability. Weak keys or incorrect DNS setups will result in DKIM validation failures and ultimately DMARC rejections. Managing this is also partly the ESP's responsibility, since senders pay the ESP to handle it.

Key opinions

  • Domain Alignment Issues: Lack of SPF alignment with the sending domain can lead to DMARC failures.
  • DMARC Policy: Using DMARC at 'reject' without proper domain alignment is not advisable.
  • Weak DKIM Keys: Using weak DKIM keys can cause validation issues; minimum of 1024 bits recommended.
  • DKIM Importance: DKIM is critical for email deliverability, preventing emails from landing in spam and causing DMARC rejections.
  • DNS Misconfiguration: Misconfigured domain DNS records can lead to DKIM validation failures.

Key considerations

  • SPF Alignment: Ensure proper SPF alignment with sending domains before implementing strict DMARC policies.
  • DKIM Key Strength: Use strong DKIM keys (at least 1024 bits, preferably 2048) to prevent validation issues.
  • DNS Configuration: Verify and correct any misconfigurations in domain DNS records related to DKIM.
  • DMARC Policy: Carefully consider DMARC policy ('none', 'quarantine', 'reject') based on current authentication setup.
Expert view

Expert from Spam Resource answers that DKIM is an important factor for email deliverability. Without it, emails are more likely to land in the spam folder, and can result in DMARC rejections.

April 2023 - Spam Resource
Expert view

Expert from Spam Resource answers that weak DKIM keys are a cause of DKIM validation issues. Use a minimum of 1024 bits, with 2048 bits recommended.

November 2022 - Spam Resource
Expert view

Expert from Word to the Wise answers that one of the causes of DKIM validation failures is misconfigured domain DNS records. If the DNS records are not correctly configured, it leads to DMARC rejections.

August 2022 - Word to the Wise
Expert view

Expert from Email Geeks responds that you probably shouldn’t be at reject if you can’t send with domain alignment, and if DKIM were aligned it would probably be fine.

August 2023 - Email Geeks
Expert view

Expert from Email Geeks explains that you really shouldn’t be using DMARC at anything beyond p=none if you don’t have enough control over your mailstreams to have aligned SPF in place. It is also an ESP issue in that you’re paying them to manage this.

October 2023 - Email Geeks

What the documentation says
4 technical articles

SFMC emails failing DKIM and causing DMARC rejections can be attributed to domain alignment issues, incorrect DNS records, and email formatting problems. Specifically, the signing domain in the DKIM signature must match the domain in the 'From' address. DMARC failures occur when neither SPF nor DKIM align with the 'From' domain. DNS records for DKIM must be accurate, and even email formatting violations can impact authentication.

Key findings

  • Domain Alignment: DKIM failures can occur if the signing domain doesn't match the 'From' address domain.
  • DMARC Alignment: DMARC failures arise when neither SPF nor DKIM authentication align with the domain in the 'From' address.
  • Incorrect DNS: Incorrect DNS records for DKIM are a common cause of failure.
  • Email Formatting: Email formatting issues, like RFC 822 violations, can cause DKIM failures.

Key considerations

  • Verify Domain Alignment: Ensure the signing domain in the DKIM signature matches the domain in the 'From' address.
  • Check SPF and DKIM Alignment: Confirm that both SPF and DKIM authentication align with the domain in the 'From' address for DMARC compliance.
  • Validate DNS Records: Ensure DKIM DNS records are accurate and match the ESP's specifications.
  • Email Formatting Compliance: Adhere to email formatting standards like RFC 822 to avoid authentication issues.
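
The alignment rule above and the DMARC monitoring advice earlier on the page, as an added example (not code from Salesforce or any source quoted here): a Python script that reads a DMARC aggregate report and groups DMARC-failing mail by source IP and cause, which is how intermittent unsigned or unaligned sends from a pool IP show up. The report contents, IPs, domains and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample, trimmed to the fields used, in the RFC 7489 aggregate-report
# layout. IPs and domains are documentation placeholders, not real SFMC values.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>news.example.com</domain><p>reject</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>980</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>news.example.com</domain><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>192.0.2.77</source_ip><count>12</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.10</source_ip><count>8</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>esp.example</domain><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>192.0.2.10</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>news.example.com</domain><result>fail</result></dkim></auth_results></record>
</feedback>"""

def classify(record):
    """Label one <record> by why it passed or failed DMARC."""
    evaluated = record.find("row/policy_evaluated")
    # policy_evaluated holds the *aligned* results; either one passing is enough.
    if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
        return "dmarc-pass"
    signatures = record.findall("auth_results/dkim")
    if not signatures:
        return "no-dkim-signature"    # mail left this IP unsigned
    if any(s.findtext("result") == "pass" for s in signatures):
        return "dkim-pass-unaligned"  # valid signature, but d= is not the From domain
    return "dkim-invalid"             # signed, but verification failed (key/DNS/body)

def failures_by_ip(report_xml):
    """Map source IP -> {reason: message count} for records that fail DMARC."""
    # Reports arrive from third parties; use a hardened parser (e.g. defusedxml) in production.
    summary = defaultdict(lambda: defaultdict(int))
    for record in ET.fromstring(report_xml).iter("record"):
        reason = classify(record)
        if reason != "dmarc-pass":
            ip = record.findtext("row/source_ip")
            summary[ip][reason] += int(record.findtext("row/count"))
    return {ip: dict(reasons) for ip, reasons in summary.items()}

if __name__ == "__main__":
    for ip, reasons in failures_by_ip(SAMPLE_REPORT).items():
        print(ip, reasons)
```
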
Technical article

Documentation from DMARC.org details that DMARC failures arise when neither SPF nor DKIM authentication align with the domain in the 'From' address. Even if one passes, it must align. Alignment issues cause rejections.

February 2022 - DMARC.org
Technical article

Documentation from RFC 822 responds that certain email formatting issues, such as violations of RFC 822 standards (e.g., malformed headers), can cause issues with email authentication, including DKIM failures.

August 2023 - RFC 822
Technical article

Documentation from Mailjet responds that incorrect DNS records for DKIM are a common cause of failure. The DNS record must exactly match what the ESP (SFMC) provides, and DNS propagation delays can temporarily cause issues.

January 2022 - Mailjet
Technical article

Documentation from Salesforce explains that DKIM failures can occur if the signing domain in the DKIM signature doesn't match the domain in the 'From' address. Proper domain alignment is necessary for DKIM to pass DMARC checks.

April 2024 - Salesforce Documentation