Why does Aboutmy.email show no DKIM signature but other tools validate DKIM? How do SPF alignment and DMARC work?
Summary
What email marketers say (9 marketer opinions)
Email marketer from AuthSMTP shares that properly configuring SPF involves creating a DNS TXT record that lists all authorized IP addresses that can send email on behalf of your domain. Incorrectly configured SPF can cause legitimate emails to be marked as spam.
Email marketer from StackOverflow explains that a DKIM verification failure could occur if the email content is modified after signing, if the DKIM signature is malformed, or if the DNS record containing the public key is incorrect or unavailable. Aboutmy.email might be more sensitive to these issues.
Email marketer from SendGrid explains that DMARC allows domain owners to specify a policy that tells receiving mail servers what to do with messages that fail SPF and DKIM checks. The policy can be set to 'none' (monitor), 'quarantine' (mark as spam), or 'reject' (block delivery).
Email marketer from Postmark shares that DMARC uses two alignment modes for SPF and DKIM: strict and relaxed. Strict alignment requires an exact match between the domain in the 'From' header and the domain used for SPF or DKIM. Relaxed alignment allows for subdomain matching.
Email marketer from Mailjet shares that some DKIM validation tools might be looking at the DNS record but not the actual email header. Aboutmy.email checks the actual email header for the DKIM signature, providing a more accurate assessment of whether the email was properly signed during sending.
Email marketer from EasyDMARC explains that if SPF and DKIM both fail to align with the 'From' domain, DMARC will likely fail, causing the email to be rejected, quarantined, or delivered to the inbox depending on the DMARC policy set by the domain owner.
Email marketer from SparkPost shares that DKIM relies on cryptographic keys to verify the authenticity of an email. The sending server uses a private key to sign the email, and the receiving server uses the corresponding public key (published in the domain's DNS record) to verify the signature. If keys don't match, DKIM fails.
Email marketer from Reddit shares that DMARC builds upon SPF and DKIM to provide a policy for handling emails that fail authentication. It allows domain owners to specify what receiving mail servers should do with unauthenticated mail (reject, quarantine, or none).
Email marketer from Email Hippo says that different tools might validate email authentication differently. Some tools might only check for the presence of a DKIM record in DNS, while others, like Aboutmy.email, analyze the actual email headers to confirm the DKIM signature is present and valid.
What the experts say (4 expert opinions)
Expert from Email Geeks explains that the two hostnames share the same organizational domain. Therefore, they are aligned.
Expert from Email Geeks explains that if there is no DKIM-Signature header, then the mail system has not been set up to sign the mail, even if the DKIM public key is published correctly. He suggests contacting the ESP to enable signing. Most DKIM tools only check what you tell them, whereas aboutmy.email checks the actual mail being sent.
Expert from Word to the Wise explains that organizational domains are used in relaxed SPF alignment, meaning subdomains are considered aligned with the root domain. This impacts DMARC evaluation when using relaxed alignment policies. This is detailed in the post about organizational domains, not specifically in a Q&A format.
Expert from Email Geeks explains that SPF itself has no concept of alignment, but DMARC defines two types of alignment between hostnames: strict (exact match required) and relaxed (sharing an organizational domain).
What the documentation says (4 technical articles)
Documentation from Microsoft explains that SPF prevents spoofing by verifying the sending IP address against a list of authorized IP addresses published in the domain's DNS record. DKIM adds a digital signature to the email header, allowing recipient servers to verify the message's authenticity.
Documentation from DMARC.org explains that SPF alignment refers to whether the domain used in the 'Mail From' or 'Return-Path' address (the envelope sender) matches the domain in the 'From' header (the visible sender). DMARC uses SPF alignment as one factor in determining whether an email is legitimate.
Documentation from RFC Editor specifies that DKIM permits a signing domain to associate its identity with a message by means of a digital signature. Recipient systems can verify this signature to confirm that a message has not been modified during transit and that it truly originated from the claimed sender.
Documentation from Google explains that DKIM adds a digital signature to outgoing email messages. Receiving servers use this signature to verify that messages are genuine and haven't been altered during transit. If Aboutmy.email shows no DKIM signature, it means the email wasn't signed when it was sent.
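Added example (not from the original page or any quoted source): a Python sketch of the two checks discussed above, namely whether the message actually carries a DKIM-Signature header, and whether the DKIM d= domain and the Return-Path domain align with the From domain under strict or relaxed mode. The sample message is constructed, and org_domain() is a simplification that assumes the organizational domain is the last two labels; real evaluators use the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From is example.com; the Return-Path and the DKIM d= tag
# use subdomains of it. The bh=/b= values are placeholders, nothing is verified.
SIGNED = """\
Return-Path: <bounce@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=news.example.com; s=sel1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Sender <hello@example.com>
Subject: test

body
"""
# Same message as it looks when the sending system never signed it.
UNSIGNED = SIGNED.replace("DKIM-Signature", "X-Removed")

def org_domain(host):
    # Assumption: last two labels. Wrong for suffixes such as co.uk.
    return ".".join(host.lower().split(".")[-2:])

def aligned(domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)

def dkim_domains(headers):
    # Pull the d= tag out of each (possibly folded) DKIM-Signature value.
    found = []
    for value in headers:
        tags = dict(t.strip().partition("=")[::2] for t in value.split(";") if "=" in t)
        if "d" in tags:
            found.append(tags["d"].strip().lower())
    return found

def report(raw, mode="r"):
    # Alignment only: a real DMARC pass also needs SPF or DKIM itself to pass.
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    headers = msg.get_all("DKIM-Signature") or []
    return {
        "dkim_signature_present": bool(headers),
        "dkim_aligned": any(aligned(d, from_dom, mode) for d in dkim_domains(headers)),
        "spf_aligned": bool(rp_dom) and aligned(rp_dom, from_dom, mode),
    }
```

A published DKIM key in DNS changes nothing in the UNSIGNED case: the header is absent from the message, so there is nothing for a receiver to verify.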