Why does Aboutmy.email show no DKIM signature but other tools validate DKIM? How do SPF alignment and DMARC work?

Summary

Aboutmy.email shows no DKIM signature because it checks the actual email header, while other tools may only check DNS records for a DKIM record. If there's no DKIM-Signature header, the email system isn't signing messages, even if the public key is published. DKIM adds digital signatures for verification, and if keys don't match, DKIM fails. SPF helps prevent spoofing by verifying the sending IP against authorized IPs. SPF alignment refers to the 'Mail From' matching the 'From' header, impacting DMARC, which builds upon SPF and DKIM, allowing domain owners to set policies (none, quarantine, reject) for unauthenticated emails. DMARC has strict (exact match) and relaxed (organizational domain) alignment modes. Organizational domains align subdomains to the root for relaxed SPF. Incorrect SPF configuration can mark legitimate emails as spam. DKIM verification failure occurs if content is modified, the signature is malformed, or the DNS record is incorrect. DMARC failure leads to rejection, quarantining, or delivery based on the DMARC policy.

Key findings

  • DKIM Verification: Aboutmy.email verifies DKIM by checking email headers; other tools may only check DNS records.
  • DKIM Signing: The DKIM-Signature header must be present for DKIM to pass; publishing the public key is not sufficient.
  • SPF Purpose: SPF prevents spoofing by authorizing sending IPs.
  • DMARC Policy: DMARC builds upon SPF and DKIM to establish policies for handling unauthenticated emails.
  • DMARC Alignment: DMARC alignment modes include strict (exact domain match) and relaxed (organizational domain).
  • Organizational Domains: Organizational domains are used in relaxed SPF alignment.
  • SPF Configuration: Incorrect SPF configuration can result in legitimate emails being marked as spam.
  • DKIM Failure Causes: DKIM can fail due to content modification, a malformed signature, or an incorrect DNS record.

Key considerations

  • Email authentication testing: Use an email authentication testing tool that analyses email headers to confirm DKIM validity.
  • Ensure DKIM Singing: Ensure your ESP or mail system is signing your emails with DKIM.
  • SPF configuration: Carefully configure SPF to authorize sending IPs.
  • DMARC policy: Establish a DMARC policy to handle unauthenticated emails.
  • DMARC alignment mode: Consider the impact of strict versus relaxed alignment modes.
  • Organizational domain for DMARC: Consider organizational domain when configuring DMARC
  • DKIM trouble shooting: If DKIM is failing check for record and signature errors.

What email marketers say
9Marketer opinions

Aboutmy.email may show no DKIM signature when other tools validate it because it checks the actual email header, while some tools only check the DNS record. DKIM relies on matching cryptographic keys, and SPF involves properly configuring DNS records. DMARC builds upon SPF and DKIM by allowing domain owners to set policies for handling authentication failures, including options to monitor, quarantine, or reject emails. DMARC alignment modes (strict and relaxed) affect how closely the 'From' domain must match the SPF or DKIM domains. DKIM failures can occur due to content modification, malformed signatures, or incorrect DNS records. Incorrect SPF configuration can lead to legitimate emails being marked as spam.

Key opinions

  • DKIM Validation: Aboutmy.email validates DKIM by checking the email header, offering more precise results than tools that only review DNS records.
  • DMARC Policy: DMARC policies dictate actions for emails failing SPF and DKIM, ranging from monitoring to quarantining or rejecting messages.
  • SPF Configuration: Correct SPF configuration ensures that authorized IP addresses are listed in DNS records to prevent emails from being marked as spam.
  • Alignment Modes: DMARC uses strict and relaxed alignment modes for SPF and DKIM, affecting how closely domains must match.
  • DKIM Failure Causes: DKIM failures can result from email content changes, malformed signatures, or DNS record issues.

Key considerations

  • Authentication Method: Use a tool that analyzes email headers to check for the DKIM signature like Aboutmy.email.
  • DMARC Implementation: Implement a DMARC policy to handle emails that fail authentication based on your organizations needs.
  • SPF Setup: Ensure that authorized IP addresses are listed in the correct DNS records.
  • DMARC Alignment: Understand the implications of strict and relaxed DMARC alignment on your email deliverability.
  • DKIM Troubleshooting: Monitor your emails to check for problems like content alteration or incorrect DNS settings.
Marketer view

Email marketer from AuthSMTP shares that properly configuring SPF involves creating a DNS TXT record that lists all authorized IP addresses that can send email on behalf of your domain. Incorrectly configured SPF can cause legitimate emails to be marked as spam.

December 2023 - AuthSMTP
Marketer view

Email marketer from StackOverflow explains that a DKIM verification failure could occur if the email content is modified after signing, if the DKIM signature is malformed, or if the DNS record containing the public key is incorrect or unavailable. Aboutmy.email might be more sensitive to these issues.

March 2024 - StackOverflow
Marketer view

Email marketer from SendGrid explains that DMARC allows domain owners to specify a policy that tells receiving mail servers what to do with messages that fail SPF and DKIM checks. The policy can be set to 'none' (monitor), 'quarantine' (mark as spam), or 'reject' (block delivery).

July 2024 - SendGrid
Marketer view

Email marketer from Postmark shares that DMARC uses two alignment modes for SPF and DKIM: strict and relaxed. Strict alignment requires an exact match between the domain in the 'From' header and the domain used for SPF or DKIM. Relaxed alignment allows for subdomain matching.

October 2023 - Postmark
Marketer view

Email marketer from Mailjet shares that some DKIM validation tools might be looking at the DNS record but not the actual email header. Aboutmy.email checks the actual email header for the DKIM signature, providing a more accurate assessment of whether the email was properly signed during sending.

May 2021 - Mailjet
Marketer view

Email marketer from EasyDMARC explains that if SPF and DKIM both fail to align with the 'From' domain, DMARC will likely fail, causing the email to be rejected, quarantined, or delivered to the inbox depending on the DMARC policy set by the domain owner.

November 2024 - EasyDMARC
Marketer view

Email marketer from SparkPost shares that DKIM relies on cryptographic keys to verify the authenticity of an email. The sending server uses a private key to sign the email, and the receiving server uses the corresponding public key (published in the domain's DNS record) to verify the signature. If keys don't match, DKIM fails.

October 2022 - SparkPost
Marketer view

Email marketer from Reddit shares that DMARC builds upon SPF and DKIM to provide a policy for handling emails that fail authentication. It allows domain owners to specify what receiving mail servers should do with unauthenticated mail (reject, quarantine, or none).

August 2021 - Reddit
Marketer view

Email marketer from Email Hippo says that different tools might validate email authentication differently. Some tools might only check for the presence of a DKIM record in DNS, while others, like Aboutmy.email, analyze the actual email headers to confirm the DKIM signature is present and valid.

November 2022 - Email Hippo

What the experts say
4Expert opinions

Aboutmy.email checks the actual email header for a DKIM signature, while other tools might only check for the presence of a DKIM record in DNS. If the DKIM-Signature header is missing, the mail system isn't signing emails even if the DKIM public key is published. SPF doesn't have alignment concepts. DMARC defines strict (exact match) and relaxed (organizational domain) alignment. Organizational domains align subdomains with the root domain for relaxed SPF alignment, affecting DMARC evaluation.

Key opinions

  • DKIM Verification Method: Aboutmy.email verifies DKIM by examining the email header, while other tools may rely solely on DNS records.
  • DKIM Signing Requirement: A missing DKIM-Signature header indicates the email system is not signing emails, irrespective of public key publication.
  • DMARC Alignment Types: DMARC defines alignment between hostnames in two forms: strict (exact match) and relaxed (organizational domain).
  • Organizational Domains: Relaxed SPF alignment uses organizational domains, aligning subdomains with the root domain.

Key considerations

  • Ensure DKIM Signing: Verify the email system is configured to sign emails, beyond just publishing the DKIM public key.
  • Understand Alignment: Grasp the difference between strict and relaxed DMARC alignment to make informed policy decisions.
  • Organizational Domain Implications: Consider the impact of organizational domains on DMARC evaluation when using relaxed alignment policies.
  • Email Authentication Method: Choose an email authentication tool that analyse the email headers to confirm the DKIM is signed and valid.
Expert view

Expert from Email Geeks explains that the two hostnames share the same organizational domain. Therefore, they are aligned.

July 2024 - Email Geeks
Expert view

Expert from Email Geeks explains that if there is no DKIM-Signature header, then the mail system has not been set up to sign the mail, even if the DKIM public key is published correctly. He suggests contacting the ESP to enable signing. Most DKIM tools only check what you tell them, whereas aboutmy.email checks the actual mail being sent.

October 2021 - Email Geeks
Expert view

Expert from Word to the Wise explains that organizational domains are used in relaxed SPF alignment, meaning subdomains are considered aligned with the root domain. This impacts DMARC evaluation when using relaxed alignment policies. This is detailed in the post about organizational domains, not specifically in a Q&A format.

March 2025 - Word to the Wise
Expert view

Expert from Email Geeks explains that SPF itself has no concept of alignment, but DMARC defines two types of alignment between hostnames: strict (exact match required) and relaxed (sharing an organizational domain).

July 2023 - Email Geeks

What the documentation says
4Technical articles

Aboutmy.email showing no DKIM signature implies the email wasn't signed at sending. DKIM adds a digital signature to emails, verifying their authenticity and integrity. SPF alignment ensures the 'Mail From' domain matches the 'From' header domain, which DMARC uses for legitimacy assessment. SPF prevents spoofing by validating sending IP addresses against authorized lists, while DKIM verifies message authenticity via digital signatures.

Key findings

  • DKIM Signature Absence: Absence of a DKIM signature in Aboutmy.email indicates the email wasn't signed during transmission.
  • DKIM Functionality: DKIM provides a digital signature to verify the authenticity and integrity of email messages.
  • SPF Alignment Importance: SPF alignment, where the 'Mail From' and 'From' domains match, is a key factor in DMARC's legitimacy checks.
  • SPF Anti-Spoofing: SPF prevents email spoofing by validating sending IP addresses against a list of authorized IP addresses published in the domain's DNS record

Key considerations

  • Ensure DKIM Signing: Ensure that emails are properly signed with DKIM before sending to ensure authentication.
  • Verify SPF Alignment: Confirm that SPF alignment is correctly configured to enhance email legitimacy.
  • IP Address Authorization: Ensure only authorized IP addresses are sending emails.
  • DKIM Record Validation: Regularly validate DKIM records.
Technical article

Documentation from Microsoft explains that SPF prevents spoofing by verifying the sending IP address against a list of authorized IP addresses published in the domain's DNS record. DKIM adds a digital signature to the email header, allowing recipient servers to verify the message's authenticity.

October 2021 - Microsoft
Technical article

Documentation from DMARC.org explains that SPF alignment refers to whether the domain used in the 'Mail From' or 'Return-Path' address (the envelope sender) matches the domain in the 'From' header (the visible sender). DMARC uses SPF alignment as one factor in determining whether an email is legitimate.

August 2023 - DMARC.org
Technical article

Documentation from RFC Editor specifies that DKIM permits a signing domain to associate its identity with a message by means of a digital signature. Recipient systems can verify this signature to confirm that a message has not been modified during transit and that it truly originated from the claimed sender.

December 2023 - RFC Editor
Technical article

Documentation from Google explains that DKIM adds a digital signature to outgoing email messages. Receiving servers use this signature to verify that messages are genuine and haven't been altered during transit. If Aboutmy.email shows no DKIM signature, it means the email wasn't signed when it was sent.

September 2024 - Google