Why does DKIM authentication sometimes fail with certain ISPs or receivers like Barracuda and Proofpoint?

Summary

DKIM authentication failures can stem from various factors. Security solutions like Barracuda and Proofpoint, often deployed in front of destination domains, may alter email content, impacting DKIM validity. Email forwarding, especially through mailing lists, modifies headers/body, thus invalidating the DKIM signature. Filters should verify DKIM before modifying the email body. Interoperability problems can arise from senders' practices violating protocol standards. Incorrect DNS configurations, character encoding issues, and problems with the DKIM key itself are other potential causes. ARC (Authenticated Received Chain) helps preserve authentication across hops if filters trust the results. DMARC policies are strict with DKIM and SPF alignment. The root cause of these problems needs to be understood to ensure the best deliverability.

Key findings

  • Security Solutions Interference: Barracuda, Proofpoint, and similar solutions modify email content, invalidating DKIM signatures.
  • Forwarding Issues: Email forwarding modifies headers and bodies, breaking DKIM.
  • Verification Timing: Filters should verify DKIM before altering the message.
  • Interoperability Concerns: Protocol violations can lead to DKIM failures.
  • Configuration Problems: Inaccurate DNS configuration can cause DKIM to fail.
  • DMARC Policies: DMARC's stricter adherence leads to messages being marked as spam more readily.
  • ARC Solution: ARC is a potential solution if filters trust it.

Key considerations

  • Whitelist IPs: To preserve alignment, it may be required to whitelist IPs.
  • Correct Protocols: Ensure there are no protocol violations.
  • Check DNS Settings: Ensure DNS settings are correct for DKIM configuration.
  • Adopt ARC: Adopt ARC where possible to preserve signature.
  • DMARC Policy: Understand the relationship between DKIM and DMARC to avoid failures.

What email marketers say
11 Marketer opinions

DKIM authentication failures can occur for several reasons, particularly when dealing with certain ISPs and receivers like Barracuda and Proofpoint. These failures often stem from modifications made to email content during transit by intermediaries, such as security gateways that alter URLs or add disclaimers. Incorrect DNS configuration, character encoding issues, and problems with the DKIM key itself also contribute. Forwarding emails, especially through mailing lists, can invalidate DKIM signatures due to header or body modifications. While a passing SPF record may sometimes mitigate the impact, it is crucial to ensure both SPF and DKIM pass for optimal deliverability, especially with stricter DMARC policies. Solutions like ARC (Authenticated Received Chain) and whitelisting sender IPs can help address these issues.

Key opinions

  • Content Modification: Email security gateways like Proofpoint and Barracuda often modify email content (URLs, disclaimers), invalidating the DKIM signature.
  • Indirect Mail Flows: Forwarding through mailing lists modifies headers/body, breaking DKIM signatures.
  • DNS Issues: Incorrect DNS configuration is a common cause of DKIM failures.
  • Character Encoding: Character encoding problems during transmission can change the message hash, leading to DKIM failures.
  • DMARC Impact: Gmail and other major ISPs are stricter with DMARC policies; DKIM failures coupled with SPF misalignment increase the likelihood of spam or blocking.

Key considerations

  • Monitor DKIM Reports: Regularly monitor DKIM reports to identify and resolve issues.
  • Whitelist IPs: Whitelist sender IPs in security gateways like Proofpoint and Barracuda.
  • Implement ARC: Implement ARC (Authenticated Received Chain) to preserve authentication results across multiple hops.
  • Check DNS Records: Ensure DNS records are correctly configured for DKIM.
  • Ensure SPF and DKIM Pass: Aim for both SPF and DKIM to pass for optimal deliverability, especially with strict DMARC policies.

Marketer view

Email marketer from an Email Marketing Forum explains that sometimes DKIM failures are seen as less important if SPF is passing. However, for maximum deliverability, both SPF and DKIM should pass. They suggest checking DNS records for errors.

June 2024 - Email Marketing Forum

Marketer view

Email marketer from Mailhardener shares that ARC (Authenticated Received Chain) is designed to address DKIM failures in forwarding scenarios by preserving authentication results across multiple hops. ARC allows receiving servers to trust the original authentication status even if the DKIM signature is broken by an intermediary.

November 2024 - Mailhardener

Marketer view

Marketer from Email Geeks explains that Mimecast can "explode" messages, which can break DKIM authentication.

February 2022 - Email Geeks

Marketer view

Email marketer from StackOverflow responds that DKIM failures can happen if there are character encoding problems. If the message changes from UTF-8 to something else during transmission, it will change the hash and the signature will fail.

June 2023 - StackOverflow

Marketer view

Email marketer from Reddit's r/emailmarketing forum shares that email security gateways like Proofpoint and Barracuda often modify email content (e.g., adding disclaimers or rewriting URLs) which then invalidates the DKIM signature. The user recommends whitelisting sender IPs if possible.

February 2022 - Reddit

Marketer view

Marketer from Email Geeks explains that part of the setup process involves whitelisting the Proofpoint IPs to prevent DKIM alignment issues.

November 2023 - Email Geeks

Marketer view

Marketer from Email Geeks shares that TAP (Targeted Attack Protection from Proofpoint) can cause DKIM failures when passing through a spam filter.

January 2022 - Email Geeks

Marketer view

Email marketer from Quora answers that Gmail and other major ISPs are now much stricter with DMARC policies. If DKIM fails and SPF isn't properly aligned, messages are much more likely to go to spam or be blocked, especially if the sending domain has a strict DMARC policy.

March 2023 - Quora

Marketer view

Email marketer from EasyDMARC responds that common reasons for DKIM failures include incorrect DNS configuration, modifications to the message content during transit, and issues with the DKIM key itself. They emphasize the importance of regularly monitoring DKIM reports to identify and resolve these issues.

July 2024 - EasyDMARC

Marketer view

Email marketer from Valimail explains that DKIM failures often occur in indirect mail flows (e.g., forwarding lists) due to modifications made by intermediaries. This breaks the DKIM signature and can lead to deliverability issues.

February 2023 - Valimail

Marketer view

Marketer from Email Geeks explains that Barracuda and Proofpoint are usually deployed as a layer in front of the destination domain and can alter content, potentially affecting DKIM authentication.

July 2022 - Email Geeks

What the experts say
5 Expert opinions

DKIM authentication failures can arise for various reasons, often pointing to underlying deliverability issues. A core principle is that filters should ideally verify DKIM signatures before modifying email bodies. Consistent failures with specific MTAs may signal interoperability problems, where certain sender practices, while acceptable to some, technically violate protocol standards. Email forwarding, particularly via mailing lists, commonly alters headers or bodies, thus invalidating DKIM signatures. Addressing these issues often involves understanding the root cause and working with ESP support. ARC (Authenticated Received Chain) is frequently proposed as a solution to preserve authentication results across multiple email hops, provided that filters reliably trust ARC results.

Key opinions

  • Verification Timing: Sensible filters should verify DKIM signatures before modifying the email body.
  • Interoperability Issues: Consistent DKIM failures at specific MTAs may point to interoperability problems or protocol violations.
  • Forwarding Impact: Email forwarding modifies headers/body, invalidating DKIM signatures.
  • ARC Solution: ARC can help preserve authentication results during forwarding, assuming filters trust the results.
  • Deliverability Symptom: Authentication failures are often symptoms of larger deliverability problems.

Key considerations

  • Investigate Cause: Understand the root cause of DKIM failures and determine if the underlying issue can be resolved.
  • Seek ESP Support: Engage with your ESP's support team to troubleshoot DKIM-related problems.
  • Trust ARC Results: Ensure that email filters reliably trust ARC results for forwarded messages.
  • Address Protocol Violations: Review sending practices to identify and correct any technical protocol violations.

Expert view

Expert from Email Geeks states that any sensible filter should be doing DKIM verification _before_ they modify the body.

October 2023 - Email Geeks

Expert view

Expert from Email Geeks suggests ARC might be a useful solution to DKIM authentication issues, especially if filters trust the ARC results.

September 2024 - Email Geeks

Expert view

Expert from Email Geeks suggests that consistent DKIM failures at particular MTAs may indicate an interoperability problem, where the sender might be using practices that some MTAs accept but technically violate protocol.

July 2021 - Email Geeks

Expert view

Expert from Spam Resource responds that DKIM can fail when emails are forwarded, especially through mailing lists, because the forwarding process often modifies the message headers or body, thus invalidating the original DKIM signature. ARC can help solve this.

August 2024 - Spam Resource

Expert view

Expert from Word to the Wise explains that authentication failures, including DKIM, are often a symptom of deliverability problems. Understanding the cause, and whether the cause can be changed, is important. Often an ESP support team may be able to help solve DKIM-related problems.

March 2024 - Word to the Wise

What the documentation says
3 Technical articles

DKIM authentication failures can occur due to email forwarding, as the modification of message headers or the body by the forwarder invalidates the DKIM signature. ARC (Authenticated Received Chain) is crucial for preserving authentication results across multiple hops. DKIM failures can also lead to DMARC failures if the message doesn't align with SPF or other authentication mechanisms, potentially resulting in email rejection or being marked as spam. Changes made in transit, such as adding disclaimers or converting character encodings, also invalidate the DKIM signature, as outlined in the DKIM standard (RFC6376).

Key findings

  • Forwarding Issues: Email forwarding modifies message headers or body, invalidating the DKIM signature.
  • DMARC Dependency: DKIM failures can lead to DMARC failures if SPF alignment is missing, potentially resulting in email rejection.
  • Transit Modifications: Changes made in transit, such as adding disclaimers or converting character encodings, invalidate the DKIM signature.
  • ARC Importance: ARC is important for preserving authentication results across multiple hops, addressing forwarding issues.

Key considerations

  • Implement ARC: Implement ARC to ensure authentication validity across forwarding scenarios.
  • Ensure SPF Alignment: Ensure proper SPF alignment to mitigate the impact of DKIM failures on DMARC.
  • Minimize Transit Changes: Minimize changes made in transit to preserve DKIM signature validity.
  • Understand DMARC Policy: Understand how your DMARC policy will handle DKIM failures, especially with strict settings.

Technical article

Documentation from Microsoft Learn explains that DKIM failures can occur due to email forwarding, where the forwarder modifies the message headers or body, invalidating the DKIM signature. It highlights the importance of ARC (Authenticated Received Chain) to preserve authentication results across multiple hops.

August 2021 - Microsoft Learn

Technical article

Documentation from RFC Editor (RFC6376, the DKIM standard) explains that DKIM signatures can fail verification if the message body or headers are modified in transit. Changes made by intermediaries, such as adding disclaimers or converting character encodings, will invalidate the signature.

February 2025 - RFC Editor
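The body-hash mechanics behind the transit changes described above, as an added example (not code from this page or from any vendor it names): it applies the RFC 6376 "simple" and "relaxed" body canonicalizations and compares the resulting bh= value before and after each change. The message body, gateway hostname and disclaimer text are constructed; only the body hash is modelled, not the header signature or the l= tag.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space and drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":       # empty lines at the end are ignored
        lines.pop()
    if not lines:                           # empty body: simple hashes a lone CRLF
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """SHA-256 body hash, base64-encoded as it appears in the bh= tag."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

# Constructed sample body as signed by the sender (UTF-8).
TEXT = "Hello Zo\u00eb,\r\n\r\nReset link: https://example.com/reset?t=abc\r\n"
ORIGINAL = TEXT.encode("utf-8")

# Constructed in-transit changes of the kinds the page lists.
IN_TRANSIT = {
    "whitespace only": ("Hello Zo\u00eb,  \r\n\r\nReset link:\t "
                        "https://example.com/reset?t=abc \r\n\r\n\r\n").encode("utf-8"),
    "disclaimer appended": ORIGINAL + b"--\r\nScanned by the mail gateway.\r\n",
    "URL rewritten": ORIGINAL.replace(
        b"https://example.com/", b"https://gw.example.net/u?https://example.com/"),
    "charset converted": TEXT.encode("iso-8859-1"),
}

def survives(modified: bytes, mode: str) -> bool:
    """True if the modified body still matches the bh= the sender computed."""
    return body_hash(modified, mode) == body_hash(ORIGINAL, mode)

def report() -> dict:
    return {name: {m: survives(body, m) for m in ("simple", "relaxed")}
            for name, body in IN_TRANSIT.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:22} simple={result['simple']!s:5} relaxed={result['relaxed']}")
```

Only the whitespace-only change survives, and only under relaxed canonicalization; an appended disclaimer, a rewritten URL or a charset conversion changes the hash under both.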
Technical article

Documentation from DMARC.org clarifies that DKIM failures can lead to DMARC failures if the message doesn't align with SPF or other authentication mechanisms. DMARC relies on DKIM and SPF to verify the sender's identity, and a DKIM failure can cause the message to be rejected or marked as spam depending on the DMARC policy.

February 2025 - DMARC.org
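How a DKIM failure turns into a DMARC failure only when SPF does not pass in alignment, as an added example (not code from DMARC.org or any source cited on this page). All domains and scenarios are constructed, and the organizational domain is approximated as the last two labels; real evaluators use the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

def org_domain(domain: str) -> str:
    # Assumption for this example: organizational domain = last two labels.
    # Real DMARC evaluators derive it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class AuthResults:
    header_from: str   # domain in the visible From: header
    spf: str           # SPF result for the envelope sender
    mail_from: str     # envelope sender (Return-Path) domain
    dkim: str          # DKIM verification result
    dkim_d: str        # d= domain of that signature

def evaluate(r: AuthResults, policy: str = "reject",
             aspf: str = "r", adkim: str = "r") -> Tuple[str, Optional[str]]:
    """Return (dmarc_result, disposition); disposition is None when DMARC passes."""
    spf_ok = r.spf == "pass" and aligned(r.mail_from, r.header_from, aspf)
    dkim_ok = r.dkim == "pass" and aligned(r.dkim_d, r.header_from, adkim)
    return ("pass", None) if (spf_ok or dkim_ok) else ("fail", policy)

# Constructed scenarios matching the mail flows discussed on this page.
SCENARIOS = {
    "direct delivery": AuthResults(
        "example.com", "pass", "bounce.example.com", "pass", "example.com"),
    "gateway rewrote body, aligned SPF": AuthResults(
        "example.com", "pass", "bounce.example.com", "fail", "example.com"),
    "gateway rewrote body, ESP return-path": AuthResults(
        "example.com", "pass", "bounces.esp.example.net", "fail", "example.com"),
    "mailing list added footer": AuthResults(
        "example.com", "pass", "lists.example.org", "fail", "example.com"),
    "plain forward, body untouched": AuthResults(
        "example.com", "fail", "bounce.example.com", "pass", "example.com"),
}

if __name__ == "__main__":
    for name, results in SCENARIOS.items():
        print(f"{name:40} {evaluate(results)}")
```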