Common DNS DKIM SPF DMARC Errors

Managing your DNS, DKIM, SPF, and DMARC records can be a daunting task, especially when you are hunting for a configuration error that affects the flow of email for your domain. Today I am going to walk through each of these settings and look at some common errors that are very easy to overlook.


Common DKIM Errors

DKIM uses a private/public key pair to authenticate mail sent for a domain: the sending server signs each outgoing message with the private key, and receivers verify the signature against the public key published as a TXT record at <selector>._domainkey.<domain>. The key pair is generally generated by the service that sends mail for your domain, such as Google, Microsoft, SendGrid or Mailjet. To publish the DNS record, domain owners copy and paste the key into their DNS provider's configuration window, and in that process they often introduce whitespace, line breaks or quote characters that corrupt the public key, which in turn breaks signature verification.

Even if you run a number of online DKIM tests, the results may or may not show the error, so do not rely on a single tool. You may even have to regenerate and re-publish your DKIM keys to get them working properly.

A good rule of thumb is to paste the key into a plain-text editor first, such as Notepad, Notepad++ or gedit on Linux. Copying and pasting from one email to another, or through a word-processor document, is a big mistake: these often carry formatting such as smart quotes, escape characters, non-breaking spaces and hard returns that will corrupt your DKIM key.

Sample DKIM Key

"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSma0axspqYK5iAj+54lsAg4qRRCnpKK68hawSd8zpsDz77ntGCR0X2mHVvkf0WEOIqaspaG/A5IGxieiWer+wBX8lW2tE4NHTE0PLhHqL0uD2sif2pKoPR3Wr6n/rbiihGYCIzvuY4/U5GigNUGls/QUbCPRyzho30wIDAQAB"

The backslash before each semicolon is how dig and some zone-file editors display a semicolon inside a TXT string; the record served over DNS contains plain semicolons. Some DNS consoles expect the escaped form and some the plain form, so after publishing, query the record and confirm that each tag appears exactly once with its semicolon intact.

Other Common DKIM Errors

  • The DKIM signing domain (the d= tag in the DKIM-Signature header) does not align with the From: domain, so the signature passes DKIM but does not satisfy DMARC;
  • The DKIM public key record is incorrect, published under the wrong selector name, or not published in DNS at all;
  • The sender's DNS zone is unreachable or too slow to answer, often because it is hosted on a single unicast server rather than an anycast network, which is common with cheap hosting providers;
  • The DKIM signing key is too short. At a minimum use 1024-bit keys: Google and other ESPs treat smaller keys as insecure and will not accept signatures made with them, and RFC 8301 recommends 2048 bits;
  • The message body or signed headers were modified in transit, typically by a mailing list or auto-forwarder adding a footer or rewriting the subject, so the signature no longer verifies.
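To see what a verifier actually sees, here is an added example (not part of the original post) that takes a pasted DKIM record, joins quoted strings, unescapes semicolons, strips stray whitespace from the key, decodes it and reads the RSA modulus size straight out of the DER structure, flagging keys under 1024 bits. The three input records are constructed from the sample key above; the checker goes a little beyond the list by also catching truncated keys and non-base64 characters.

```python
import base64
import binascii
import re

# The public key from the sample record above, in three pieces so the
# constructed test records can be built from it.
_KEY = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSma0axspqYK5iAj+54lsAg4qRRCnpKK68",
    "hawSd8zpsDz77ntGCR0X2mHVvkf0WEOIqaspaG/A5IGxieiWer+wBX8lW2tE4NHTE0PLhHqL0uD2sif2",
    "pKoPR3Wr6n/rbiihGYCIzvuY4/U5GigNUGls/QUbCPRyzho30wIDAQAB",
)
# Constructed inputs (not fetched from DNS): the record as it should be published,
# the same record after a careless paste from a zone-file export (quoted, escaped
# semicolons, a hard return and indentation inside the base64), and one that lost
# its tail in the paste.
CLEAN_DKIM = "v=DKIM1; k=rsa; p=" + "".join(_KEY)
PASTED_DKIM = '"v=DKIM1\\; k=rsa\\; p=' + "\n    ".join(_KEY) + '"'
TRUNCATED_DKIM = CLEAN_DKIM[:-12]

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id-rsaEncryption, DER encoded


def _der_read(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next position)."""
    if pos + 2 > len(buf):
        raise ValueError("DER element runs past end of data")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data (key truncated?)")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Size in bits of the modulus inside a DER SubjectPublicKeyInfo (what p= holds)."""
    tag, body, _ = _der_read(spki, 0)             # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, alg, pos = _der_read(body, 0)              # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _der_read(body, pos)           # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsakey, _ = _der_read(bits[1:], 0)         # bits[0] is the unused-bit count
    tag, modulus, _ = _der_read(rsakey, 0)        # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(raw):
    """Normalise a pasted DKIM key record and report what a verifier would see."""
    errors, warnings = [], []
    strings = re.findall(r'"((?:[^"\\]|\\.)*)"', raw, re.S)
    for s in strings:                             # zone-file form: one or more quoted strings
        if len(s) > 255:
            errors.append(f"a quoted string is {len(s)} chars; TXT strings hold at most 255")
    text = "".join(strings) if strings else raw
    text = text.replace("\\;", ";")               # dig and some editors show ';' escaped
    tags = {}
    for item in text.split(";"):
        if not item.strip():
            continue
        if "=" not in item:
            errors.append(f"malformed tag without '=': {item.strip()!r}")
            continue
        name, value = item.split("=", 1)
        name = name.strip()
        tags[name] = value if name == "p" else value.strip()
    result = {"tags": tags, "key_bits": None, "errors": errors, "warnings": warnings}
    if "v" in tags and tags["v"] != "DKIM1":
        errors.append(f"v= must be DKIM1, got {tags['v']!r}")
    if "p" not in tags:
        errors.append("no p= tag: no public key is published")
        return result
    if tags.get("k", "rsa").lower() != "rsa":     # ed25519 keys are raw bytes, not DER
        warnings.append(f"k={tags['k']}: only RSA keys are sized here")
        return result
    p = re.sub(r"\s+", "", tags["p"])
    if p != tags["p"]:
        warnings.append(f"{len(tags['p']) - len(p)} whitespace/newline characters inside p= "
                        "(verifiers ignore them, many DNS consoles do not)")
    if not p:
        warnings.append("p= is empty: this selector is revoked")
        return result
    stray = sorted(set(re.sub(r"[A-Za-z0-9+/=]", "", p)))
    if stray:
        errors.append(f"non-base64 characters in p= (smart quotes? zero-width spaces?): {stray}")
        return result
    try:
        result["key_bits"] = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (binascii.Error, ValueError) as exc:
        errors.append(f"p= does not decode to an RSA public key: {exc}")
        return result
    if result["key_bits"] < 1024:
        errors.append(f"{result['key_bits']}-bit key: verifiers reject RSA keys under 1024 bits (RFC 8301)")
    elif result["key_bits"] < 2048:
        warnings.append(f"{result['key_bits']}-bit key works, but RFC 8301 recommends 2048 bits")
    return result


if __name__ == "__main__":
    for label, rec in (("clean", CLEAN_DKIM), ("pasted", PASTED_DKIM), ("truncated", TRUNCATED_DKIM)):
        r = check_dkim_record(rec)
        print(label, r["key_bits"], r["errors"], r["warnings"])
```

For a 2048-bit key the p= value alone is about 392 characters, so the record has to be published as two quoted strings; the checker accepts that form. Running it over the output of dig TXT <selector>._domainkey.<domain> is the quickest way to compare what was pasted with what DNS actually serves.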

Common SPF Errors

Some common SPF errors are:

  • Upper-case characters in the record. Mechanism names are case-insensitive per RFC 7208, but some validators and DNS consoles are strict, so publish the whole record in lowercase
  • Stray spaces. A space after a colon ("ip4: 203.0.113.4") splits one mechanism into two invalid terms, and leading, trailing or doubled spaces trip up some parsers
  • More than 10 DNS lookups. The include, a, mx, ptr and exists mechanisms and the redirect modifier each cost a lookup, includes nested inside included records count too, and exceeding 10 makes the whole record a permerror
  • A TXT string longer than 255 characters. Longer records must be published as several quoted strings, which resolvers concatenate; keep the full record under about 450 characters so the reply fits in a 512-byte UDP packet (RFC 7208 section 3.4)

Sample SPF Record

"v=spf1 mx ip4:104.131.221.10 include:_spf.google.com include:spf.mailjet.com ~all"

This record costs three lookups of its own (mx and the two includes) before counting anything nested inside the included records; the ip4 and all terms are free.
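An added example, not from the original post, that lints an SPF record the way a receiver evaluates it: it follows include: and redirect= targets, adds up the DNS-lookup cost against the limit of 10, counts void lookups against the limit of 2, and flags the spacing, case and length problems listed above. DNS is replaced by a constructed dictionary of made-up hostnames so that it runs offline; pass a real resolver function for live checks.

```python
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}   # plus the redirect= modifier
KNOWN_TERMS = LOOKUP_MECHANISMS | {"all", "ip4", "ip6", "redirect", "exp"}
MAX_LOOKUPS, MAX_VOID = 10, 2                                   # RFC 7208 section 4.6.4
TERM_RE = re.compile(r"^([+\-~?])?([A-Za-z0-9_.\-]+)(?:([:=])(.*))?$")

# Constructed stand-in for DNS, mapping an include:/redirect= target to the SPF
# record it publishes. Names and contents are made up; they only mirror the shape
# of typical ESP records with nested includes.
FAKE_DNS = {
    "_spf.example-esp.net": "v=spf1 include:_netblocks.example-esp.net include:_netblocks2.example-esp.net ~all",
    "_netblocks.example-esp.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "_netblocks2.example-esp.net": "v=spf1 ip6:2001:db8::/32 -all",
    "spf.example-mailer.com": "v=spf1 a mx -all",
    "spf.example-crm.com": "v=spf1 include:_spf.example-esp.net include:spf.example-mailer.com ptr ~all",
}
# Constructed records for the domain being linted: one healthy, one with the
# classic mistakes (upper case, a space after 'ip4:', too many includes, a dead one).
GOOD_SPF = "v=spf1 mx ip4:192.0.2.10 include:_spf.example-esp.net include:spf.example-mailer.com ~all"
BAD_SPF = ("V=SPF1 MX ip4: 192.0.2.10 include:_spf.example-esp.net include:spf.example-mailer.com "
           "include:spf.example-crm.com include:spf.example-missing.net ~all")


def lint_spf(record, resolve=FAKE_DNS.get, _path=()):
    """Lint one SPF record (the full concatenated TXT value).

    include:/redirect= targets are followed through `resolve`, a callable mapping a
    host name to its SPF record or None; swap in a real DNS lookup for live checks.
    Returns errors, warnings and the total DNS-lookup cost of the record.
    """
    errors, warnings = [], []
    lookups = voids = 0
    if len(record) > 255:
        warnings.append(f"{len(record)} chars: publish as several quoted strings of at most 255")
    if len(record) > 450:
        warnings.append("over 450 chars: the reply may not fit a 512-byte UDP packet (RFC 7208 s3.4)")
    if "  " in record or record != record.strip():
        warnings.append("double, leading or trailing spaces; use single spaces between terms")
    if record != record.lower():
        warnings.append("upper-case characters; names are case-insensitive but publish lowercase")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        errors.append("record must start with v=spf1")
        terms = terms[:1]
    for i, term in enumerate(terms[1:], 1):
        m = TERM_RE.match(term)
        if not m:
            errors.append(f"unparseable term {term!r}")
            continue
        _, name, sep, arg = m.groups()
        name = name.lower()
        if name not in KNOWN_TERMS:
            errors.append(f"unknown mechanism {term!r} (a space after ':' splits 'ip4: 1.2.3.4' like this)")
            continue
        if sep and not arg:
            errors.append(f"{term!r} has an empty argument")
            continue
        if name in ("ip4", "ip6", "include", "exists", "redirect", "exp") and not sep:
            errors.append(f"{term!r} needs an argument")
            continue
        if name == "all" and i != len(terms) - 1:
            warnings.append("terms after 'all' are never evaluated")
        if name == "ptr":
            warnings.append("ptr is deprecated and slow (RFC 7208 s5.5)")
        if name in LOOKUP_MECHANISMS or name == "redirect":
            lookups += 1                             # every one of these costs a DNS query
        if name in ("include", "redirect"):
            target = arg.lower()
            if target in _path:
                errors.append(f"include loop through {target}")
                continue
            sub = resolve(target)
            if sub is None:
                voids += 1
                warnings.append(f"{target} publishes no SPF record (void lookup)")
                continue
            r = lint_spf(sub, resolve, _path + (target,))   # nested lookups count too
            lookups += r["lookups"]
            voids += r["voids"]
            errors += [f"{target}: {e}" for e in r["errors"]]
            warnings += [f"{target}: {w}" for w in r["warnings"]]
    if not _path:                                    # limits apply to the whole evaluation
        if lookups > MAX_LOOKUPS:
            errors.append(f"{lookups} DNS lookups, limit is {MAX_LOOKUPS}: receivers return permerror")
        if voids > MAX_VOID:
            errors.append(f"{voids} void lookups, limit is {MAX_VOID}: receivers return permerror")
    return {"errors": errors, "warnings": warnings, "lookups": lookups, "voids": voids}


if __name__ == "__main__":
    for rec in (GOOD_SPF, BAD_SPF):
        print(lint_spf(rec))
```

The lookup total is what matters in practice: an ESP's include usually expands to several further includes, so a record that looks short can blow past 10 once two or three vendors are added.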

Common DMARC Errors

Some common DMARC errors are:

  • v=DMARC1; - the version tag must be exactly DMARC1 and must come first; a receiver ignores the whole record if it is not precisely that (it is the one place in the record where case matters), so keep the remaining tag names and values in lowercase
  • semi-colon - always separate tags with a ";" semi-colon. A missing one merges two tags into a single value, and the second tag is silently lost
  • sending DMARC reports to an email address that is not authorized to accept them. If the rua= or ruf= mailbox is in a different organizational domain than the domain publishing the policy, the report receiver must publish an authorization TXT record named <your-domain>._report._dmarc.<report-domain> containing "v=DMARC1" (RFC 7489 section 7.1), otherwise reporters discard the address. This is what report vendors call external domain verification (EDV)

Sample DMARC Record

"v=DMARC1; p=reject; rua=mailto:[email protected]"
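An added example, not from the original post, that parses a DMARC record and checks the three points above together with the tag values receivers validate; for every rua= or ruf= address outside the policy domain it reports the authorization record that report receiver must publish. The records and domains are constructed, and org_domain is a simplification that ignores the Public Suffix List.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}

# Constructed records. GOOD_DMARC is a company.com policy that sends aggregate
# reports to an outside mailbox; BAD_DMARC collects the mistakes listed above
# (lower-case version tag, missing ';', bare address instead of mailto:, pct over 100).
GOOD_DMARC = ("v=DMARC1; p=reject; rua=mailto:dmarc-agg@reports.example.net; "
              "ruf=mailto:dmarc-fo@company.com; adkim=s; aspf=r; pct=100")
BAD_DMARC = "v=dmarc1; p=Reject rua=dmarc@company.com; ruf=dmarc@company.com; pct=150"


def org_domain(name):
    """Organizational domain, simplified to the last two labels.

    Assumption for this example only: real code must consult the Public Suffix
    List so that names such as example.co.uk are handled correctly.
    """
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def lint_dmarc(record, policy_domain):
    """Check a DMARC record published at _dmarc.<policy_domain>.

    Returns the parsed tags, errors, warnings and, for each report address in
    another organizational domain, the name of the authorization record that
    domain must publish with "v=DMARC1" (RFC 7489 section 7.1).
    """
    errors, warnings, external, tags = [], [], [], []
    for item in record.split(";"):
        if not item.strip():
            continue
        if "=" not in item:
            errors.append(f"malformed tag {item.strip()!r}")
            continue
        name, value = item.split("=", 1)
        name, value = name.strip(), value.strip()
        if re.search(r"\s\w+=", value):          # "p=reject rua=..." means a ';' was dropped
            errors.append(f"missing ';' inside {name}={value!r}: the next tag was swallowed")
        tags.append((name, value))
    td = dict(tags)
    if not tags or tags[0][0] != "v":
        errors.append("v= must be the first tag")
    if td.get("v") != "DMARC1":
        errors.append(f"v= must be exactly DMARC1 (case matters), got {td.get('v')!r}")
    if "p" not in td:
        errors.append("p= is required")
    elif td["p"].lower() not in POLICIES:
        errors.append(f"p= must be none, quarantine or reject, got {td['p']!r}")
    elif td["p"] != td["p"].lower():
        warnings.append(f"p={td['p']}: publish tag values in lowercase")
    for tag in ("adkim", "aspf"):
        if td.get(tag, "r") not in ("r", "s"):
            errors.append(f"{tag}= must be r (relaxed) or s (strict)")
    if "pct" in td and not (td["pct"].isdigit() and int(td["pct"]) <= 100):
        errors.append(f"pct= must be an integer 0-100, got {td['pct']!r}")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in td.get(tag, "").split(","))):
            if not uri.startswith("mailto:") or "@" not in uri:
                errors.append(f"{tag}= entries must be mailto: URIs, got {uri!r}")
                continue
            addr = uri[len("mailto:"):].split("!")[0]       # drop an optional !size suffix
            report_domain = addr.rsplit("@", 1)[1]
            if org_domain(report_domain) != org_domain(policy_domain):
                external.append((addr, f"{policy_domain}._report._dmarc.{report_domain}"))
    for name, _ in tags:
        if name not in KNOWN_TAGS:
            warnings.append(f"unknown tag {name}= is ignored by receivers")
    return {"tags": td, "errors": errors, "warnings": warnings, "external_reports": external}


if __name__ == "__main__":
    for rec in (GOOD_DMARC, BAD_DMARC):
        print(lint_dmarc(rec, "company.com"))
```

For the good record the output names company.com._report._dmarc.reports.example.net: that is the TXT record the operator of reports.example.net has to publish, with the value "v=DMARC1", before anyone will send company.com's aggregate reports there.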

Common Return-Path header Errors

Return-Path is an email header that records where bounces for a message will be sent. The address in it, also referred to as the bounce address, envelope sender or reverse path, is the SMTP MAIL FROM address; it can differ from the address in the From: header, and it is used specifically for collecting and processing bounced messages.

The header is added by the mail server that performs final delivery (the receiving mailbox provider, for example Google, Hotmail or Yahoo) to preserve the value of the SMTP MAIL FROM command. The sending service, such as Mailjet or Google, is what chooses that MAIL FROM value, and for DMARC it is the MAIL FROM domain that SPF authenticates and that must align with the From: domain.

Google Calendar is a good example. Invitations it sends on a user's behalf use a Google bounce address as the MAIL FROM, so the recipient's server records a Return-Path similar to this:

Return-Path: 3dQwoiuenPA_gsjfkdsfwqqnslx.htrwtswtsgnqqnslx.htr@calendar-server.bounces.google.com

This fails the SPF half of DMARC: SPF passes for Google's bounce domain, but google.com does not align with your company's domain (company.com), so the message only passes DMARC if it also carries a DKIM signature whose d= is aligned with company.com. Organizations are waiting for Google to fix this last aspect of the integration, which does not take advantage of the fact that a Google Workspace (formerly G Suite) customer has configured Workspace to use their own domain.
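As an added example (not from the original post), this evaluates DMARC alignment for the calendar case from the identifiers a receiver has at hand: the From: domain, the Return-Path (MAIL FROM) domain with its SPF result, and the d= domain of each DKIM signature. The identifiers are constructed, including the assumption that Google signs the invitation with d=google.com, and org_domain again ignores the Public Suffix List.

```python
def org_domain(name):
    """Organizational domain, simplified to the last two labels.

    Assumption for this example only: real code uses the Public Suffix List.
    """
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(identifier_domain, from_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    a, b = identifier_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(from_domain, mail_from_domain, spf_result, dkim_signatures, adkim="r", aspf="r"):
    """Decide DMARC for one message.

    mail_from_domain: domain of the SMTP MAIL FROM (what Return-Path records);
    spf_result: what SPF returned for that domain; dkim_signatures: a list of
    (d= domain, result) for every DKIM-Signature header on the message.
    DMARC passes if either leg is both passing and aligned with from_domain.
    """
    spf_aligned = spf_result == "pass" and aligned(mail_from_domain, from_domain, aspf)
    dkim_aligned = [d for d, res in dkim_signatures if res == "pass" and aligned(d, from_domain, adkim)]
    verdict = "pass" if spf_aligned or dkim_aligned else "fail"
    reason = []
    if spf_result != "pass":
        reason.append(f"spf={spf_result}")
    elif not spf_aligned:
        reason.append(f"spf passed for {mail_from_domain} but it is not aligned with {from_domain}")
    else:
        reason.append("spf aligned")
    reason.append(f"dkim aligned via d={dkim_aligned[0]}" if dkim_aligned else "no aligned dkim signature")
    return {"dmarc": verdict, "spf_aligned": spf_aligned,
            "dkim_aligned": bool(dkim_aligned), "reason": "; ".join(reason)}


# Constructed identifiers for the calendar case above: From: is the customer's domain,
# the Return-Path is Google's bounce domain, and SPF passes for that bounce domain.
CALENDAR = dict(from_domain="company.com",
                mail_from_domain="calendar-server.bounces.google.com",
                spf_result="pass")

if __name__ == "__main__":
    # Only a Google-signed DKIM signature (assumed d=google.com): nothing aligns -> fail.
    print(evaluate_dmarc(**CALENDAR, dkim_signatures=[("google.com", "pass")]))
    # The same message also signed with the customer's own selector -> pass on the DKIM leg.
    print(evaluate_dmarc(**CALENDAR, dkim_signatures=[("google.com", "pass"), ("company.com", "pass")]))
    # A subdomain selector passes under relaxed alignment but not under adkim=s.
    print(evaluate_dmarc(**CALENDAR, dkim_signatures=[("mail.company.com", "pass")], adkim="r")["dmarc"])
    print(evaluate_dmarc(**CALENDAR, dkim_signatures=[("mail.company.com", "pass")], adkim="s")["dmarc"])
```

The same function explains the forwarding case from the DKIM list: a forwarder fails SPF because it sends from its own IP, but an intact, aligned DKIM signature still carries the message to a DMARC pass, which is why DKIM is the leg worth getting right for every sender of your domain.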



Clustered Networks

Located in Edmonton, AB, Canada, Clustered Networks was incorporated in 2001 and has offered network, Internet and IT consulting services for over 20 years. We offer personalized service.


Posted in Linux Network Admin Tips, Network Security Tips, Tech How To on Dec 13, 2021