Emails sent from Amazon SES sometimes (rarely) fail DKIM

0

We're using Amazon SES to send email messages with Easy DKIM to sign emails automatically. We've published our DMARC policy with Cloudflare. It includes the p=reject option.

We're using a DMARC analyzer service to analyze DMARC reports. We noticed that a small percent of all emails fail DKIM and DMARC, for unknown reasons.

For example, in the last 3 months, we sent 18,083 emails using Amazon SES. 16 of those emails failed DKIM verification.

It might be interesting to note that those 16 emails were sent from different Amazon SES IP addresses. For example, a single IP address sent 646 emails in the last 3 months. 2 of those failed DKIM verification.

Out of those 16 failures, 9 were reported by Google and 7 by Enterprise Outlook.

Also, we had the most reports on March 26 (8 failures) with 1 or 2 failures on March 4th, 18th and 25th, April 12th and 18th and May 3rd.

So the only possible clue we have so far is a slightly higher number of failures on March 26th, which could be accidental.

What could be the reason for these failures? Where can we look further? As far as we're aware, this is not a configuration issue, but we're stuck at the moment.

Strika
asked a month ago, 77 views
1 Answer
0

Typically, DKIM failures appearing in DMARC reports are due to messages being forwarded from the original recipient (e.g. an alias expansion, or mailing list) and then on to a final recipient or set of recipients.

A quality DMARC analysis service should help you detect this scenario through patterns in SPF domain misalignment. For example, if all of the messages are originating from SES, you may see all of the failures occurring from messages sent from Office 365's SPF zone.

Forwarding servers can fix this by rewriting the From address using a domain whose DNS they own and to which they can apply their own domain-aligned DKIM signature.

Domain owners who cannot tolerate messages failing delivery due to a prevalence of forwarding should not publish a 'reject' or 'quarantine' policy.

AWS
Jesse_T
answered 21 days ago
  • Thank you for answering, Jesse_T. However, forwarding is not the issue here. We have forwarded emails reported separately. For these emails, DKIM verification passes, SPF is not aligned, but DMARC passes.

    The problem with emails that I mentioned in my question is that they actually fail DKIM. I don't think they are forwarded.
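
The thread turns on whether DKIM-failing rows in a DMARC aggregate report arrived straight from the sender or through another hop. The following is an added example, not code from either poster or from AWS: it labels each record of an RFC 7489 aggregate report accordingly and lists the source IP and SPF envelope domain of every DKIM failure. The domain `example.com`, the MAIL FROM domain `bounce.example.com`, the label names and all sample records are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def classify(rec, own_envelope_domains):
    """Label one <record> of an RFC 7489 aggregate report (no XML namespace assumed)."""
    spf_dom = rec.findtext("auth_results/spf/domain", "").lower()
    # Our own envelope domain with SPF pass: no intermediate hop re-sent the message.
    direct = rec.findtext("auth_results/spf/result") == "pass" and spf_dom in own_envelope_domains
    if rec.findtext("row/policy_evaluated/dkim") == "pass":
        return "ok" if direct else "forwarded_dkim_intact"
    from_dom = rec.findtext("identifiers/header_from", "").lower()
    # Raw results of signatures whose d= is the From domain or a subdomain of it
    # (simplified alignment check, no public-suffix lookup).
    raw = [d.findtext("result", "none") for d in rec.findall("auth_results/dkim")
           if (dom := d.findtext("domain", "").lower()) == from_dom or dom.endswith("." + from_dom)]
    if not raw:
        return "no_aligned_signature"
    if any(r in ("temperror", "permerror") for r in raw):
        return "dkim_temperror_or_permerror"
    return "dkim_fail_direct" if direct else "dkim_fail_via_other_hop"

def summarize(xml_text, own_envelope_domains):
    """Return (message totals per label, DKIM-failing rows with source IP and envelope domain)."""
    totals, failures = Counter(), []
    for rec in ET.fromstring(xml_text).iter("record"):
        label, n = classify(rec, own_envelope_domains), int(rec.findtext("row/count", "0"))
        totals[label] += n
        if label not in ("ok", "forwarded_dkim_intact"):
            failures.append((rec.findtext("row/source_ip"),
                             rec.findtext("auth_results/spf/domain"), label, n))
    return totals, failures

def sample_record(ip, n, dkim, pe_spf, spf_dom, spf_res):
    """Build one constructed <record>; every value below is invented for illustration."""
    pe_dkim = "pass" if dkim == "pass" else "fail"
    return (f"<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
            f"<dkim>{pe_dkim}</dkim><spf>{pe_spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers><auth_results>"
            f"<dkim><domain>example.com</domain><result>{dkim}</result></dkim>"
            f"<spf><domain>{spf_dom}</domain><result>{spf_res}</result></spf></auth_results></record>")

OWN = {"bounce.example.com"}  # hypothetical custom MAIL FROM domain
SAMPLE = "<feedback>" + "".join([
    sample_record("192.0.2.10", 644, "pass", "pass", "bounce.example.com", "pass"),
    sample_record("198.51.100.7", 5, "pass", "fail", "forwarder.example.net", "pass"),
    sample_record("192.0.2.10", 2, "fail", "pass", "bounce.example.com", "pass"),
    sample_record("198.51.100.9", 1, "fail", "fail", "list.example.org", "pass"),
]) + "</feedback>"
```

Aggregate reports arrive from third parties, so parse real ones with a hardened XML parser such as `defusedxml` rather than the standard-library parser used here.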
