If a sending source identified by DMARCwise shows a DKIM alignment percentage close to 0%, there are several possible reasons:
- DKIM is failing (no signature, invalid signature, or wrong domain).
- Your DMARC record has strict alignment enabled.
- Your email service provider signs with a different DKIM domain than your From domain.
- The emails have been forwarded (and the DKIM signature was modified or broken).
- Your sender domain is being spoofed by an attacker.
Let’s go through them one by one.
Learn more about DKIM and alignment in Introduction to DKIM.
DKIM is failing
Achieving DKIM alignment requires the email to contain a valid DKIM signature using a domain aligned with your From domain.
To diagnose this, choose a source with DKIM alignment issues in your DMARCwise dashboard and check the DKIM column. You may see different results that signal a failure:
- `none` means that the messages were not signed.
- `fail` means that the messages were signed but the signature verification failed.
- `policy` means that the messages were signed, but some aspect of the signature was not acceptable to the mail server.
- `neutral` means that the messages were signed, but the signature contained syntax errors or could not otherwise be processed.
- `temperror` indicates that a transient error prevented the mail server from retrieving the public key (e.g. DNS failures).
- `permerror` indicates that the message could not be verified due to an unrecoverable error, such as a required header field being absent.
Depending on the result, the failure points at different things: `none` usually means the provider is not signing at all; `fail` commonly means the key published under the selector in DNS no longer matches the signing key (for example after a key rotation); `temperror` and `permerror` point at the DNS record or the message itself rather than at the signing configuration.
If the DKIM domain belongs to an external provider or a hosted service, ensure that DKIM is properly configured within their console; editing DNS alone may not enable DKIM signing.
You can find practical information and instructions for the most popular email providers on DMARC.wiki, our directory of email providers and their DMARC compliance level.
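The per-source DKIM column and alignment percentage come from DMARC aggregate (RUA) reports. The following added example (not DMARCwise's own code) parses a constructed report, tallies the raw DKIM results per source IP alongside the receiver's aligned-DKIM verdict, and lists the sources whose alignment rate is below a threshold; the report XML, IPs and domains are all constructed for the example.

```python
# Added example (not DMARCwise's code): tally the raw DKIM results and the
# DKIM alignment percentage per sending source from a DMARC aggregate (RUA)
# report, the same data a dashboard's DKIM column is derived from.
# The report below is constructed for this example.
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>constructed-1</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>10</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>temperror</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>25</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk.example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_dkim(report_xml: str) -> dict:
    """Per source IP: message count, raw DKIM results, and aligned-DKIM percentage."""
    root = ET.fromstring(report_xml)
    per_source = defaultdict(lambda: {"messages": 0, "aligned": 0, "results": Counter()})
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        src = per_source[ip]
        src["messages"] += count
        # policy_evaluated/dkim is the receiver's *aligned* DKIM verdict (pass or fail)
        if rec.findtext("row/policy_evaluated/dkim") == "pass":
            src["aligned"] += count
        # auth_results/dkim holds the raw verification result per signature;
        # no <dkim> element at all means the messages carried no signature
        results = [d.findtext("result") for d in rec.findall("auth_results/dkim")] or ["none"]
        for result in results:
            src["results"][result] += count
    return {
        ip: {
            "messages": src["messages"],
            "dkim_alignment_pct": round(100.0 * src["aligned"] / src["messages"], 1),
            "results": dict(src["results"]),
        }
        for ip, src in per_source.items()
    }


def sources_needing_attention(summary: dict, threshold_pct: float = 50.0) -> list:
    """IPs whose aligned-DKIM rate is below the threshold, worst first."""
    low = [(ip, s) for ip, s in summary.items() if s["dkim_alignment_pct"] < threshold_pct]
    return [ip for ip, _ in sorted(low, key=lambda item: item[1]["dkim_alignment_pct"])]


if __name__ == "__main__":
    for ip, s in summarize_dkim(SAMPLE_REPORT).items():
        print(f"{ip}: {s['messages']} msgs, DKIM aligned {s['dkim_alignment_pct']}%, results {s['results']}")
```

In the constructed report the first source signs correctly but hits a transient DNS error on part of its traffic (80% aligned, results `pass` and `temperror`), while the second source sends unsigned mail (0% aligned, result `none`), which is the pattern to look for when a source shows a near-zero alignment percentage.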
Strict alignment in your DMARC record
If your DMARC record contains `adkim=s` (strict alignment), the DKIM d= domain must match the From header domain exactly; a subdomain of it is not enough.
In the DMARCwise dashboard:
- Choose a source with DKIM alignment issues.
- Look at the domain inside the DKIM signatures (there may be more than one, check all of them).
- If the DKIM domain is a subdomain of your main domain, strict alignment will fail.
You have two options to fix this:
- Remove `adkim=s` to switch to relaxed DKIM alignment, allowing subdomains to align.
- Reconfigure your email provider so that DKIM signs using your top-level organizational domain.
Not all providers allow you to choose the exact signing domain.
Provider uses a shared DKIM domain
Some email service providers sign outgoing messages using a shared DKIM domain that may not match your From domain. For example, Microsoft 365 uses a domain that looks like {tenant-name}.onmicrosoft.com by default.
For DKIM alignment in DMARC, the DKIM domain must align with your From domain.
To fix this, check whether your provider supports custom DKIM signatures, custom DKIM domains, or aligned DKIM.
Providers that do not support custom DKIM domains are not capable of DKIM alignment for your domain. In those cases, you must rely on SPF alignment alone to satisfy DMARC, which in turn requires the provider to use your domain (or a subdomain of it) as the envelope sender (Return-Path) of the messages it sends for you.
You can find practical information and instructions for the most popular email providers on DMARC.wiki, our directory of email providers and their DMARC compliance level.
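The two previous sections (strict alignment and shared provider DKIM domains) come down to the same alignment test a DMARC verifier applies. The following added example (not DMARCwise's own code) implements that test for both adkim modes and reports why a source is unaligned; the domains and records are constructed, and the organizational-domain shortcut (last two labels) is an assumption that real verifiers replace with the Public Suffix List.

```python
# Added example (not DMARCwise's code): DKIM identifier alignment as a DMARC
# verifier evaluates it (RFC 7489 section 3.1.1), for both adkim modes.
# Assumption: organizational_domain() takes the last two labels. Real verifiers
# use the Public Suffix List, so this shortcut is wrong for e.g. example.co.uk.
# All domains and DMARC records below are constructed for the example.


def parse_dmarc_record(record: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=none; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain (assumption: last two labels, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dkim_aligned(header_from: str, dkim_domains, adkim: str = "r") -> bool:
    """True if any DKIM d= domain aligns with the From domain under the given mode."""
    from_domain = header_from.lower().rstrip(".")
    for d in dkim_domains:
        d = d.lower().rstrip(".")
        if adkim == "s":
            if d == from_domain:           # strict: exact match only
                return True
        elif organizational_domain(d) == organizational_domain(from_domain):
            return True                    # relaxed: same organizational domain
    return False


def check_source(header_from: str, dkim_domains, dmarc_record: str):
    """(aligned, reason) for one source, using the adkim tag of the published record."""
    mode = parse_dmarc_record(dmarc_record).get("adkim", "r")  # relaxed is the default
    if not dkim_domains:
        return False, "no DKIM signature"
    if dkim_aligned(header_from, dkim_domains, mode):
        return True, "aligned (" + ("strict" if mode == "s" else "relaxed") + " mode)"
    if mode == "s" and dkim_aligned(header_from, dkim_domains, "r"):
        return False, "adkim=s: d= is in your organizational domain but not an exact match; relax adkim or sign with the From domain"
    return False, "d= is outside your organizational domain (shared provider domain?)"


if __name__ == "__main__":
    cases = [
        ("example.com", ["example.com"], "v=DMARC1; p=none; adkim=s"),
        ("example.com", ["mail.example.com"], "v=DMARC1; p=none; adkim=s"),
        ("example.com", ["mail.example.com"], "v=DMARC1; p=none"),
        ("example.com", ["contoso.onmicrosoft.com"], "v=DMARC1; p=none"),
        ("example.com", [], "v=DMARC1; p=none"),
    ]
    for header_from, d, rec in cases:
        print(header_from, d, rec, "->", check_source(header_from, d, rec))
```

Running the cases shows the two situations from the text side by side: `mail.example.com` fails only under `adkim=s` and passes once the tag is removed, whereas a provider's shared domain such as `contoso.onmicrosoft.com` fails under both modes and can only be fixed by signing with your own domain.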
Forwarded sources
If you see DKIM alignment failing only sporadically and none of the above explanations fit, the cause is often automated email forwarding.
While DKIM usually survives forwarding better than SPF, it can still fail due to:
- Mail gateways modifying headers.
- Mailing lists rewriting messages to add custom footers, unsubscribe links or alter the subject.
- Security appliances injecting disclaimers or banners.
You will typically notice:
- DKIM passing for direct messages.
- DKIM failing for forwarded versions of the same messages.
DKIM failures caused by forwarding cannot be fixed on your side, and you can safely ignore them as long as the direct messages from that source pass with aligned DKIM and you also have aligned SPF set up. Bear in mind that the forwarded copy itself usually fails SPF as well, because it reaches the final receiver from the forwarder's IP address; a DMARC failure on that copy is expected, and receivers that support ARC can still accept it.
Learn more about DKIM and how it can break in Introduction to DKIM.
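To see concretely why a footer breaks DKIM while plain forwarding usually does not, the following added example (not DMARCwise's own code) recomputes the DKIM body hash (the `bh=` tag of a signature) with the relaxed body canonicalization from RFC 6376 and compares the original body with two delivered variants; the message body and the mailing-list footer are constructed for the example.

```python
# Added example (not DMARCwise's code): why a mailing-list footer breaks DKIM.
# DKIM (RFC 6376) signs a SHA-256 hash of the canonicalized body (the bh= tag);
# relaxed body canonicalization is implemented below following section 3.4.4.
# The message body and footer are constructed for this example.
import base64
import hashlib
import re


def relaxed_body_canonicalize(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    out = []
    for line in lines:
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse runs of WSP to one SP
        out.append(line.rstrip(b" \t"))        # drop WSP at end of line
    while out and out[-1] == b"":              # drop trailing empty lines
        out.pop()
    return b"\r\n".join(out) + b"\r\n" if out else b""


def body_hash(body: bytes) -> str:
    """The value a signer puts in bh= (base64 of SHA-256 over the canonical body)."""
    return base64.b64encode(hashlib.sha256(relaxed_body_canonicalize(body)).digest()).decode()


def body_hash_survives(original: bytes, delivered: bytes) -> bool:
    """Would the verifier's recomputed bh= still match the one in the signature?"""
    return body_hash(original) == body_hash(delivered)


ORIGINAL_BODY = b"Hi team,\r\n\r\nThe release is on Monday.\r\n"
LIST_FOOTER = (
    b"--\r\n"
    b"You received this via list@lists.example.net\r\n"
    b"Unsubscribe: https://lists.example.net/u\r\n"
)

if __name__ == "__main__":
    # a forwarder that only re-wraps whitespace or adds blank lines at the end is harmless
    print(body_hash_survives(ORIGINAL_BODY, ORIGINAL_BODY + b"\r\n\r\n"))  # True
    # an appended footer changes the canonical body, so bh= no longer matches
    print(body_hash_survives(ORIGINAL_BODY, ORIGINAL_BODY + LIST_FOOTER))  # False
```

Relaxed canonicalization tolerates whitespace changes and extra trailing blank lines, which is why a plain forward normally keeps DKIM intact, but any added content fails the hash. The signature additionally covers the headers listed in its `h=` tag, so a gateway that rewrites the Subject (for instance to prepend a list tag) breaks the signature even when the body is untouched.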
Domain spoofing
If none of the above scenarios apply, you may have identified a case of domain spoofing.
For example, you may see emails signed with a DKIM domain that is not yours, or the emails contain no DKIM signature at all while they appear to come from your domain. This typically indicates an attacker spoofing your domain.
During DKIM-related spoofing attempts:
- DKIM should always fail alignment or be missing, since the attacker cannot sign messages with your private key.
- SPF may or may not pass depending on the infrastructure used.
In cases like this, it is recommended to move your DMARC policy to enforcement (p=quarantine, then p=reject) so that receivers act on these failures instead of only reporting them, which blocks the impersonation attempts.
