DKIM & DMARC errors

For several years, I’ve been putting up with various DKIM/DMARC errors since switching my services over to Cloudflare.
I found an old support ticket from my web host about this and they said that some record contained incorrect/incompatible characters (?) and I was hoping you would be able to resolve this, please?

I can send some of the DMARC and DKIM error emails as examples, if that would be helpful.

Thanks in advance,
Dax.

(P.S. I’m not sure how asking this question in an open forum will be useful since I can’t publicly divulge information pertinent to the case, but as a free customer, I don’t have any other choice.)

Could you test your email with https://www.mail-tester.com and link the result here?

You absolutely can. All the information for DKIM and DMARC needs to be public anyway. That is, whenever you send an email to someone, they can see all that I’m asking you to share.

4 Likes

Hi @dax3

I can see you have several domains in your account holding DKIM and DMARC records. Are they failing in all domains?

If not, then you should compare the faulty records with the correct ones where you do not see these issues.

In this documentation you will see the different record types and their syntax: DNS record types · Cloudflare DNS docs

Hi @Laudian, thanks for that information. It speaks to how little I know about the problem (and how to solve it!)

I ran the test and first time got this (/test-cyzb4w0ci), then went into my email signature, removed the dead link (Twitter, lol) and added alt text for the 2 images. I then started a new test (/test-pye09hpjz), but this time got a worse score, even with more text added to the body of the email. (What’s going on there?)

Despite the results looking good, I still receive 2-3 various error emails per week with subjects such as Report domain: puzzlefactory.uk Submitter: google.com Report-ID:... and others from Outlook, Yahoo.

I also hear reports from clients that emails sent from my WordPress installation (invoices) end up in their spam folder, despite using the same email address I use personally (which don’t get flagged as spam, even when I’m forwarding the exact same email contents).
Again, this may speak to my inexperience with these matters.

Hi @louise2, thanks so much for your reply.
I have several domains, but I only email from one of them.

As in, I may be conflating the DMARC error emails with spam-delivered emails from my WP invoicing platform.

Don’t worry about the spam score too much. I was really just interested in the authentication part of the test, which looks perfect.

Two things:

These aren’t necessarily errors. You will receive DMARC reports for both rejected and accepted emails. DMARC is a kind of email feedback system.
More importantly, you will receive feedback when others try to fake your email address, in which case an error is absolutely what you want to see in the report.
You receive these emails because your email address is listed in your DMARC record.

    dig +short _dmarc.puzzlefactory.uk txt
    "v=DMARC1; p=quarantine; rua=mailto:[email protected],mailto:[email protected]"

You should really remove your own email address from that record so you don’t get spammed. It is enough that the reports are sent to Cloudflare, where you can see aggregate reports under Email → DMARC Management.

When testing your email, it is important that you test each method independently, as configuration errors in WordPress might affect your deliverability.
So, if you have problems with WordPress emails, you should perform the test from mail-tester via an email sent from WordPress. If you can, just send an example invoice.

1 Like

Ahh okay, great. Thank you so much for sharing your experience on this issue.

> More importantly, you will receive feedback when others try to fake your email address, in which case an error is absolutely what you want to see in the report.

So does that mean it’s been successfully faked and some poor sucker has received a spam email supposedly from me? Or has it been refused?

That email address is a kind of spam-trap anyway, I created it exclusively to avoid using my primary address, but thank you. Now that I know the reports are collected elsewhere, I’ll update the record. (Cloudflare setting somewhere?)
Is there any value in checking these reports? I guess there’s nothing I can do about them anyway, right?

Ahh, that’s a good shout, I’ll test that now. (And though it’s off-topic, I’ll post the results here now that we’re down the rabbit hole. :joy: :rabbit::cyclone:)

Well, I’m stumped as to why my WordPress-originated emails are sometimes going to spam. I sent one from there and got a score of 9.5. :person_shrugging::person_shrugging::person_shrugging:

It is not uncommon for (especially larger) providers to provide some redundancy for their email servers, and spread their email sending over multiple IP addresses.

This one was delivered by 116.90.2.133 (out116-133-vmse03.mailcluster.com.au) to mail-tester.com

This one was delivered by 116.90.5.51 (out116-51-vmse02.mailcluster.com.au) to mail-tester.com

Both you and all the other customers of e.g. mailcluster.com.au will share the two IP addresses mentioned above, and likely, a lot of others, given how widely spread out these two IP addresses are, when you’re sending emails.

If some other customer has sent something, to e.g. Google/Gmail, Microsoft Office 365 / Outlook, or Yahoo recently, which they believed is junk, they may have applied some (hopefully: temporary) mitigations on these IP addresses (or even on the complete IP ranges they are a part of).

The next time when you send a message, and it is (unfortunately, and likely randomly) being delivered by one of mailcluster.com.au’s IP addresses where the destination has such mitigations in place, you may eventually suffer the consequences of someone else’s (bad) action.

The above could be an explanation for why it may sometimes appear one way, and sometimes in another.

Sounds like the WordPress message is also perfectly authenticated according to the screenshot.

If you open the third one, “You’re properly authenticated”, and verify that you see that your DKIM signature is valid, and that if you open the third one, which is likely named “Your message passed the DMARC test”, and you’re seeing something like:

    mail-tester.com; dmarc=pass header.from=puzzlefactory.uk
    mail-tester.com; dkim=pass (2048-bit key; unprotected) header.d=puzzlefactory.uk [email protected] header.b=lKhA/0ZW; dkim-atps=neutral

    From Domain: puzzlefactory.uk
    DKIM Domain: puzzlefactory.uk

Then your WordPress’s email authentication should be perfectly fine too.

Both of the above-mentioned tests contain a lot of images, but literally next to no text at all, which will trigger some (if not most, or even all) spam filters, since it has been a well known practice to try to hide junk text in images, to try to evade spam filters.

I would look at limiting / reducing the amount of images to a bare minimum.

You got four images on the above two tests, that are all linking to the same website.

The first, the third, and the fourth images, … do you really need them?

I can :+1: to this, for the above two tests, it looks perfectly fine (regarding DKIM and DMARC).

The DMARC rua reports will send aggregate statistics about email messages that are passing authentication, as well as those that are failing, so it will actually be both.

If you’re sending email using, for example three different providers, but your email authentication hasn’t been properly configured on one of these providers, the DMARC reports can help you identify that.

You can then talk to your email provider, and ask them for further assistance, regarding how you can get it configured properly with them.

A good part of the discrepancy between the two tests appears to be signalling some serious misconfiguration on mail-tester.com’s end.

That is, assuming mail-tester.com is attempting to run their service legitimately.

1 Like