Monthly Archives: April 2026

Why monitor DMARC compliance? DKIM Compliance Changes

DKIM is an important part of DMARC compliance and your email delivery reputation. DKIM allows you to cryptographically sign your outbound email, taking ownership of the email you send out: in a sense, binding your email to your reputation. If your DKIM compliance suddenly drops, it could reduce acceptance of your email or move your email from the Inbox to the Junk folder.

The Issues

DKIM is by nature and design a bit finicky. The signature is computed from the message itself. Any change to the message after the initial send, whether via forwarding, a separate gateway or some other alteration, breaks the signature. Forwarding is the most common reason for a message to fail DKIM checks. Since forwarding is fairly common, you should expect to always have a less-than-perfect DKIM pass rate; however, properly configured SPF records should ensure DMARC compliance.

Another potential issue is also a maintenance requirement: rotating keys and/or selectors. It’s a best practice to modify security codes regularly to prevent malicious actors from having access to systems if existing codes get into the wild. When you change them, however, there is the potential to omit a sender or DNS record. In addition, there is potential for slow DNS propagation. This could result in a higher-than-normal DKIM failure rate.

A common issue with 3rd party senders is the use of their own DKIM domain. In this case, the sender does not support using your sending domain and DKIM signatures but only their own. Email from these senders will pass SPF checks if properly included in your SPF record but fail DKIM alignment.

Remedies

To detect and understand these and other potential DKIM issues, you must be monitoring changes to your SPF, DKIM and DMARC compliance rates through DMARC reporting. If you have significant email volume, this is impossible to do without a tool that aggregates your DMARC reports from multiple inbox providers to get a complete picture of your email.

How does MxToolbox Help?

 MxToolbox Delivery Center provides everything you need to manage and maintain DMARC compliance rates to maintain a solid email delivery reputation, including:

  • Set up SPF, DKIM and DMARC for your Domain
  • Carefully migrate to a DMARC Reject policy
  • Set up your BIMI record
  • Verify compatibility of your SVG image
  • Monitor your certificates for expiration
  • Manage the on-going changes to the DMARC, SPF, DKIM and BIMI standards

If this sounds complicated, MxToolbox also offers a Managed Services team that can help you set up DMARC, DKIM, SPF and BIMI and get your domain aligned with Google, Yahoo! and Outlook.com bulk sender policies.

Why monitor DMARC compliance? Sudden drops in SPF Compliance

DMARC compliance is a big part of a good email delivery reputation, but simply adopting and configuring DMARC is not the end of the journey: you need to keep monitoring DMARC compliance. There are several reasons to keep a watchful eye on DMARC compliance rates and the underlying SPF and DKIM compliance rates. Let’s take a look at a few recent examples.

The Customer

We recently had a customer with a sudden drop in SPF compliance affecting their email reputation. It could only be detected through regular monitoring of SPF Authentication through aggregated DMARC reports from Inbox Providers. At the same time, there appeared to be an increase in email volume; however, seasonal variations in outbound email volume may make that difficult to track.

Troubleshooting

There could be several reasons for a change in SPF compliance: an alteration to the SPF record or one of its underlying included SPF records from 3rd party providers, a phishing attempt using the customer’s domain or a new email source. To troubleshoot an issue like this, you need to know who the actual Sender is.

DMARC reports contain details of sending IP addresses, but not the company name. MxToolbox Delivery Center aggregates DMARC reports from the Inbox Providers and then correlates IP addresses in these reports with our databases of known 3rd party senders to determine if they are risky or legitimate. If legitimate, then the sender could be missing from the SPF record or there could be an updated range of IP addresses the customer or 3rd party sender failed to include in the SPF record.
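As an added illustration (not MxToolbox code), the sketch below shows the kind of per-source breakdown that aggregate reports make possible, both for the SPF troubleshooting described here and for tracking DKIM pass rates over time. The report is constructed, trimmed to the fields used, and uses documentation IP addresses; mapping an IP to a named sender still requires a separate data source.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report (RFC 7489 Appendix C layout), trimmed to the
# fields used below. IPs are documentation addresses, not real senders.
REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>60</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>300</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.25</source_ip><count>200</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Per-source message totals and aligned SPF/DKIM/DMARC pass counts."""
    stats = defaultdict(lambda: {"total": 0, "spf": 0, "dkim": 0, "dmarc": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        n = int(row.findtext("count"))
        spf = row.findtext("policy_evaluated/spf") == "pass"
        dkim = row.findtext("policy_evaluated/dkim") == "pass"
        s = stats[row.findtext("source_ip")]
        s["total"] += n
        s["spf"] += n * spf
        s["dkim"] += n * dkim
        s["dmarc"] += n * (spf or dkim)    # DMARC needs only one aligned pass
    return dict(stats)

def failing_sources(stats, mechanism="spf", min_rate=0.9):
    """Sources whose pass rate for one mechanism is below min_rate, worst first."""
    rated = [(ip, s[mechanism] / s["total"]) for ip, s in stats.items()]
    return sorted([r for r in rated if r[1] < min_rate], key=lambda r: r[1])

if __name__ == "__main__":
    stats = summarize(REPORT)
    for mech in ("spf", "dkim", "dmarc"):
        print(mech, failing_sources(stats, mech))
```

Aggregate reports arrive from outside parties, so a production parser should use a hardened XML library such as defusedxml and merge reports from every receiver before computing rates.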

In this case, MxToolbox determined that the sender was MailChimp, a legitimate provider of marketing email. An internal investigation by our client found that a department had started using MailChimp without informing IT. Without MailChimp’s sending IP addresses in the SPF record, much of that email had been rejected. The other department had been puzzled by low campaign open rates but had not realized that it was due to the sender being absent from the SPF record. Continued SPF Authentication issues could escalate the reputation issue, potentially causing blacklisting of those IPs or wholesale rejection of email from that sender.

Other Issues

Another reason SPF compliance could suddenly drop is phishing attempts using your domain. A bad actor can use your domain for phishing attempts, suddenly increasing the volume of email appearing to come from your domain. Phishing is a huge security threat for both your domain and your internal staff. Again, investigations require aggregated DMARC reports to understand and uncover the issue. The only way to prevent phishing is to adopt DMARC reject policies.

How does MxToolbox Help?

 MxToolbox Delivery Center provides everything you need to manage and maintain DMARC compliance rates, including:

  • Set up SPF, DKIM and DMARC for your Domain
  • Carefully migrate to a DMARC Reject policy
  • Set up your BIMI record to get your logo in the Inbox
  • Verify compatibility of your SVG image
  • Monitor your certificates for expiration
  • Manage the on-going changes to the DMARC, SPF, DKIM and BIMI standards

If this sounds complicated, MxToolbox also offers a Managed Services team that can help you set up DMARC, DKIM, SPF and BIMI and get your domain aligned with Google, Yahoo! and Outlook.com bulk sender policies.

The SPF Struggle is real – What happened at reddit?

We’ve talked about SPF Limits and SPF Flattening in the past. There is simply too much demand to get into the SPF record. Whether it’s adding a new sender or an existing sender updating an include, senders sometimes necessarily and sometimes lazily add too many lookups into your SPF record. In fact, one well-known CRM goes so far as to write dynamic macros in their SPF record to avoid hitting the 10-include limit.

What is the issue?

Currently, reddit has published an SPF record with too many includes, meaning that during email delivery, the last includes to be checked are dropped. This could leave one or more of reddit’s legitimate senders appearing to be spam or phishing because email from these senders will fail SPF Authentication.

In addition, reddit is running a DMARC policy of “reject”. While it is up to the individual Inbox Provider, a DMARC reject policy instructs the recipient systems to reject email that is not DMARC compliant, which means trashing any email that fails SPF Authentication. Essentially, there is an unknown amount of email from reddit that cannot be delivered, potentially affecting accounts, customers, purchases, etc.
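The added example below (not MxToolbox code and not reddit's actual record) shows how the lookup budget is consumed. RFC 7208 section 4.6.4 allows at most 10 DNS-querying terms (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`) per evaluation, nested includes count too, and an evaluator that exceeds the limit returns a permanent error. Because terms are evaluated left to right, the senders listed last are the ones that lose coverage. The zone data and every domain name in it are hypothetical.

```python
import re

LIMIT = 10                                   # RFC 7208 section 4.6.4
TERM = re.compile(r"([a-z0-9]+)[:=/]?(.*)")  # mechanism or modifier name, then argument

# Constructed zone data: domain -> SPF TXT record. All names are hypothetical.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mail.example include:crm.example "
                   "include:news.example include:billing.example ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "crm.example": "v=spf1 a mx include:_pool.crm.example exists:%{i}.crm.example ~all",
    "_pool.crm.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "news.example": "v=spf1 include:_spf.mail.example ~all",
    "billing.example": "v=spf1 ip4:192.0.2.128/25 ~all",
}

def lookups(term, zone, path=()):
    """DNS lookups caused by one SPF term, following include/redirect."""
    name, arg = TERM.match(term.lstrip("+-~?").lower()).groups()
    if name in ("a", "mx", "ptr", "exists"):
        return 1
    if name in ("include", "redirect") and arg not in path:   # skip include loops
        nested = zone.get(arg, "").split()[1:]                # drop "v=spf1"
        return 1 + sum(lookups(t, zone, path + (arg,)) for t in nested)
    return 0                                                  # ip4, ip6, all: no DNS query

def audit(domain, zone):
    """(term, cost, running total) for each top-level term, in evaluation order."""
    running, out = 0, []
    for term in zone[domain].split()[1:]:
        cost = lookups(term, zone, (domain,))
        running += cost
        out.append((term, cost, running))
    return out

def over_limit(domain, zone):
    """Top-level terms that are reached only after the budget is exhausted."""
    return [t for t, cost, total in audit(domain, zone) if cost and total > LIMIT]

if __name__ == "__main__":
    for row in audit("example.com", ZONE):
        print(row)
    print("at risk:", over_limit("example.com", ZONE))
```

In this constructed record the top level shows only one `mx` and four includes, yet the nested records bring the total to 14 lookups, and the last two includes fall outside the budget.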

What can they do?

There are several ways to get your SPF record below the 10 lookup threshold:

  • Manual or Automatic SPF Flattening as discussed in our blog.
  • Reducing the number of senders.
  • Splitting email sending across multiple domains or subdomains with separate SPF records.

All of these options have pros and cons. Many senders do not want to lose the cachet of their primary domain, some cannot consolidate vendors to reduce SPF complexity, and some SPF records cannot be easily manually flattened. Even if you get below the threshold today, vendors may add new includes to their SPF records tomorrow, pushing you over the threshold again.

What’s going to happen?

With a proper DMARC reporting and management system, like MxToolbox Delivery Center, they should already be seeing SPF failures and working to fix their SPF record. In the short term, reddit will see some of their email bounce; in the long term, this could cause their domain to have serious reputation issues.

How can MxToolbox help?

You first need to know if you have a problem before solving it. MxToolbox offers a Free SPF Lookup Tool where you can check your real-time SPF configuration for errors, including the risk of “Too Many Includes”. We also have a suite of Email Delivery tools to help you manage DMARC, SPF and DKIM and get your email to the Inbox.