DKIM DMARC alignement fail for some messages


Can someone help me to understand why DKIM/DMARC alignement fail for 5 messages row n°1 since row n°2 seems identical and shows DKIM/DMARC aligned.

Thank you.


Row 1 was not DKIM signed and row 2 was DKIM signed. I wouldn’t consider that identical. It’s probably time to check your mail server logs and see what they tell you.

I mean all the field values are identical (From:domain, IP, PTR/Server,…).

I set debug mode log for DKIM on our Exchange server and there are recurrent messages “DEBUG: Message is a System message or of TNEF format. Not signing”.

Can this 5 messages not DKIM signed related to NDR or autoreply messages ? (


Hello Chris,

Judging by the SMTP mail-from domain identifier of the screenshot you provided, receivers checked SPF using the FQDN of the mail server, which typically means checking the HELO identify of the email. This occurs when the SMTP Mail From is null, or no email address given during the MAIL FROM SMTP command.

This is expected for system generated messages, such as delivery status notifications, out of office replies and the like. Exchange on prem is known to send some status messages in TNEF format, and this DKIM plugin does not appear to sign them.

Disabling TNEF may help, but likely not for all messages. You already have an SPF record published for your mail server’s hostname which brings those emails into DMARC compliance, following best practice and would have been my next recommendation.

1 Like

Thank Asher for you response.