There could be several reasons. Typically, key timeout errors mean the receiver’s DNS servers could not query the signing domain. A few things to consider:
Is this isolated to a specific receiver or is it widespread?
If isolated, the receiver may not be able to query your DNS servers. This could be an issue on their end, or your server blocking them over port 53.
If widespread, there could be issues with your DNS server, intermittently or otherwise. This however would also impact other checks from SPF, MX and such.
I would start with the above to hopefully get an idea who “owns” the issue.
Hm, how would I tell if this is isolated to a specific receiver or widespread?
I know that this is happening occasionally from Mailchimp emails sent to various internal emails at our domain @college-church. I don’t know if this is happening to emails outside this domain. When a campaign is sent out from Mailchimp, some emails pass DKIM and others fail. I haven’t noticed any other checks failing related to SPF/MX, but I am not necessarily looking for it. Is there an SPF timeout error or something like that I can look for?
Side Note: Microsoft does not even send DMARC reports; I caught these because of an Exchange rule that checks for DMARC fails associated with our domain.
If I sent my DMARC reports to dmarcian, could I get better insights into this?
Your description is already a hint. I have checked with various public DNS along with performing authoritative tests, and all of your domain’s NS along with MailChimp respond. I also checked if the keys validate, and they do. I also don’t see reported issues within the MailChimp DKIM ecosystem. To your point however, we don’t get reports from MS.
Looks like you use EOP as your inbound security gateway. In the email headers, if EOP is ultimately reporting the DKIM-Timeout verdict, then there is a high chance the issue is between either MS and your NS, or MS and MailChimp’s NS, since a CNAME is at play here. I tested with my own MailChimp account and sent a test to my domain, also hosted on 365, and EOP successfully validated the DKIM signature, which likely rules out MailChimp’s DNS being the culprit.
At this point, either the issue is intermittent with MS, or EOP is having issues querying your domain’s DNS. If that is the case, however, as previously stated, other aspects of DNS-based authentication would be impacted.
Sending data to dmarcian in your situation would help determine if other receivers are having issues, such as seeing at a glance problems likely linked to your DNS. Since MS does not send DMARC aggregate data, you would not have visibility into this inbound, however. You can look at the Office 365 spoof report to see inbound mail spoofing your own domain, legitimate or otherwise, in case you wish to identify other senders perhaps having a similar issue.
Through the UI, this report can be seen in Admin Centers > Security > Reports > Dashboard > Spoof detections, where you can generate one by clicking on the Spoof report graph. It takes some time, and you can specify it to be emailed to you.
I hope this helps. I hope you find a resolution to your issue.
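To check from received mail whether the timeouts are isolated to one gateway, this added example (not part of the original thread) tallies DKIM verdicts per reporter from `Authentication-Results` headers. The sample headers, domains and function names are constructed for illustration; a header with no leading authserv-id is grouped under a placeholder label.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample messages (headers only). Domains, hosts and the exact
# header wording are placeholders, not copied from any real mail.
SAMPLES = [
    # No leading authserv-id: the first clause is already a method=result.
    "Authentication-Results: spf=pass smtp.mailfrom=bounce.example.net;\n"
    " dkim=timeout (key query timeout) header.d=example.org;\n"
    " dmarc=fail action=none header.from=example.org\n\nbody\n",
    "Authentication-Results: spf=pass smtp.mailfrom=bounce.example.net;\n"
    " dkim=pass (signature was verified) header.d=example.org;\n"
    " dmarc=pass action=none header.from=example.org\n\nbody\n",
    # RFC 8601 layout: authserv-id first, then the method results.
    "Authentication-Results: mx.receiver.example;\n"
    " dkim=pass header.d=example.org header.s=k1;\n"
    " spf=pass smtp.mailfrom=bounce.example.net\n\nbody\n",
]

NO_ID = "(no authserv-id)"  # placeholder label used by this example only

def dkim_verdicts(raw_message):
    """Yield (reporter, result, signing_domain) for every dkim= clause."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^()]*\)", " ", value)  # drop comments; they may hold ';'
        clauses = [" ".join(c.split()) for c in value.split(";")]  # unfold lines
        reporter = NO_ID
        first = clauses[0].split(" ")[0]
        if first and "=" not in first:  # a bare first token is the authserv-id
            reporter, clauses = first, clauses[1:]
        for clause in clauses:
            result = re.match(r"dkim=(\w+)", clause)
            if result:
                domain = re.search(r"header\.d=(\S+)", clause)
                yield reporter, result.group(1), domain.group(1) if domain else "?"

def tally(messages):
    """Count DKIM verdicts per (reporter, result, signing domain)."""
    return Counter(v for raw in messages for v in dkim_verdicts(raw))

def timeout_reporters(messages):
    """Reporters that logged at least one DKIM timeout."""
    return {rep for (rep, res, _dom) in tally(messages) if res == "timeout"}

if __name__ == "__main__":
    for (rep, res, dom), n in sorted(tally(SAMPLES).items()):
        print(f"{rep:20} {dom:15} dkim={res:8} {n}")
```

If timeouts appear under a single reporter while others pass for the same signing domain, the problem is more likely on the path between that receiver and the DNS servers than in the published key.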
FYI, we had some other DNS records set up for My Emma and dkim.e2ma.net. We had these set up because we used to use MyEmma for email delivery. We have removed those records and the DKIM timeout issues have dissipated. If these records were the issue, I don’t think I understand why.