Got Threat/Unknown entries, now what?

(sorry, I had to edit the message because as a new user I can only add 2 links… I massaged the entries by replacing the dot in domain names with “-dot-”. very difficult to read, but I hope you forgive me…)

I am new to dmarcian, have set up a domain (call it and I am receiving data visible in the dashboard.
Last friday, there was a mass email sent from the WIX marketing portal. Apparently they use wixshootout and/or sendgrid-dot-net to deliver those messages.
At least I’ll find the following DKIM Signature in one of the sent mails:
v=1; a=rsa-sha256; c=relaxed/relaxed; d=pr01-dot-wixshoutout-dot-com; h=content-type:from:list-unsubscribe:mime-version:subject:reply-to:to; s=s1; bh=rsodpQXgI6I+NXvodHQFlKlJI+d/g+KaHi2XcQ9HNfM=; b=VPwSd1NgmC0mw+un6dE9Ur0c0GQwetGQDPK9du/7bErABSG3rxLjMYao6wdE7H7L/plm L7bhEPSSRVSCaCuRtmEJD6AAeQB0yd+yB7avjSl+LFkCL2LC50WJ4MitHWj9gKgS44pgbf 2xyQUXNIJzF7eprq2ywVCiNAU1/6NHIF0=

The Authentication-Results look like this:
spf=pass (sender IP is smtp-dot-mailfrom=sg-dot-pr01-dot-wixshoutout-dot-com; dkim=pass (signature was verified) header.d=pr01-dot-wixshoutout-dot-com; dmarc=fail action=none header.from=domain-dot-com;compauth=none reason=404

So I have plenty of entries in dmarcians dashboard in the Threat/Unknown category which contain this:

  • domain-dot-com, obviously
  • PTR: o27-dot-sg-dot-wixshoutout-dot-com
  • DKIM/DMARC fail-unaligned
  • DKIM pass, d=pr01-dot-wixshoutout-dot-com
  • SPF/DMARC fail
  • SPF pass
  • SPF domain sg-dot-pr01-dot-wixshoutout-dot-com
  • DKIM selector s1 (pr01-dot-wixshoutout-dot-com)

Where do I go now to make mass emails sent via WIX compliant?
I have now added wixshootout-dot-com to the domains SPF, but I have some understanding problems about DKIM.
I think I would need to add another DKIM DNS entry for wixshootout-dot-com (???) and/or need to tell WIX to DKIM sign outgoing emails with the signature? I am at a loss, please educate me.

The domain is set up on Office 365 and Emails through Office 365 are all in the DMARC capable and 100% green

Hi DanHu, and welcome to the forum :slight_smile:

So, apparantly your client/colleagues are using an Email Service Provider (ESP) for e.g. newsletters, in your case wix’s shoutout. Wix is currently authenticating mails by signing (DKIM) and setting return-path (SPF) using their own domain (pr01-dot-wixshoutout-dot-com).

  • First, you must find out who is responsible for and in control of that ESP use.

  • Then, you must convince (and possibly help) them change the ESP subscription setup to use a custom/authenticated domain , so the ESP can sign emails on behalf of domain-dot-com. Doing this, you should have domain. com publish a DKIM selector with a public key corresponding to the private key the ESP is using. Often, the ESP’s UI provides this key.

  • SPF always authenticates using the SPF TXT record at the domain specified by the return-path. The ESP needs to monitor bounces or recipient engagement, and can only do so if they control the server(s) handling these functions, so the ESP’s servers does NOT need to be included in the SPF record for their customer’s main domain.

  • Some ESPs (e.g. Sendgrid) can send mail using a return-path related to the customer’s domain, and/or link-brand web links in the mail if the customer publishes CNAME record(s) pointing to the ESP. DMARC-SPF alignment for ESP mail can only be achieved this way.

Hope this helps,

Hello Niels,
Many thanks for your explanations.
I understand now that there is no way around on having the ESP sign DKIM on the behalf of domain-dot-com. WIX does in fact have a way to enable DKIM signage in that way, but apparently it’s only possible if the client also hosts DNS on their infrastructure.
I will try to get the right contacts through WIX support. That might become a challenge. My experience with that support is that they are very WIX centric and more on the level of customers that struggle with the WIX tools.
Perhaps there is a way to use an external, configurable ESP instead. I will have to check.
But you gave me very competent and useful information.
Thanks again.

Hi Daniel,
I have no experience with Wix Shoutout, but most ESP do not need to host customer DNS.

Maybe CNAME records pointing to relevant servers and keys can do the trick, e.g.:
newsletter. domain. com IN CNAME <ESP server (name) handling return-path and link redirection>
ESP-sign1._domainkey. domain. com IN CNAME <ESP TXT record publishing public DKIM key 1>
ESP-sign2._domainkey. domain. com IN CNAME <ESP TXT record publishing public DKIM key 2>

This way the customer stays in control of their domain, while the ESP can shift loads around and rotate keys as they see fit.

(The customer is still responsible for taking down related CNAME and TXT records when the ESP contract is canceled or expires.)


1 Like

Hi Niels,
I was thinking about that too, althoiugh only as a possibility.
I will definitively try it.