iContact SPF/DKIM alignment

We have a domain that sends via iContact. Got the suggested SPF and DKIM records set but dmarcian reports 0% alignment (screenshot).

I’ve checked DKIM validation with the Wordtothewise validation tool and it passed for both keys (icontact.k1 and icontact.k2).

Here’s a sample of the failures from the detail viewer - screenshot

We’d like to publish a stronger DMARC policy but I need to resolve this issue first and am stuck with where to turn next.

Any ideas?

Here’s the wordtothewise validation tool I used: https://tools.wordtothewise.com/authentication

Would only let me post 2 links in original post.

Hi John,

Have you looked at https://kb.icontact.com/hc/en-us/articles/360025667951-DKIM-SPF-and-DMARC-Information ?

Specifically did you carry out step 5?

Contact iContact support; you must contact Support, or your Account Advisor, and request that we turn on custom DKIM for your account. Login to your account, and reach us by phone, chat, or email.

Thanks - I had read that article, but totally missed reading that line! Will get on it.

Hi John,

To add to beekeeper’s response, the compliance percentage displayed in our dmarcian portal is based on successful DMARC compliance, meaning not only that the individual DKIM and SPF checks are passing, but also that the identifiers are in alignment.

Identifier (domain) alignment is where the domains used for SPF checks (return-path domain) and the DKIM signing domain (d= tag, also the domain hosting the public key) are aligned with the domain found in the From: header. Aligned means they are the same, or of the same org domain, depending on whether you are using relaxed or strict alignment.

Since by default iContact uses their own domain for both the return-path address and DKIM signing, this means that although their domain is correctly configured to pass an SPF and DKIM check (SPF and DKIM raw column in the detail viewer), the domain is not aligned with yours used in the From: header. The configuration steps provided by beekeeper will change the DKIM value to your domain once the changes are done in DNS and you reach out to their support.

I hope this provides a bit more context and helps understand our reporting more.
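The alignment logic described in the reply above, as an added example that is not part of the original thread and is not dmarcian's or iContact's code. It shows why raw SPF and DKIM passes on a sender's own domain still give a DMARC fail, and how a signature with d= set to the From: domain changes the result. The domains are constructed placeholders, and the small inline suffix set is an assumption standing in for the full Public Suffix List.

```python
# Added illustration; all domains are constructed placeholders.
# Assumption: this tiny set stands in for the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Return the organizational domain: public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is not in the set

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same org domain), 's' = strict (exact match)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)

def dmarc_evaluate(from_domain, spf_domain, spf_result, dkim_sigs,
                   aspf="r", adkim="r"):
    """dkim_sigs is a list of (d= domain, raw result) tuples.
    DMARC passes if SPF or any DKIM signature both passes and aligns."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for d, res in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

def default_esp_case():
    # Sender uses its own domain for return-path and d=: raw pass, no alignment.
    return dmarc_evaluate("example.com", "bounce.esp.example.net", "pass",
                          [("esp.example.net", "pass")])

def custom_dkim_case():
    # Custom DKIM enabled: a second signature carries d= the From: domain.
    return dmarc_evaluate("example.com", "bounce.esp.example.net", "pass",
                          [("esp.example.net", "pass"), ("example.com", "pass")])

if __name__ == "__main__":
    print("default ESP setup:", default_esp_case())
    print("custom DKIM on:   ", custom_dkim_case())
```
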