iContact SPF/DKIM alignment

jhob · July 29, 2020, 8:03am

We have a domain that sends via iContact. Got the suggested SPF and DKIM records set but dmarcian reports 0% alignment (screenshot).

I’ve checked DKIM validation with the Wordtothewise validation tool and it passed for both keys (icontact.k1 and icontact.k2).

Here’s a sample of the failures from the detail viewer - screenshot

We’d like to publish a stronger DMARC policy but I need to resolve this issue first and am stuck with where to turn next.

Any ideas?

jhob · July 29, 2020, 8:04am

Here’s the wordtothewise validation tool I used: https://tools.wordtothewise.com/authentication

Would only let me post 2 links in original post.

beekeeper · July 30, 2020, 6:17pm

Hi John,

Have you looked at https://kb.icontact.com/hc/en-us/articles/360025667951-DKIM-SPF-and-DMARC-Information ?

Specifically did you carry out step 5?

Contact iContact support; you must contact Support, or your Account Advisor, and request that we turn on custom DKIM for your account. Login to your account, and reach us by phone, chat, or email.

jhob · July 31, 2020, 7:37am

Thanks - I had read that article, but totally missed reading that line! Will get on it.

Asher · July 31, 2020, 5:46pm

Hi John,

To add to beekeeper’s response, the compliance percentage displayed in our dmarcian portal is based on successful DMARC compliance, meaning the individual DKIM and SPF checks are passing, but the identifiers are also in alignment.

The identifiers (the domains) alignment is where the domains used for SPF checks (return-path domain) and the DKIM signing domain (d= tag, also the domain hosting the public key) are aligned with the domain found in the From: header. Aligned means they are the same, or of the same org domain, depending on if you are using relaxed or strict alignment.

Since by default iContact uses their own domain for both the return-path address and DKIM signing, this means although their domain is correctly configured to pass a SPF and DKIM check (SPF and DKIM raw column in the detail viewer), the domain is not aligned with yours used in the From: header. The configuration steps provided by beekeeper will change the DKIM value to your domain once the changes are done in DNS and you reach out to their support.

I hope this provides a bit more context and helps understand our reporting more.

Topic		Replies	Views
Hubspot not passing SPF or DKIM aligment? Technical Help	7	2001	December 11, 2020
Dmarcian report - Dmarc compliance 100 % but "fail-unaligned" Technical Help	3	1304	June 29, 2023
How can SPF/DKIM pass, and yet DMARC fail? Technical Help	0	925	May 30, 2019
FAQ: DKIM/SPF Resources FAQ	0	1834	May 24, 2019
Help to understand threat categorization Technical Help	1	710	July 27, 2020

iContact SPF/DKIM alignment

Related Topics