dkim soft fail
Last week I did some research on email deliverability:
How dmarc works with Google Mail and Office 365 in 2020
These results made me think that neither Google Mail nor Office 365
considers it important whether the DKIM signing domain is different from the sender;
as long as the message is authenticated with SPF, it will reach the inbox:
| Scenario | Google Mail | Office 365 |
|---|---|---|
| spf Pass - dkim diff - dmarc reject | inbox | inbox |
| spf Fail - dkim diff - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
| spf SoftFail - dkim diff - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
| spf Neutral - dkim diff - dmarc reject | inbox | inbox |
| spf none - dkim diff - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
I don’t know why I was convinced that both spf and dkim should refer to the same domain.
Searching on the internet I’ve found this on “Domain alignment”:
DMARC requires that at least one of the domains is authenticated by SPF or DKIM to "align with" the domain found in the "from" header address
In fact, SpamStop almost always gave the warning “dkim-diff”
to the messages coming from Google Mail and Office 365.
Now it has been fixed; I’ve called this behaviour “dkim soft fail”.
SpamStop dkim check - when the message has been signed using a different domain,
the “dkim-diff” alert will NOT be displayed if the sender (“from”) passes the SPF check.
The tester has also been updated: dkim check online
When this particular case happens, the result will show:
|~OK| spf-pass |~OK| dkim-diff |~OK|
Having both SPF and DKIM aligned with the from domain makes even more sense,
since the SPF check could be broken by email forwarding,
while the DKIM signature remains unchanged, tied to the message.
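
The alignment rule quoted above and the forwarding case from the last paragraph, as an added example (not SpamStop's code or the tester's): it reads a constructed Authentication-Results header and derives DMARC alignment. The domains, the naive two-label organizational-domain rule and the `alert` field that models the "dkim soft fail" are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: naive "last two labels" organizational domain; a real
    # DMARC evaluator consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def evaluate(raw_message):
    """Derive DMARC alignment from a receiver's Authentication-Results header."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    results = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=([^\s;]+)", results)
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([^\s;]+)", results)

    def aligned(domain):
        # smtp.mailfrom may be a full address; compare domains only.
        return org_domain(domain.rpartition("@")[2]) == org_domain(from_dom)

    spf_aligned = bool(spf) and spf.group(1) == "pass" and aligned(spf.group(2))
    signers = [d for result, d in dkim if result == "pass"]
    dkim_aligned = any(aligned(d) for d in signers)
    dkim_diff = bool(signers) and not dkim_aligned
    return {
        "dmarc": "pass" if spf_aligned or dkim_aligned else "fail",
        "dkim_diff": dkim_diff,
        # Models the page's "dkim soft fail": a foreign signature is only
        # alerted on when SPF does not vouch for the From domain.
        "alert": dkim_diff and not spf_aligned,
    }

def sample(spf_result, signing_domain):
    # Constructed message; all domains are reserved example names.
    return (
        "From: Alice <alice@example.org>\n"
        "Authentication-Results: mx.receiver.example;\n"
        f" spf={spf_result} smtp.mailfrom=alice@example.org;\n"
        f" dkim=pass header.d={signing_domain}\n"
        "Subject: test\n\nbody\n"
    )

if __name__ == "__main__":
    print("direct, foreign signer:   ", evaluate(sample("pass", "mailhost.example")))
    print("forwarded, foreign signer:", evaluate(sample("fail", "mailhost.example")))
    print("forwarded, aligned signer:", evaluate(sample("fail", "mail.example.org")))
```

The second case is the forwarding failure: once SPF no longer passes, a signature from a different domain leaves nothing aligned and DMARC fails, while the third case passes on the aligned DKIM signature alone.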