Sending via SMTP to Amazon SES -> missing DKIM signature for FROM domain, thus causing domain DKIM misalignment = failed DMARC

Your software
My Mautic version is: 4.3.1
My PHP version is: 7.4.28
My Database type and version is: MariaDB 10.5.15

Your problem
Hi folks, I’m in a bit of a pickle.

So we use a sending setup where we send email through our own SMTP server/app to Amazon SES, which then distributes emails to inboxes. This is to allow for maximum possible sending speeds without queuing up on Mautic side. Possibly other reasons - this is how my IT admins want it, not sure of all the reasons, alas this is the setup.

Since the new DMARC Gmail rules, our Mautic emails are ending up in spam for Google users. By investigating, we figured out that the problem is that emails sent from Mautic are failing DMARC because of a missing DKIM signature for our send/envelope domain, only the signature for amazonses.com is present in headers, causing domain misalignment, and thus the DMARC fail.

The catch is that if we send an email from the same SMTP server (but directly from server console, not via Mautic) to SES, it’s then delivered with correct headers = including a second DKIM sig for our domain along with sig for amazonses.com = DMARC passes = email is successfully inboxed to Gmail.

It’s clear the cause is somewhere in Mautic, or on the way from Mautic to our SMTP server.

What gives? Has anyone experienced anything like this before? Please share your thoughts. Thank you!

DMARC, DKIM and SPF are all DNS related.

DMARC: DNS entry
SPF: DNS entry
DKIM: DNS entry + key signing at the sending server (undisclosed in your post)

I would first start by investigating the headers received by Gmail along with those sent to the relay/smarthost.

It could be a case of double DKIM signatures where the first one failed after the second tampered with the email.

If so, the solution would be to disable or strip the DKIM signature from the original email.

We did of course investigate headers, that’s how I know that emails from Mautic using the SMTP send method to SES come with incorrect DKIM signature, and emails directly sent from the SMTP sending server console to SES have the correct DKIM signature.

Mautic doesn’t sign emails in any way that I’m aware of.

DKIM is 100% outside of a PHP script let alone a web server.

What it can do that could break your deliveries is sending bad headers.

It’s either that I misunderstood what you are reporting - or - there was a problem in your investigation/understanding of the results.

You said that you tried sending through the CLI. Was it in respect of what Mautic is sending? (probably not if you received different results)

Side note;
Misalignment doesn’t result in a fail

All emails that we are sending are misaligned since we aren’t using the same domains across the board to sign and deliver emails.

Yet everything is green (according to Gmail)

With that said;
I would advise to take a step back and stop focusing on alignment. You’re losing sight of the bigger picture.

I don’t fully understand the topic so it may be confusing I admit :smiley:

That Mautic can’t mess with DKIM signatures is what I learned as well in the past 2 days.

My problem isn’t just specifically misalignment, but that we fail DMARC because of that misalignment (or more like because of difference between sender envelope, which uses our company domain, and the sender domain being identified in header as amazonses due to DKIM being present only for amazonses).

Strangely, we today found out that this was happening only on one specific email address (noreply@), other addresses pass DMARC successfully and have correct DKIMs.

So in other words, just confirmed it has likely nothing to do with Mautic specifically in the end :slight_smile:

Thanks for the direction.

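An added example, not part of any post in this thread: a Python check for the DKIM identifier alignment discussed above. It lists the `d=` domain of every `DKIM-Signature` header on a message and reports which of them align with the `From` domain. The sample headers and `example.com` are constructed, the organizational-domain rule is a simplification (last two labels instead of the Public Suffix List), and only alignment is checked, not whether a signature verifies.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers; example.com stands in for the sender's own domain.
ONLY_SES = (
    "From: No Reply <noreply@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; s=sel1;\n"
    "\td=amazonses.com; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "Subject: test\n\nbody\n"
)
BOTH = (
    "From: News <news@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; s=sel2; d=mail.example.com;\n"
    "\th=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DKIM-Signature: v=1; a=rsa-sha256; s=sel1; d=amazonses.com;\n"
    "\th=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "Subject: test\n\nbody\n"
)

def org_domain(domain):
    # Simplification (assumption): treat the last two labels as the
    # organizational domain. Real DMARC evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_domains(msg):
    """Return the d= value of every DKIM-Signature header, in header order."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        unfolded = re.sub(r"\s+", "", str(value))  # undo header folding
        tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
        if "d" in tags:
            found.append(tags["d"].lower())
    return found

def dkim_alignment(raw, strict=False):
    """Compare the From domain with each signing domain (relaxed by default)."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = dkim_domains(msg)
    if strict:
        aligned = [d for d in signers if d == from_domain]
    else:
        aligned = [d for d in signers if org_domain(d) == org_domain(from_domain)]
    return {"from_domain": from_domain, "signers": signers, "aligned": aligned}

if __name__ == "__main__":
    for name, raw in (("only SES signature", ONLY_SES), ("both signatures", BOTH)):
        print(name, dkim_alignment(raw))
```

An empty `aligned` list means no signing domain matches the `From` domain, so DMARC cannot pass on DKIM for that message and would depend on SPF alignment instead.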