Emails not passing DMARC verification

Hi folks, I seem to have a problem with how my email domain is set up as I am getting undeliverable emails with the message “Access denied, sending domain peasinapodfilms.com does not pass DMARC verification and has a DMARC policy of reject”

If I do a check on MXtoolbox with peasinapodfilms:email I get a ‘No DKIM record found’ message

I have a custom email domain via Apple iCloud set up as per the following settings: Set up an existing domain with iCloud Mail – Apple Support (UK)

They require the following entry for DKIM

and the following entry for SPF

  • SPF:
    • Record Type: TXT
    • Host: @
    • Value: “v=spf1 include:icloud.com ~all”
    • If you already have an SPF record, simply add “include:icloud.com” to the value before “~all”.

This is how I have things set up in deSEC

The full DMARC entry is:
“v=DMARC1; p=reject; rua=mailto:dmarc-reports@peasinapodfilms.com; ruf=mailto:dmarc-reports@peasinapodfilms.com; pct=100”

Can anyone suggest where I might be going wrong and why my emails are being rejected? I’m concerned I might get my IP and email blacklisted if I don’t get this resolved fairly quickly

There is no DKIM key at email._domainkey…, so MXtoolbox complains about that. You asked the wrong question: The selector is “sig1”, as in the subname “sig1._domainkey”, not “email”.


Thank you! Ok, so the DKIM appears to be fine after all!

In that case I am stumped! I think I’ve set everything up correctly but why am I getting my emails rejected for failed DMARC verification?

Hmm, the DKIM record is a “TXT” record, and lives at (subname) “mail._domainkey”.
DMARC lives in a “TXT” record at subname “_dmarc”

The spf1 record is in the correct spot.

Ok, so I added the DKIM as instructed by Apple. Are you suggesting I have placed the DMARC incorrectly?

The DMARC record must indeed be at _dmarc.peasinapodfilms.com. But your wildcard-CNAME directs _dmarc to where the record really is, so that does not seem to be your problem.
Moreover, if it wasn’t in the right place (or not there at all), your mail would not get rejected but rather accepted without validation.

IIRC your DMARC policy mandates that your email must validate with SPF or DKIM, i.e. either one is acceptable. If your emails get rejected, that would imply that both SPF and DKIM fail, which is surprising.

Are you really sending via Apple’s mail service? Or do you use some other service for sending?
Look at an email you sent and check if it has the DKIM-Signature header and if that really references that sig1 selector.
Maybe try this service for validation and debugging:

If you are in a hurry to get your email accepted, you could change the DMARC policy from reject to none. Your emails will still not validate, but they won’t be rejected for it either. That’s what people usually do during setup and testing 🙂
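The header check suggested in the post above, as an added example that is not part of the thread: it reads the DKIM-Signature header of a saved message, derives the DNS name where a receiver looks up the key (selector plus `_domainkey` plus signing domain), and tests whether the signing domain aligns with the From domain as DMARC requires. The sample message is constructed, its `bh=` and `b=` values are placeholders, and the two-label organizational domain is a simplifying assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; bh= and b= are placeholders, not real signatures.
SAMPLE = """\
From: Example Sender <hello@peasinapodfilms.com>
To: someone@example.org
Subject: test
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=peasinapodfilms.com;
\ts=sig1; h=from:to:subject; bh=PLACEHOLDER;
\tb=PLACEHOLDER

body
"""

def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # verifiers use the Public Suffix List (this is wrong for e.g. .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_message(raw):
    """Return the From domain and, per DKIM-Signature, key name and alignment."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(sig)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        results.append({
            "key_record": f"{s}._domainkey.{d}",  # TXT name the receiver queries
            "strict_aligned": d == from_domain,
            "relaxed_aligned": bool(d) and org_domain(d) == org_domain(from_domain),
        })
    return from_domain, results  # empty list: no signature, so DKIM cannot pass

if __name__ == "__main__":
    from_domain, results = check_message(SAMPLE)
    print("From domain:", from_domain)
    for r in results:
        print(r)
```

A signature that verifies but whose `d=` domain is not aligned with the From domain does not count as a DKIM pass for DMARC.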

Yes, I’m using a custom email domain via Apple’s iCloud service and all my emails are being sent either via the Apple mail client on my MacBook or my iPhone so I don’t see there being any variables that could cause a conflict.

Thank you for suggesting the DKIM validator to help troubleshoot this and also for the short term solution of changing the DMARC policy to get my mail delivered.

I will post back here with any updates, or once the issue is resolved