DMARC Analyzer receives a lot of DMARC reports for its clients everyday. We sometimes receive DMARC reports from Yahoo which provides inconsistent data about DKIM signatures, we will explain what happens and how we fixed it.
What is DKIM?
DKIM is an email authentication technique. With DKIM a digital signature can be added to an email, by adding a DKIM signature the receiver of the email can verify that the email was sent by the expected server and was not modified. In order to properly setup and align DKIM, the d= value should be matching with the ‘From’ domain. For additional information on how to validate DKIM records please refer to our article about how to validate a DKIM record.
What is going wrong?
We sometimes see that Yahoo reports back data to us via the DMARC reports, which state that ‘DKIM breaking servers’ sent out DKIM aligned emails. Since ‘DKIM breaking servers’ can not send DKIM aligned emails, this causes confusion.
What inconsistent data does Yahoo provide?
What happens is that an email was signed with two DKIM signatures, however Yahoo only reported one back to us. If in this case Yahoo reports that an email was DKIM aligned, but reports only one DKIM signature back to us which was not aligned with the from domain. In the DMARC Analyzer tool you will than see a DKIM aligned email with a ‘not aligned’ DKIM signature within the ‘DKIM breaking servers’ section.
How does DMARC Analyzer resolves the issue?
We fixed the issue by automatically changing the incorrect data. When the DMARC Analyzer Suite receives incorrect reports from Yahoo, it will place the reported volume under the correct source and generate a ‘custom’ DKIM signature in order to show the email as aligned underneath the correct source. The DMARC Analyzer Suite will add a second DKIM signature which is aligned and show a ? as DKIM selector. In the screenshot below this is visualized, here we provide feedback on how a DKIM signature is generated to fix inconsistent data sent by Yahoo and that the DMARC Analyzer Suite added a ‘custom’ DKIM signature.