Custom Email Domain missing DKIM records

Hi there. I have a support ticket open for the missing DKIM records with Apple since end of October. Not so much progress on the ticket and it was not easy to get the DKIM subject explained to support. Anyway I have had several contacts now and shared a lot of information and evidence with support and currently it sits with engineering.

A little more help if you report...

Like I said, they're gonna make you answer a bunch of irrelevant questions.

Start off by stating something simple like:

Hi! I just wanted it documented that I too am one of many experiencing the problem where my Custom Domain isn't sending a DKIM signature when sending via Mail app (either on Mac or iOS). The DKIM signature *is* there, however, when utilizing iCloud Mail on iCloud.com.

There are at least 2 Case IDs reporting the same issue: 101638785504 and 101560160207

Here is the Apple forum with a bunch of others with the same issue:

Custom Email Domain missing DKIM records - Apple Community

They won't simply let you give a Case ID and ask for an update. They just don't work that way. You have to log it as "I'm having this problem too" officially (not just here on this thread).

I then ended up sending them screenshots of the source on an email sent from Mail app and iCloud.com so they could see the difference. I also sent a screenshot of my registrar's DNS records properly set. That really should have been enough, but she continued to ask multiple other questions like VPN, ISP, Wifi or Ethernet, email addresses of the custom domains (even though it happens on the entire custom domain), serial number, software version, etc, etc.

Once we got to questions like ISP, I kind of stopped it because it was taking a really long time. Supposedly she logged it, we'll see....

Hi Sebby - I found this:

Postmaster information for iCloud Mail – Apple Support (UK)

Of specific interest here: "All iCloud Mail domains also have a DMARC ("p=quarantine") policy*, which indicates to a mail provider that an email from an iCloud email address that fails SPF and DKIM email authentication should go to the recipient's Junk folder. *The policy took effect on 2 July 2018."

This was published in July 2020 which would suggest that it hasn't been implemented for custom domains yet, but would be in future, perhaps.

If the users are supposed to setup the DMARC policy then why do Apple make no mention of it in the custom domain setup instructions?

In terms of setting it up I found this page:

https://dmarcadvisor.com/dmarc-record-wizard/?gclid=Cj0KCQiAmpyRBhC-ARIsABs2EAobZk7kVbb5PMBcNlStTuyPOVm72N5y6BoKegWjVO7P-He-0oRruGgaAnEKEALw_wcB

And inputting some sensible settings I'm looking at:

DNS:

Hostname: _dmarc

Resource Type: TXT

Value: v=DMARC1; p=quarantine; rua=mailto:me@example.com; ruf=mailto:me@example.com; fo=1;

Does that look about right?

If Apple subsequently implement their DMARC policy for custom domains will that take precedence over my DNS settings, do you think?

Ok this is interesting... I just tested from https://www.icloud.com/mail/

It did not work properly...

Also tried using learndmarc:

So what this tells me, since it all works fine from iPhone mail and Mac mail apps, my DNS records are set up properly.

iCloud.com/mail is not adding the DKIM signature headers. Which seems odd since I'm pretty sure they were being added on Mar 8 as I tested all 3 situations then (Mac Mail, iPhone mail, iCloud.com/Mail).

I don't see the dkim record for my custom domain yet (as per documentation). Can anyone else confirm the observation that @namworld made there?

namworld wrote:

UPDATE:

This thing seems to be working now. I think they sorted it out.

Looks like I'm a little late to the party. Just verified that there still remain 2 problems when setting up iCloud+ custom domains:

• DKIM signature header is still missing when sending from the iOS Mail App.
• The DKIM Signing Domain and the From Domain are not aligned when sending from a browser.

Has anyone with tickets seen updates to these? I'm going to create my own ticket tomorrow and will update if I get any new information.

C'mon Apple.... Be better than this.

Interestingly I tested my .com, which is hosted at Name.com with MX records pointing to Google (I'm a Google Suites Legacy user), and sending from my main admin account pretty much failed. Both sending from mail.google.com and the Gmail app on my iPhone:

However using my iCloud.com account worked fine both in Mail app and at iCloud.com/mail:

So I'm not so sure GSuite is really any better.

I just retested mine. I sent from my .xyz domain and it fully passes spf/dkim/dmarc from the Mail app on my Mac and from my iPhone.

However, when I use https://www.icloud.com/mail/ the DKIM signature is not included, but the DMARC still passes because the SPF passed.

I do not have Private Relay enabled, but I do have Hide My Email enabled (though not using it for this test - I chose my XXXX@mydomain.xyz as the "send from" on each test).

I'm having the same problem. I also have tickets in, and engineering seems unable to answer the problem. It feels like Apple rolled this service out without preparing their support infrastructure to handle the associated challenges.

I have the same problem. Every time I called the support about this I got the answer that this is my problem and not Apple's and that they can do nothing about it. The support agents had clearly no understanding of the problem at all. I have a ticket open and never got an answer back.

I'm using AWS Route53.

Any update on this? I have a new custom domain for a business and I need an email host. Was planning to use new iCloud service but all this talk around the web of DKIM record problems is concerning.

Have your issues been addressed?

Any headway?

Should I try it?

No update. I’m contacting support every 2 weeks. The ticket is still open. I have my hopes set on the new releases of iOS and Monterey. Hopefully with those releases they also have an iCloud update. Let’s see next week.

Ok thanks for the update. If/when they finally fix it I’d be thrilled if you updated us all here.

I think I am going to trust apple to get it corrected and go with icloud for the hosting (for now). Once the DKIM records issue is corrected would you feel good about using icloud to host a very small business email? I understand the limitations with users/family sharing but I am most concerned about messages being delivered properly and spam filtering…

Anyone else care to chime in?

Despite the DKIM issue I have found the email sending and delivery very reliable. Especially be able to use your custom domain in the iCloud webmail I find a big plus. For a small business I would go for it.

Ok, so I had a frustrating on-line chat session. The support operative said that she couldn't contact the Apple engineers and that I have to speak to them on the phone. I asked if she could just get them to update this thread and she doesn't possess the ability to communicate with them.