Custom Email Domain missing DKIM records

I have set up a couple of domains for iCloud's custom email domain feature, following the instructions found at https://support.apple.com/en-gb/HT212524. This includes setting up a CNAME record for the domain to point at the canonical DKIM record controlled by Apple. E.g. a custom domain of 'foobar.uk.' should have a CNAME record 'sig1._domainkey.foobar.uk.' pointing to 'sig1.dkim.foobar.uk.at.icloudmailadmin.com.'


From the support document for a domain 'example.com':

CNAME: 

host: sig1._domainkey

points to: sig1.dkim.[example.com].at.icloudmailadmin.com.

TTL: 3600


Unfortunately I cannot retrieve any records from the target (canonical) address, e.g.:


dig sig1.dkim.[example.com].at.icloudmailadmin.com. TXT

dig sig1.dkim.foobar.uk.at.icloudmailadmin.com. TXT


Clearly 'foobar.uk' is not my real domain, but I have 2 domains set up with Apple and neither has a valid DKIM record.


Anyone else?

Posted on Oct 6, 2021 2:32 AM

Question marked as Top-ranking reply

Posted on Mar 4, 2022 7:52 AM

I just sent a test email from Mac Mail app using my custom domain to a Gmail account.

The summary at the top of the "show original" now has this entry:


SPF:PASS with IP 17.58.63.177
DKIM: 'PASS' with domain mydomain.tld 


Whereas a few weeks ago, only the SPF line was there.


Additionally, there's also the "DKIM-Signature" line further down.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.tld; s=sig1; t={redacted}; bh={redacted}; h=From:Content-Type:Mime-

This wasn't there a few weeks ago either.


When you send from an iCloud address, though, you get this:

SPF:PASS with IP 17.58.63.184 
DKIM:'PASS' with domain icloud.com
DMARC:'PASS'


So things are looking better for sure.

Feb 24, 2022 11:36 AM in response to l.fromgeneva

A little more help if you report...

Like I said, they're gonna make you answer a bunch of irrelevant questions.

Start off by stating something simple like:


Hi! I just wanted it documented that I too am one of many experiencing the problem where my Custom Domain isn't sending a DKIM signature when sending via Mail app (either on Mac or iOS). The DKIM signature *is* there, however, when utilizing iCloud Mail on iCloud.com.
There are at least 2 Case IDs reporting the same issue: 101638785504 and 101560160207
Here is the Apple forum with a bunch of others with the same issue:
Custom Email Domain missing DKIM records - Apple Community

They won't simply let you give a Case ID and ask for an update. They just don't work that way. You have to log it as "I'm having this problem too" officially (not just here on this thread).


I then ended up sending them screenshots of the source on an email sent from Mail app and iCloud.com so they could see the difference. I also sent a screenshot of my registrar's DNS records properly set. That really should have been enough, but she continued to ask multiple other questions like VPN, ISP, Wifi or Ethernet, email addresses of the custom domains (even though it happens on the entire custom domain), serial number, software version, etc, etc.

Once we got to questions like ISP, I kind of stopped it because it was taking a really long time. Supposedly she logged it, we'll see....

Apr 8, 2022 8:53 AM in response to th-m

I can confirm that I'm using a *.com domain and I'm getting DMARC passes based on both SPF and DKIM passes, as validated using https://www.learndmarc.com. I moved my domain email to iCloud about 3 weeks ago, followed their instructions - nothing 'off piste', and it worked first time. I host my domain with Google domains. I get the daily DMARC reports and they confirm both the DKIM and SPF passes.


Is it worth deleting your domain email hosting from iCloud and starting afresh? I ask because I didn't try to move my domain to iCloud until folk started reporting in this thread that they were finally having success and I've had no problems at all.

Jan 3, 2022 3:35 PM in response to KevinD-B

Looks like I'm a little late to the party. Just verified that there still remain 2 problems when setting up iCloud+ custom domains:

  • DKIM signature header is still missing when sending from the iOS Mail App.
  • The DKIM Signing Domain and the From Domain are not aligned when sending from a browser.


Has anyone with tickets seen updates to these? I'm going to create my own ticket tomorrow and will update if I get any new information.


C'mon Apple.... Be better than this.

Feb 24, 2022 5:27 AM in response to KevinD-B

Also still having same issues.


Testing using https://www.learndmarc.com/


When sending from iPhone or Outlook :


>> Running DKIM

------------------

I see you haven't included a DKIM signature. Therefore, I am unable to authenticate the email and determine if the message was altered during transit. The Auth Result is none



When sending mail from icloud.com :


DKIM-Signature: d=icloud.com s=1a1hai

>> Running DKIM

------------------

I see you've included a DKIM signature. I've retrieved the public key from 1a1hai._domainkey.icloud.com

The signature passed validation. The Auth Result is pass.


But in this case the warning:

DKIM domain does not align with RFC5322.From domain (icloud.com != mydomain.com ). Alignment mode: relaxed.



--


So, still not solved.

(i.e. when using Google Workspace on another domain, I get all PASS. But Google allows you to create your own DKIM keypair for your domain, so you actually have a public key in your DKIM TXT record instead of CNAME pointing to icloud )
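The alignment warning in the post above comes down to comparing the `d=` tag of the signature with the From domain. The following is an added example, not code from the thread or from Apple: it parses a DKIM-Signature tag list, derives the DNS name a verifier queries for the public key, and applies relaxed or strict alignment. The headers are constructed from the ones quoted in the thread, and `SUFFIXES` is an assumed stand-in for the Public Suffix List.

```python
# Added example; headers below are constructed from the ones quoted in the thread.
SUFFIXES = {"com", "tld", "uk", "co.uk"}  # assumption: tiny stand-in for the Public Suffix List

def parse_tags(header):
    """Split a DKIM-Signature tag=value list (RFC 6376) into a dict."""
    if header.lower().startswith("dkim-signature:"):
        header = header.split(":", 1)[1]
    tags = {}
    for part in header.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # remove folding whitespace
    return tags

def org_domain(domain):
    """Organizational domain: longest listed suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels

def icloud_cname(domain):
    """CNAME owner and target in the pattern the Apple support document gives."""
    domain = domain.lower().rstrip(".")
    return f"sig1._domainkey.{domain}.", f"sig1.dkim.{domain}.at.icloudmailadmin.com."

def dkim_report(header, from_domain, mode="relaxed"):
    """Name queried for the public key, and whether d= aligns with the From domain."""
    tags = parse_tags(header)
    d, s = tags["d"].lower(), tags["s"]
    same = d == from_domain.lower()
    aligned = same if mode == "strict" else org_domain(d) == org_domain(from_domain)
    return {"key_query": f"{s}._domainkey.{d}", "aligned": aligned}

CUSTOM = "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.tld; s=sig1"
ICLOUD = "DKIM-Signature: d=icloud.com; s=1a1hai"

if __name__ == "__main__":
    print(dkim_report(CUSTOM, "mydomain.tld"))   # signed by the custom domain
    print(dkim_report(ICLOUD, "mydomain.com"))   # valid signature, wrong domain
    print(icloud_cname("foobar.uk"))
```

A signature with `d=icloud.com` can validate and still leave DMARC depending on SPF alone, because only an aligned signature counts toward the DMARC DKIM result.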

Feb 24, 2022 11:00 AM in response to Nick_WGD

This is incorrect @Nick_WGD. Case IDs are personal. You can't even look it up unless you know Case ID AND Last Name. I've worked with Apple support many times. It is always best to raise duplicate issues via support. I have been flat out told that by support agents. The more who report, the higher priority it gets. In other words, the squeaky wheel gets the oil.


I've just reported this issue too. Use the Get Support Link above. Be prepared to answer a lot of ridiculous questions. (i.e. "does this happen on wifi or ethernet?") They really aren't great when it comes to "hey I have this issue too".

Apr 7, 2022 12:56 AM in response to sverzijl

Been a while, but checking again now with https://www.learndmarc.com/ results in a PASS on DKIM now. (I made no changes in DKIM record myself, so guess Apple finally resolved it now)



SPF auth result is pass and SPF domain is in alignment. DMARC SPF result is pass.

DKIM auth result is pass and DKIM domain is in alignment. DMARC DKIM result is pass.


Because both the SPF and DKIM test passed and their domains are in alignment, the DMARC result is pass.

Mar 8, 2022 3:33 PM in response to Sebby*

Hi Sebby - I found this:


Postmaster information for iCloud Mail – Apple Support (UK)


Of specific interest here: "All iCloud Mail domains also have a DMARC ("p=quarantine") policy*, which indicates to a mail provider that an email from an iCloud email address that fails SPF and DKIM email authentication should go to the recipient's Junk folder. *The policy took effect on 2 July 2018."


This was published in July 2020 which would suggest that it hasn't been implemented for custom domains yet, but would be in future, perhaps.


If the users are supposed to set up the DMARC policy then why do Apple make no mention of it in the custom domain setup instructions?


In terms of setting it up I found this page:


https://dmarcadvisor.com/dmarc-record-wizard/?gclid=Cj0KCQiAmpyRBhC-ARIsABs2EAobZk7kVbb5PMBcNlStTuyPOVm72N5y6BoKegWjVO7P-He-0oRruGgaAnEKEALw_wcB


And inputting some sensible settings I'm looking at:


DNS:

Hostname: _dmarc

Resource Type: TXT

Value: v=DMARC1; p=quarantine; rua=mailto:me@example.com; ruf=mailto:me@example.com; fo=1;


Does that look about right?


If Apple subsequently implement their DMARC policy for custom domains will that take precedence over my DNS settings, do you think?

Mar 24, 2022 10:17 AM in response to th-m

Try learndmarc.com and see if it gives you any other explanation.

When I was setting mine up, it did take some time for the settings to propagate through the internet. And I know for sure the rua/ruf settings messed stuff up. One tool explained that the domain the rua/ruf email address is on would have to be "set up" to allow rua/ruf reports. I may be explaining that poorly, but that was the gist.


It sure seems like "the internet" can't see your CNAME record. If you recently added it, give it a few hours. If you didn't, maybe try deleting it and re-adding?
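The rua/ruf "set up" requirement mentioned above, and the DMARC record proposed in the Mar 8 post, correspond to the external destination check in RFC 7489 section 7.1: a report address on a different domain has to publish a TXT record of `v=DMARC1` at `<policy domain>._report._dmarc.<report host>`. This added example (not from the thread) parses a DMARC record and lists the names that would need that record. It assumes `mydomain.tld` as the policy domain and simplifies the RFC's organizational-domain comparison to "same domain or a subdomain of it".

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def report_authorizations(policy_domain, record):
    """DNS names that must publish 'v=DMARC1' for external rua/ruf destinations."""
    tags = parse_dmarc(record)
    policy_domain = policy_domain.lower().rstrip(".")
    needed = []
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if not uri.lower().startswith("mailto:"):
                continue
            address = uri[len("mailto:"):].split("!")[0]  # drop optional size limit
            host = address.rpartition("@")[2].lower()
            # Simplification (assumption): internal means the policy domain
            # itself or one of its subdomains.
            internal = host == policy_domain or host.endswith("." + policy_domain)
            name = f"{policy_domain}._report._dmarc.{host}"
            if not internal and name not in needed:
                needed.append(name)
    return needed

# Record value as proposed in the thread; the policy domain is a placeholder.
RECORD = ("v=DMARC1; p=quarantine; rua=mailto:me@example.com; "
          "ruf=mailto:me@example.com; fo=1;")

if __name__ == "__main__":
    for name in report_authorizations("mydomain.tld", RECORD):
        print("needs TXT 'v=DMARC1' at", name)
```

Receivers that perform this check ignore a report destination whose authorization record is missing, so no reports arrive at that address.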

Apr 20, 2022 3:41 AM in response to th-m

Since I have this exact problem I am running some tests, and yes, for me it depends on which server handles the mail.

It does not depend on the device used to send the mail, as I use iPhone 13, iPad 8, MacBook Air M1, iPad 4 and iCloud.com, all of them with various results.


In my case, when the mail is handled by a 17.57.x.x or a 17.58.23.x server, my mails are never DKIM signed but are always signed when handled by a 17.58.63.x server.

And I tested with 3 different custom domains that I have on my iCloud account.
