Custom Email Domain missing DKIM records

Well, glad it got fixed for your custom domain.

In contrary to what some here report, my emails from my custom domain are not DKIM signed, ever. I've verified the DNS records. Used online check tools to retrieve the settings on my custom domain, they're all OK. But no matter if I send an email from macOS Mail, iOS Mail or iCloud.com's webmail interface, none of these emails gets a DKIM header.

For what its worth, I just reached out to Apple Support on Twitter to get their attention. No DKIM signage is a deal breaker for me. I've set up DKIM, SPF and DMARC a long time ago and never had issues with my email not getting delivered, or getting backscatter as a result some spammer abusing my domain to spam others.

I ran a test using https://www.learndmarc.com/ and it passed DKIM, SPF and DMARC checks but with this proviso:

"It looks like your domain currently does not have a DMARC policy. We will continue with the validations and show you what the DMARC result would be if you would enable DMARC with p=reject (simulated)."

Can we sort this out or do we need Apple's involvement?

I've also noticed that the number of mails in folders on Mac Mail don't match the folders as seen in iCloud.com Mail. I exported the mail from my old email host to .mbox files, re-imported them as Apple mail and copied them to iCloud. There are 6 folders in total. 4 tally, but for the other 2 there are 2 or 3 more mails in iCloud.com than on the Mac client. BTW, the mail totals on the Mac client are correct, but iCloud is getting a handful of additional mails from somewhere. No amount of sync attempts make a difference. It doesn't inspire confidence.

I simply did:

Type: TXT

Hostname: _dmarc

Value: v=DMARC1; p=reject;

Waited a few and now https://www.learndmarc.com/ passes completely. Additionally I receive a higher score on https://www.mail-tester.com

The other flags are optional but without rua/ruf you won’t get notified of any failures.

the other thing that isn’t clear is whether I need to append the domain to _dmarc. My domain host doesn’t explicitly state that they add it so I presume that you do but it looks like a bit of trial and error will be needed.

OK, I tested a second domain and messages are not being signed as well. Maybe this is something Apple is rolling out and not covering all custom domains yet. In short, I have 1x custom domain working as expected and1x returning DNS record but no DKIM alignment.

Still not working on my .com domain when maIl is sent from the web app. It looks like some of you are noticing a signature in the header but just missing the accompanying records - my header doesn’t even have the signature. Looks like they still have ways to go….

Bummer. That's a Namecheap screenshot too. I posted just in case it was a simple typo or something.

What are you using to test for DKIM? I'll test mine with the same, just to make sure we're comparing apples to apples here.

I'm using the Mail App on my Mac. I'll try my phone again, but I'm pretty sure it worked there too. What does your MXToolbox report look like? I could have sworn it gave some helpful hints why it wasn't working when I was setting mine up. Although, I tested using a bunch of different tools, so maybe it was another one like learndmarc.com

Dkim Signature Error:
No DKIM-Signature header found - more info
Dkim Signature Error:
There must be at least one aligned DKIM-Signature for the message to be considered aligned. - more info

Mail.app latest versions Mac/iOS

Try learndmarc.com and see if it gives you any other explanation.

When I was setting mine up, it did take some time for the settings to propagate through the internet. And I know for sure the rua/ruf settings messed stuff up. One tool explained that the domain the rua/ruf email address is on would have to be "set up" to allow rua/ruf reports. I may be explaining that poorly, but that was the gist.

It sure seems like "the internet" can't see your CNAME record. If you recently added it, give it a few hours. If you didn't, maybe try deleting it and re-adding?

Seems so. Which seems.... odd. My .xyz domain consistently works for me on my Mac (Mac mini M1, Monterey 12.3). I actually want to move a .com to iCloud (it's currently on Google Legacy) so when Google finally lets us all know what they're doing for us Legacy users, I may be able to test a .com and see if it works better/consistently in all situations.

I haven't tried via iCloud.com but via the iOS and OSX mail clients everything is fine. I've used email test sites and I get a full pass and the DMARC reports that I receive say the same. I have a .com domain if it helps.

Been a while, but checking again now with https://www.learndmarc.com/ results in a PASS on DKIM now. (I made no changes in DKIM record myself, so guess Apple finally resolved it now)

SPF auth result is pass and SPF domain is in alignment. DMARC SPF result is pass.

DKIM auth result is pass and DKIM domain is in alignment. DMARC DKIM result is pass.

Because both the SPF and DKIM test passed and their domains are in alignment, the DMARC result is pass.

I think some folks here are sending from their @icloud address and reporting positive DKIM signing and not the actual custom domain. I've tried with two domains now and they're still not signed from either Web or Apps. DNS Records are 100% correct.

I can confirm that I'm using a *.com domain and I'm getting DMARC passes based on both SPF and DKIM passes, as validated using https://www.learndmarc.com. I moved my domain email to iCloud about 3 weeks ago, followed their instructions - nothing 'off piste', and it worked first time. I host my domain with Google domains. I get the daily DMARC reports and they confirm both the DKIM and SPF passes.

Is it worth deleting your domain email hosting from iCloud and starting afresh? I ask because I didn't try to move my domain to iCloud until folk started reporting in this thread that they were finally having success and I've had no problems at all.