Custom Email Domain missing DKIM records

Hahaha! That’s good entertainment - thanks for spending the time. I run a software development business, have done for 25 years. Defects are triaged and and assigned a priority that determines how quickly they’re fixed - there are many factors that determine priority. Duplicate issues are the bane of develop teams because they occupy more development resource than consolidated issues.

Give them the link to this thread. It contains not only the link to the case that’s been raised, but most of the interested parties and details of all follow up comment.

As for IT advice, I’m good for now, thanks.

I've been keeping an eye on my CNAME record for DKIM and today there is a DKIM key at sig1.dkim.[domain].uk.at.icloudmailadmin.com! However, when sending from icloud.com, the message is not signed at all (previously it was signed by icloud.com). But this is definitely progress and it would seem that Apple are going to have this sorted pretty soon.

Hi guys - I'm holding off transferring my domain to iCloud until the DKIM issue has been resolved in entirety. Looking at the posts today it seems like there has been progress in terms of the DKIM record being created but messages aren't being signed correctly yet - is that a fair representation of where we're at?

As I say I don't have first hand experience of switching to iCloud yet and as such nothing to check on my side.

Hi guys - an observation to share.

I've been considering moving my Apple ID email domain to Apple to have things more consolidated, but there's a shortcoming. There used to be the option to specify a 'Notification Email Address' that's used notify you when there's a login from an unknown browser / device. Apple have done away with this and those notification emails can only be sent to your Apple ID email address. This means that if you moved your Apple ID email account to iCloud and your Apple ID got hacked then the notification of the suspicious login would be sent to your iCloud account and the hacker could potentially delete the email before you had a chance to see it.

FYI.

Well, glad it got fixed for your custom domain.

In contrary to what some here report, my emails from my custom domain are not DKIM signed, ever. I've verified the DNS records. Used online check tools to retrieve the settings on my custom domain, they're all OK. But no matter if I send an email from macOS Mail, iOS Mail or iCloud.com's webmail interface, none of these emails gets a DKIM header.

For what its worth, I just reached out to Apple Support on Twitter to get their attention. No DKIM signage is a deal breaker for me. I've set up DKIM, SPF and DMARC a long time ago and never had issues with my email not getting delivered, or getting backscatter as a result some spammer abusing my domain to spam others.

I ran a test using https://www.learndmarc.com/ and it passed DKIM, SPF and DMARC checks but with this proviso:

"It looks like your domain currently does not have a DMARC policy. We will continue with the validations and show you what the DMARC result would be if you would enable DMARC with p=reject (simulated)."

Can we sort this out or do we need Apple's involvement?

I've also noticed that the number of mails in folders on Mac Mail don't match the folders as seen in iCloud.com Mail. I exported the mail from my old email host to .mbox files, re-imported them as Apple mail and copied them to iCloud. There are 6 folders in total. 4 tally, but for the other 2 there are 2 or 3 more mails in iCloud.com than on the Mac client. BTW, the mail totals on the Mac client are correct, but iCloud is getting a handful of additional mails from somewhere. No amount of sync attempts make a difference. It doesn't inspire confidence.

The other flags are optional but without rua/ruf you won’t get notified of any failures.

the other thing that isn’t clear is whether I need to append the domain to _dmarc. My domain host doesn’t explicitly state that they add it so I presume that you do but it looks like a bit of trial and error will be needed.

Still not working on my .com domain when maIl is sent from the web app. It looks like some of you are noticing a signature in the header but just missing the accompanying records - my header doesn’t even have the signature. Looks like they still have ways to go….

Bummer. That's a Namecheap screenshot too. I posted just in case it was a simple typo or something.

What are you using to test for DKIM? I'll test mine with the same, just to make sure we're comparing apples to apples here.

I'm using the Mail App on my Mac. I'll try my phone again, but I'm pretty sure it worked there too. What does your MXToolbox report look like? I could have sworn it gave some helpful hints why it wasn't working when I was setting mine up. Although, I tested using a bunch of different tools, so maybe it was another one like learndmarc.com

Dkim Signature Error:
No DKIM-Signature header found - more info
Dkim Signature Error:
There must be at least one aligned DKIM-Signature for the message to be considered aligned. - more info

Mail.app latest versions Mac/iOS

Seems so. Which seems.... odd. My .xyz domain consistently works for me on my Mac (Mac mini M1, Monterey 12.3). I actually want to move a .com to iCloud (it's currently on Google Legacy) so when Google finally lets us all know what they're doing for us Legacy users, I may be able to test a .com and see if it works better/consistently in all situations.

Interestingly I tested my .com, which is hosted at Name.com with MX records pointing to Google (I'm a Google Suites Legacy user), and sending from my main admin account pretty much failed. Both sending from mail.google.com and the Gmail app on my iPhone:

However using my iCloud.com account worked fine both in Mail app and at iCloud.com/mail:

So I'm not so sure GSuite is really any better.

No, I haven't enabled Private Relay or Hide My Email and I'm not using iCloud drive (it is enabled but no folders / files are selected) for the reason that your suggesting, i.e. one thing at a time to help keep any issue resolution as simple as possible.

I just retested mine. I sent from my .xyz domain and it fully passes spf/dkim/dmarc from the Mail app on my Mac and from my iPhone.

However, when I use https://www.icloud.com/mail/ the DKIM signature is not included, but the DMARC still passes because the SPF passed.

I do not have Private Relay enabled, but I do have Hide My Email enabled (though not using it for this test - I chose my XXXX@mydomain.xyz as the "send from" on each test).