iCloud Mail not DKIM-signing my custom domain (SPF/DMARC pass, DKIM always fails)

Question

Level 1

4 points

iCloud Mail not DKIM-signing my custom domain (SPF/DMARC pass, DKIM always fails)

Hi everyone,

I’m trying to diagnose an issue with iCloud Mail + a custom domain, and I’m hoping someone in the community has run into this before.

I am using a custom domain with iCloud Mail (the feature Apple provides in iCloud settings). All DNS records are correctly configured:

• sig1._domainkey → CNAME to iCloud

• sig2._domainkey → CNAME to iCloud

• SPF includes icloud.com

• DMARC is set properly

SPF passes, DMARC passes, but DKIM always shows FAIL when sending emails from my custom domain through iCloud Mail.

The Mail app shows no errors.

Emails send normally, but Gmail and every authentication tool report:

DKIM: FAIL (no valid signature found)

This means iCloud’s outgoing mail servers are not adding a DKIM signature for my domain, even though the DNS is set correctly.

I have contacted Apple Support several times (chat + two phone escalations), but I’m receiving conflicting information. Some advisors say Apple supports custom domains (as documented), while others say they do not support them at all. So far, the root cause has not been identified.

Before I continue chasing it through support again, I’d like to know:

Has anyone here had an issue where iCloud Mail stops DKIM-signing a custom domain?

And if so, how was it resolved?

Is there any known limitation or delay in DKIM propagation on iCloud’s side?

One extra detail:

I’m using YubiKeys for 2FA on my Apple ID, in case that might influence anything (though I assume it shouldn’t affect DKIM signing on Apple’s mail servers).

Any technical insight or experience would be greatly appreciated.

Thanks in advance.

Mac Studio, macOS 26.1

Posted on Dec 1, 2025 12:16 AM

Reply

Answer 1

cruarczur108 Author

Level 1

4 points

Dec 1, 2025 12:18 AM in response to cruarczur108

Delivered-To: user@gmail.com

Received: by 2002:a05:7110:xxxx with SMTP id xxxx;

Sun, 30 Nov 2025 20:59:42 -0800 (PST)

X-Google-Smtp-Source: REDACTED

X-Received: by 2002:a05:7300:xxxx with SMTP id xxxx;

Sun, 30 Nov 2025 20:59:42 -0800 (PST)

ARC-Seal: i=1; a=rsa-sha256; t=1764565182; cv=none;

d=google.com; s=arc-20240605;

b=REDACTED

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;

d=google.com; s=arc-20240605;

h=to:date:message-id:subject:mime-version:from

:mail-alias-created-date:dkim-signature;

bh=REDACTED;

fh=REDACTED;

b=REDACTED

ARC-Authentication-Results: i=1; mx.google.com;

dkim=permerror (no key for signature)

header.i=@example.com

header.s=sig1

header.b="REDACTED";

spf=pass (google.com: domain of user@example.com

designates 57.xxx.xx.xx as permitted sender)

dmarc=pass (p=NONE sp=NONE) header.from=example.com

Return-Path: <user@example.com>

Received: from outbound.ms.icloud.com (...)

by mx.google.com with ESMTPS id REDACTED

for <user@gmail.com>

Sun, 30 Nov 2025 20:59:41 -0800 (PST)

Received-SPF: pass (google.com: domain of user@example.com

designates 57.xxx.xx.xx as permitted sender)

Authentication-Results: mx.google.com;

dkim=permerror (no key for signature)

header.i=@example.com

header.s=sig1

spf=pass

dmarc=pass

Received: from outbound.ms.icloud.com (unknown [127.0.0.2])

by p00-icloudmta-asmtp... with ESMTPS id REDACTED

Mon, 1 Dec 2025 04:59:40 +0000 (UTC)

Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=example.com;

s=sig1;

bh=REDACTED;

h=From:Content-Type:Mime-Version:Subject:Message-Id:Date:To:x-icloud-hme;

b=REDACTED

Received: from smtpclient.apple (unknown [17.xx.xx.xx])

by p00-icloudmta-asmtp... with ESMTPSA id REDACTED

From: user@example.com

To: user2@example.com

Subject: Example Subject

Date: Mon, 1 Dec 2025 06:59:27 +0200

X-Mailer: Apple Mail

-- message body redacted --

Reply