7
Oct 15

Meaning of "No DMARC reports received yet which confirm DKIM signing"

Users sometimes ask What does "No DMARC reports received yet which confirm DKIM signing" mean?

dmarcian uses DMARC-XML data to detect the presence of DKIM signatures.  There is no straight-forward way to query the internet for the presence of DKIM signatures, and so dmarcian relies on the contents of DMARC-XML reports to provide information on DKIM signatures.

Given the above, there are 4 reasons why you might see this message:

  1. DKIM hasn't been implemented with the domain's source(s) of email.
  2. DKIM hasn't been fully implemented.  For example, Google Apps for Work requires a verification step before DKIM signing is fully enabled for a domain.
  3. dmarcian has not yet received a DMARC report containing DKIM information.  Either no reports have been received for the domain, or reports may have been received only with regard to non-DKIM-verified email (ie, spam, abuse, or legitimate email that hasn't yet been DKIM signed).
  4. DMARC-XML data doesn't contain relevant DKIM signatures for the particular domain.

Regarding #1, you'll need to setup DKIM by allowing the source of email to on behalf of your domain.  How this is implemented differs based on the capabilities of the email source.  For example, Google Apps for Work requires you to copy a DKIM TXT record into your domain's hosting/DNS provider.  In some cases (eg. GoDaddy) you will also need to click an additional "Save changes" button in order to confirm the new TXT record.

Regarding #2, after updating the hosting/DNS provider, make sure the source of email has accepted the changes (eg with Google Apps for Work, you'll need to click "Start Authentication").

Regarding #3, you will need to send at least one email from the domain to a DMARC-compliant receiver in order to ensure that a DMARC report will be generated.  The generated report will contain DKIM verification data. A few of the most common DMARC-compliant receivers are Gmail, Yahoo, Microsoft, and AOL; sending an email to any legitimate email address provided by any of those will suffice. (The actual email recipient and the contents of the email are not important.)

Regarding #4, if the email domain under question is "EXAMPLE.ORG" and you're signing this domain with DKIM signatures of a different domain (eg "SAMPLE.NET"), dmarcian.com will emit the "No DMARC reports received yet which confirm DKIM signing" message.  This is because there is no relation between EXAMPLE.ORG and SAMPLE.NET.   So, although your email might be signed, the domain used in the signatures might not match your DMARC domain.

Tags: