DKIM Failing

Ashley Brownfield

Hello! With the new Google and Yahoo changes requiring the DKIM and DMARC, our emails are being sent to Junk in Google. Blackbaud notified us of this change last year and we got the keys from Blackbaud and our IT made the changes necessary. We sent out our first email through Luminate since Google's change and it still went to junk for individuals.

Anyone else having this problem or are we the only ones? ?

Philip Nawrocki

@Ashley Brownfield I ran your domain through mxtoolbox and there is one error:

https://mxtoolbox.com/emailhealth/hopecancerresources.org/

I would run your domain name through a couple of these options on this site and get the fixes in. Then see what happens.

Thanks,

Phil

Ashley Brownfield

@Philip Nawrocki
Thanks so much! We were able to figure out the issue.

Magdalena Arteaga

@Philip Nawrocki Hi Philip, we are encountering a similar issue my organizations (poshusa.org) emails are being marked as spam following the DKIM implementation. I am still waiting to hear back from Blackbaud's team on our case, we've already observed a decline in donations raised by email. Do you have any insights regarding DKIM issues/resolution?

Philip Nawrocki

@Magdalena Arteaga everything on mxtoolbox looks good.

Have you tried:

You will need to send an email to what is listed on the site and it can help you troubleshoot.

Do you have DMARC and SPF records set up as well?

Let me know how the above goes and the other answers.

Thanks,

Phil

Magdalena Arteaga

@Philip Nawrocki Thanks for the information. I did run a test and it seems that we pass but had

an error see text in red on the below screenshot.

DMARC Results

--- Connection parameters ---
Source IP address: 2a01:111:f403:2409::701
Hostname: mail-dm6nam04on20701.outbound.protection.outlook.com
Sender: marteaga@poshusa.org

--- SPF ---
RFC5321.MailFrom domain: poshusa.org
Auth Result: PASS
DMARC Alignment: PASS

--- DKIM ---
Domain: poshusa.onmicrosoft.com
Selector: selector2-POSHUSA-onmicrosoft-com
Algorithm: n/a
Auth Result: PASS
DMARC Alignment: poshusa.onmicrosoft.com != poshusa.org

--- DMARC ---
RFC5322.From domain: poshusa.org
Policy (p=): quarantine
SPF: PASS
DKIM: FAIL
DMARC Result: PASS

--- Final verdict ---
DMARC does not take any specific action regarding message delivery. Generally, this means that the message will be successfully delivered. However, it's important to note that other factors like spam filters can still reject or quarantine a message.

---------------------
Thanks for using dmarctester.com
This free service is brought to you by URIports.com - DMARC Monitoring Reinvented.

Jeffrey Simpson

@Magdalena Arteaga

We are getting this due to the email message not being signed properly. I already checked the out key is right.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yfu.org;
s=sm; i=@yfu.org; h=FROM:Subject:TO:X-MailingID:Reply-To:
Message-ID:List-Unsubscribe:RPCampaign:Date:MIME-Version:
Content-Type; bh=wIWL/ZX6PR39f4ZV5ny4HTXcj2UHbJzgFfLQw6OI7ug=;
b=pFEJLVufALLk+fe1RNGWj4UBgKNuMmvTQyGHr27OlN3vxDwEIHgHTZM6tKE4py
6MlEX6cd/qe87vVlGhdZ/LKc9Dyyy5zTZBKUTHp2ItzMttfHYtL6TbSRr3KIKNXb
LhMCDPCQ3qiA1M2FvGbAx04u4g1U2uDaxIG9xsCZZSfZE=
Signed-by: rrorke@yfu.org
Expected-Body-Hash: wIWL/ZX6PR39f4ZV5ny4HTXcj2UHbJzgFfLQw6OI7ug=

Canonicalized header: from:"Youth For Understanding USA" <rrorke@yfu.org>
subject:Journey to Mongolia
to:"Jeffrey Simpson" <jeffsindc@gmail.com>
x-mailingid:00000::GP::bc3ec889-1d3d-4bb4-b651-bcb051de26f8::c612ce00-3ccb-4359-9278-06eb33f5775f::3b8cceb6-1ee9-42b9-b089-e95d8485f5f3::0
reply-to:rrorke@yfu.org
message-id:<fdb34e8a595849ee9d761a2a767e5e56@yfu.org>
list-unsubscribe:<mailto:mail+_smverp_.00000.GP.bc3ec889-1d3d-4bb4-b651-bcb051de26f8.c612ce00-3ccb-4359-9278-06eb33f5775f.3b8cceb6-1ee9-42b9-b089-e95d8485f5f3.0._smverp_.jeffsindc=gmail.com@blackbaudemail.netcommunity1.com>
rpcampaign:Blackbaud_126899516229458635545381219100876000768
date:Wed, 31 Jan 2024 10:01:30 -0500
mime-version:1.0
content-type:multipart/alternative; boundary="NextPart_07eaeb9e_3596_4f46_9832_bc23c7e1747a"

Public-Key: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMFke/nNuVD2bTNbm1eIya1eJfnXtY359PeeOAhf3FK0smWg2U+U8iYuXvwDxsJoLTg9xnhPe1TfSpZQ+AV/cvlmgWQQitwprKfTHCMMTKltLLUP3WkiJmpGoH6ENjzCA/qtixZW0GBWVryQ4r5VjtWWbmdm/Gpi0Ww03aXUkDkwIDAQAB;

DKIM-Result: fail (bad signature)

Magdalena Arteaga

@Philip Nawrocki I'm uncertain about the specific procedures involved in DKIM and DMARC, but I do have some questions: Assuming my IT department has correctly configured DKIM and DMARC, what additional measures does Blackbaud need to take to complete the authentication process?

Essentially, I'm seeking clarity on where the responsibility lies for resolving any troubleshooting issues—is it primarily on our end or theirs?

Magdalena Arteaga

@Jeffrey Simpson Can you tell me if the error needs to be fixed on my DNS server or Blackbaud?

Philip Nawrocki

@Magdalena Arteaga check these out:

https://bobcares.com/blog/dkim-result-fail-bad-signature/

https://powerdmarc.com/why-does-dkim-fail/
On this one look at DKIM Authentication Result Failures, number 2. That points towards BB.

Thanks,

Phil

Jeffrey Simpson

@Magdalena Arteaga

In my case they has issued the same Key to 2 of my domains. If you have 2 or more domains check them to see if the have the same key. You well need to put in a support ticket to get them to issue unique keys. The key is after p=.

TXT record sm._domainkey.<your domain>

Value "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7YM6X1CmDudKQr8RW0yGGcvd5rhfip5EwQjGHQ9olgKMlUcpVRpDrDPodQgy5DNpH7SkjZKogxVgHmUlPrDueCORYPwSyegUw7r4oFzHDCGKQPUJoikdhI7/mytt20kZdg1RLQWTXt8qP081FvbHsbyjxRq0nUmAExN1rmfixXwIDAQAB"

Ashley Brownfield

Hi everyone! I assume your DKIM issue got resolved? Ours finally did after going back and forth with our IT department and BB. Are your Luminate emails still being marked as spam even after getting everything fixed? If so, what did you do?

Our Luminate online emails are still being marked as spam by Google because its similar to emails you've received that were also marked as spam.

Magdalena Arteaga

@Ashley Brownfield Due to the prolonged resolution time for DKIM, email providers' algorithms learned to classify our email messages as spam. To mitigate this issue, we implemented three strategies:

1. We conducted a robocall to all our constituents with active email addresses. In the voice message, we asked them to check their spam folders and mark our emails as "not spam."
2. We added a pop-up box on our website titled “Are you getting our emails?” which directed visitors to a PDF with instructions on how to check their spam folders and mark our emails as "not spam."
3. We sent out an email message, hoping to reach the inboxes of some of our constituents and asked them to add our email address as a safe sender.

These actions helped improve our open rate, but it has not yet returned to previous levels.

Ashley Brownfield

@Magdalena Arteaga Thanks Magdalena!! We've completely switched over to utilizing the email feature in Raiser's Edge and even though they utilize the same DKIM, those don't get marked as spam.. ? I was hopeful there was something we could do to make it seem like we weren't like our previous emails to bypass that, but adding that extra engagement sounds great even just to add a little extra touch from us.