The initial situation
During the evaluation of DMARC reports for a customer project, an unusual pattern was noticed. Analysis using the DMARC monitoring tool 25Reports revealed that a large proportion of outgoing emails passed the SPF check but failed the DKIM check.
At first glance, this result does not necessarily appear critical – after all, SPF was present. Nevertheless, this behavior does not correspond to what one would expect from a cleanly operated email infrastructure. In practice, emails usually pass both SPF and DKIM. Deviations are possible, but in most cases they can be explained technically.
For example, when an email is forwarded, the IP address of the sending system often changes when the message is resent. Since SPF only checks the IP address of the sending system against the SPF records published in DNS, the SPF check often fails in such cases. The DKIM signature, on the other hand, often remains intact because it is tied to the content of the message and not to the transport route. It can still be removed or broken during forwarding if the content of the email is changed.
The reverse case – SPF without DKIM – is uncommon and in many cases indicates problems on the sender’s side. This pattern dominated the reports in question.
Early analysis: Overview and detailed view
The 25Reports dashboard showed that a surprisingly high percentage of emails only passed the SPF check. DKIM signatures were completely missing from many messages. The aggregated view quickly made it clear that these weren’t just isolated outliers, but a structural problem.
A look at the detailed view of the reports provided clarity: NoSpamProxy instances operated on-premises were affected. In the case of the customer, it was found that only around 20% of emails were correctly signed with DKIM, while the majority were delivered without DKIM – even though all messages originated from the same environment.
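The same per-source breakdown can be reproduced directly from a raw aggregate report. The following is an added example, not part of 25Reports or NoSpamProxy: it reads the `policy_evaluated` results of an RFC 7489 aggregate report and flags sending IPs whose traffic is mostly SPF-only. The sample report, the function names and the 50% threshold are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate format (documentation IPs only).
# Real reports come from third parties; parse them with a hardened XML parser.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <record><row><source_ip>192.0.2.10</source_ip><count>80</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>20</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>50</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>3</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# (spf_passed, dkim_passed) -> bucket name
BUCKET = {(True, True): "both", (True, False): "spf_only",
          (False, True): "dkim_only", (False, False): "neither"}

def auth_breakdown(report_xml):
    """Sum message counts per source IP and per SPF/DKIM outcome."""
    stats = defaultdict(lambda: dict.fromkeys(BUCKET.values(), 0))
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        spf = row.findtext("policy_evaluated/spf") == "pass"
        dkim = row.findtext("policy_evaluated/dkim") == "pass"
        stats[ip][BUCKET[(spf, dkim)]] += count
    return dict(stats)

def spf_only_sources(report_xml, threshold=0.5):
    """Return {ip: share} for sources where SPF-only mail reaches the threshold."""
    flagged = {}
    for ip, s in auth_breakdown(report_xml).items():
        total = sum(s.values())
        share = s["spf_only"] / total if total else 0.0
        if share >= threshold:
            flagged[ip] = round(share, 2)
    return flagged

if __name__ == "__main__":
    print(spf_only_sources(SAMPLE_REPORT))
```

The forwarded-mail source (DKIM pass, SPF fail) is not flagged, which separates the expected forwarding pattern from the sender-side one.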
No recipient problem
To rule out the possibility that this was due to the interpretation or a restriction of a single reporter, the results from 25 reports across various recipient systems were examined. The picture remained consistent: regardless of the target system or provider, the same DKIM behavior was observed.
This made it clear that the cause was not on the recipient side, but lay with the sending system.
The cause: Version-related DKIM restrictions in older versions of NoSpamProxy Server
The actual cause finally became apparent when analyzing the software version used. The customer was using NoSpamProxy Server version 15.4. This and previous versions only apply DKIM signatures to “regular” emails, i.e., messages that are actively sent by users or applications.
In this case, automatically generated emails were not provided with DKIM. These include so-called Delivery Status Notifications (DSN), for example:
Since these types of emails account for a significant proportion of the total email volume in many environments, this also explained the high proportion of emails that only passed SPF. The conspicuous authentication behavior was therefore not a misconfiguration, but a version-specific functional limitation that could only be clearly identified through detailed DMARC analysis with 25Reports.
The solution: Update to the latest version
This behavior has been corrected in NoSpamProxy version 15.5: Starting with this version, DSNs are also reliably signed with DKIM. After the update, the picture in the DMARC reports normalized, and the previously noticeable SPF-only shares disappeared completely—which was immediately reflected in the 25Reports evaluations.
NoSpamProxy Cloud customers not affected
A comparison with the cloud version reveals an interesting difference: this problem does not occur in NoSpamProxy Cloud, as updates are installed automatically there. All message types are consistently DKIM-signed without the need for manual intervention.
Conclusion
This case shows how important it is to carefully analyze DMARC reports in context. 25Reports not only provides percentages, but also allows you to identify patterns and search for specific causes. Missing DKIM signatures are not necessarily the result of a misconfiguration, but may well indicate version-specific limitations or unexpected system behavior.
In addition, 25Reports offers an alert that precisely mirrors the scenario described above: “Compliant emails with issues” informs users about emails that have failed either SPF or DKIM.
Especially with on-premises mail gateways, it is therefore worthwhile to regularly check which message types are actually DKIM-signed and whether the behavior of the software version used complies with current best practices.
From the perspective of the recipient – and ultimately deliverability – what matters is not whether DKIM is present somewhere, but whether all relevant emails are consistently authenticated.
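One way to run such a check on messages captured behind the gateway, as an added example that is not NoSpamProxy or 25Reports code: it separates DSNs (`multipart/report` with `report-type=delivery-status`) from regular mail and records whether each carries a DKIM-Signature whose `d=` domain matches the From domain. The sample messages, function names and the simplified alignment test are assumptions; header presence does not prove the signature verifies.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; signature values are placeholders.
REGULAR = """From: Alice <alice@example.com>
Subject: Offer
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=key1; bh=PLACEHOLDER; b=PLACEHOLDER

Hello Bob
"""
DSN = """From: postmaster@example.com
To: sender@partner.example
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; gateway.example.com
--b1--
"""

def classify(raw):
    """Return (message_type, signing_state) for one RFC 5322 message."""
    msg = message_from_string(raw)
    is_dsn = (msg.get_content_type() == "multipart/report"
              and msg.get_param("report-type") == "delivery-status")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ("dsn" if is_dsn else "regular", "unsigned")
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    d = m.group(1).lower() if m else ""
    # Simplified relaxed alignment: identical domain or parent/child of it.
    aligned = bool(d) and (d == from_domain or from_domain.endswith("." + d)
                           or d.endswith("." + from_domain))
    return ("dsn" if is_dsn else "regular",
            "signed-aligned" if aligned else "signed-unaligned")

def coverage(messages):
    """Count messages per (type, signing state)."""
    return Counter(classify(m) for m in messages)

if __name__ == "__main__":
    print(coverage([REGULAR, DSN, DSN]))
```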