Sending email with ACS: DKIM, DMARC configuration

Question

Sending email with ACS: DKIM, DMARC configuration

DonQuijote 61

I send email with ACS email service using a custom domain for which I have verified the Domain, SPF and DKIM, Dkim2.

The verification status on ACS for DKIM indicates

{"status": "Verified",
    "errorCode": "None"}

When I send email to users on outlook the recipient message says: Authentication-Results with dkim=fail (no key for signature)

When I send email to users on gmail the recipient message says:

SPF: PASS

DKIM: 'PASS'

DMARC: 'FAIL'

Other recipients indicated: dkim=hardfail (signature did not verify [final])

I would need help troubleshooting the DKIM and potentially DMARC setup for my domain with ACS

Alekhya Vaddepally 1,670 Reputation points Microsoft External Staff Moderator

2025-05-05T14:36:38.06+00:00
DKIM alignment may fail - even though the DKIM record is valid, the domain in the DOMAIIN.com part of the DKIM signature is not known from the "address domain" required by the domain DMARC.

The DMARC fails if either SPF or DKIM does not align with domains - even if DKIM or SPF passes freely, DMARC requires alignment with the "header" header.

Outlook "No key to Signature" cannot find the correct DKIM public key in DNS that often receives the means receiving (due to the delayed DNS proliferation, wrong selectors, or TTL issues).

DKIM and DMARC setup for your domain with Azure Communication Services (ACS),

DKIM verification:

Ensure that the DKIM records are set correctly in your DNS. You can use the NSLOOKUP command to verify the DKIM record. For example:

nslookup set q=TXT selector1-azurecomm-prod-net._domainkey.yourdomain.com selector2-azurecomm-prod-net._domainkey.yourdomain.com

If the DKIM records are missing or wrong, the ACS DKIM will not be able to verify the signature, allowing "DKIM = FAIL" or "Dkim = Hardfail" message you are looking at.

SPF and DMARC configuration:

Verify that your SPF record is correctly configured. It should look something like this

v=spf1 include:spf.protection.outlook.com -all

Ensure that the DMARC record is also set properly in your DNS. A specific DMARC record can look like this:

v=DMARC1; p=reject; rua=mailto:******@yourdomain.com

Ensure that the DMARC policy is set to "P = reject" or "P = quarantine" to implement strict investigations.

Testing:

After making any changes, re -test your email configuration. Use devices such as mail-tster.com or similar services to check the DKIM, SPF and DMARC status of your email.

Common Issues:

If the DKIM fails, check that the private key used to sign an email corresponds to the public key published in your DNS.

For DMARC failures, make sure that the domain is necessarily "address" and "address" from the match by DMARC.
https://learn.microsoft.com/en-us/azure/communication-services/concepts/email/email-domain-configuration-troubleshooting#3-unable-to-verify-dkim-or-dkim2-status

https://learn.microsoft.com/en-us/azure/communication-services/concepts/email/email-authentication-best-practice#email-authentication-and-dns-setup
if you have any further concerns or queries, please feel free to reach out to us.
Suresh Chikkam 2,135 Reputation points Microsoft External Staff Moderator

2025-05-06T12:29:23.89+00:00
Hi DonQuijote,

In addition to the above suggestion, I did some deeper checks. One thing I noticed is that even though the DKIM record shows as verified in ACS, the DMARC failures seem to stem from domain alignment issues especially when the From domain doesn’t exactly match the domain in the DKIM signature. This can happen subtly, like if a subdomain is used inconsistently.

Also, I looked into the full email headers from Gmail and Outlook, and it seems the DKIM signature is being applied, but there could be a mismatch or even a slight header/body modification during sending that causes it to fail verification. I'm considering whether something in our sending flow might be rewriting parts of the message before it's signed.

Lastly, since DNS records were updated recently, there's a small chance this is also related to DNS propagation delays or caching at the recipient's end.

check that your DKIM public key is correctly published in your DNS records. You can use tools like MXToolbox DKIM Lookup to verify.

Ensure your DMARC policy (p=) is correctly set in your DNS TXT record. A common setup is:

v=DMARC1; p=none; rua=mailto:your-reporting-email@example.com; ruf=mailto:your-reporting-email@example.com; pct=100;
DonQuijote 61 Reputation points

2025-05-06T13:39:56.54+00:00

The issue is still taking place, I can add that this happens when sending the emails via ACS using SMTP, however if I send the email using .NET SDK's EmailClient then DKIM checks pass as expected
DonQuijote 61 Reputation points

2025-05-06T17:16:16.3166667+00:00

I can confirm I tried the suggestions above and I still get DKIM errors when sending email via ACS using .NET SmptClient. I can send the same email using EmailClient and DKIM works as expected so it looks not an issue with DNS configuration but potentially an issue with SMTP sending via ACS. This issue is relatively recent (few weeks) and in the past I was able to send via ACS Smtp without DKIM problems. I agree it looks like something on the sending flow could be altering the email and making the DKIM checks to fail. Is is possible that a change has been recently applied to ACS - SMTP sending recently? Thanks for your help on this
Suresh Chikkam 2,135 Reputation points Microsoft External Staff Moderator

2025-05-07T06:58:54.3766667+00:00

DonQuijote, Thanks for sharing that update. it’s really helpful to know you tested both SMTP and the EmailClient SDK. Since DKIM works properly with EmailClient but fails with SmtpClient, that strongly suggests the issue lies in how SMTP messages are being formatted or handled before DKIM signing by ACS. It’s possible that the SMTP path introduces slight variations in headers or encoding that break DKIM signature validation especially if something like Content-Transfer-Encoding or header order is altered. Given that this behavior is recent, it could also point to a backend change in how ACS processes SMTP traffic.
DonQuijote 61 Reputation points

2025-05-07T15:12:26.09+00:00

@Suresh Chikkam , thank you for further looking into this. Since this issue with SMTP is recent and it was working correctly before. Do you think it would be possible to reach out to the ACS product team within Microsoft and ask if there have been recent changes or if they are aware of these types of issues?
Suresh Chikkam 2,135 Reputation points Microsoft External Staff Moderator

2025-05-12T10:15:26.27+00:00

Thanks again for the update, DonQuijote.

The fact that this issue only appears via SMTP and not with the EmailClient SDK strongly indicates it's not a DNS or configuration issue on your end, but rather something specific to how SMTP messages are processed.

While I don’t have confirmation of any backend changes from the ACS product team at this time, your observations are very valid. Based on the behavior and recent change in outcome, this may be an internal handling variation introduced recently on the SMTP path.

The analysis and troubleshooting shared above including the testing across different clients will definitely be helpful for others in the community who might face similar DKIM or DMARC alignment issues when using SMTP with ACS.

If the initial concern has been addressed through this discussion and the workaround using the SDK works reliably, feel free to click Accept Answer to close the loop.
DonQuijote 61 Reputation points

2025-05-19T07:27:47.1066667+00:00

Hi @Suresh Chikkam , I don't see an option to "Accept Answer" I will write a quick summary as answer
DonQuijote 61 Reputation points

2025-05-19T07:29:04.3666667+00:00

The solution was to use EmailClient SDK instead of SMTP.

Since DKIM works properly with EmailClient but fails with SmtpClient, that strongly suggests the issue lies in how SMTP messages are being formatted or handled before DKIM signing by ACS. It’s possible that the SMTP path introduces slight variations in headers or encoding that break DKIM signature validation especially if something like Content-Transfer-Encoding or header order is altered. Given that this behavior is recent, it could also point to a backend change in how ACS processes SMTP traffic.

Accepted answer

0 additional answers

Your answer

Suresh Chikkam 2,135 Reputation points Microsoft External Staff Moderator

2025-05-06T12:29:23.89+00:00

Hi DonQuijote,

In addition to the above suggestion, I did some deeper checks. One thing I noticed is that even though the DKIM record shows as verified in ACS, the DMARC failures seem to stem from domain alignment issues especially when the From domain doesn’t exactly match the domain in the DKIM signature. This can happen subtly, like if a subdomain is used inconsistently.

Also, I looked into the full email headers from Gmail and Outlook, and it seems the DKIM signature is being applied, but there could be a mismatch or even a slight header/body modification during sending that causes it to fail verification. I'm considering whether something in our sending flow might be rewriting parts of the message before it's signed.

Lastly, since DNS records were updated recently, there's a small chance this is also related to DNS propagation delays or caching at the recipient's end.

check that your DKIM public key is correctly published in your DNS records. You can use tools like MXToolbox DKIM Lookup to verify.

Ensure your DMARC policy (p=) is correctly set in your DNS TXT record. A common setup is:

v=DMARC1; p=none; rua=mailto:your-reporting-email@example.com; ruf=mailto:your-reporting-email@example.com; pct=100;
DonQuijote 61 Reputation points

2025-05-06T13:39:56.54+00:00

The issue is still taking place, I can add that this happens when sending the emails via ACS using SMTP, however if I send the email using .NET SDK's EmailClient then DKIM checks pass as expected
DonQuijote 61 Reputation points

2025-05-06T17:16:16.3166667+00:00

I can confirm I tried the suggestions above and I still get DKIM errors when sending email via ACS using .NET SmptClient. I can send the same email using EmailClient and DKIM works as expected so it looks not an issue with DNS configuration but potentially an issue with SMTP sending via ACS. This issue is relatively recent (few weeks) and in the past I was able to send via ACS Smtp without DKIM problems. I agree it looks like something on the sending flow could be altering the email and making the DKIM checks to fail. Is is possible that a change has been recently applied to ACS - SMTP sending recently? Thanks for your help on this
Suresh Chikkam 2,135 Reputation points Microsoft External Staff Moderator

2025-05-07T06:58:54.3766667+00:00

DonQuijote, Thanks for sharing that update. it’s really helpful to know you tested both SMTP and the EmailClient SDK. Since DKIM works properly with EmailClient but fails with SmtpClient, that strongly suggests the issue lies in how SMTP messages are being formatted or handled before DKIM signing by ACS. It’s possible that the SMTP path introduces slight variations in headers or encoding that break DKIM signature validation especially if something like Content-Transfer-Encoding or header order is altered. Given that this behavior is recent, it could also point to a backend change in how ACS processes SMTP traffic.
DonQuijote 61 Reputation points

2025-05-07T15:12:26.09+00:00

@Suresh Chikkam , thank you for further looking into this. Since this issue with SMTP is recent and it was working correctly before. Do you think it would be possible to reach out to the ACS product team within Microsoft and ask if there have been recent changes or if they are aware of these types of issues?
Suresh Chikkam 2,135 Reputation points Microsoft External Staff Moderator

2025-05-12T10:15:26.27+00:00

Thanks again for the update, DonQuijote.

The fact that this issue only appears via SMTP and not with the EmailClient SDK strongly indicates it's not a DNS or configuration issue on your end, but rather something specific to how SMTP messages are processed.

While I don’t have confirmation of any backend changes from the ACS product team at this time, your observations are very valid. Based on the behavior and recent change in outcome, this may be an internal handling variation introduced recently on the SMTP path.

The analysis and troubleshooting shared above including the testing across different clients will definitely be helpful for others in the community who might face similar DKIM or DMARC alignment issues when using SMTP with ACS.

If the initial concern has been addressed through this discussion and the workaround using the SDK works reliably, feel free to click Accept Answer to close the loop.
DonQuijote 61 Reputation points

2025-05-19T07:27:47.1066667+00:00

Hi @Suresh Chikkam , I don't see an option to "Accept Answer" I will write a quick summary as answer
DonQuijote 61 Reputation points

2025-05-19T07:29:04.3666667+00:00

The solution was to use EmailClient SDK instead of SMTP.

Since DKIM works properly with EmailClient but fails with SmtpClient, that strongly suggests the issue lies in how SMTP messages are being formatted or handled before DKIM signing by ACS. It’s possible that the SMTP path introduces slight variations in headers or encoding that break DKIM signature validation especially if something like Content-Transfer-Encoding or header order is altered. Given that this behavior is recent, it could also point to a backend change in how ACS processes SMTP traffic.

Answer 1

Thanks so much for taking the time to share your findings, DonQuijote. This kind of follow-up is really valuable for the community, especially for others troubleshooting email authentication issues with Azure Communication Services (ACS).

Since Microsoft Q&A has a policy that the question author can’t mark their own answer as accepted (see policy), I’m summarizing your solution here so you can mark it as the accepted answer if it fully addressed the issue.

Based on your testing, it looks like the DKIM failures were specific to sending emails through the ACS SMTP endpoint. Switching to the EmailClient SDK resolved the problem, suggesting that the SDK handles message formatting and signing in a way that maintains DKIM integrity whereas SMTP might be introducing subtle changes (like in header encoding or order) that cause DKIM verification to fail on the recipient side.

This distinction is especially important for those relying on DKIM and DMARC compliance, since alignment issues can impact deliverability and domain reputation. It’s also useful to note that this issue seems to be recent, so it could potentially be related to updates in ACS’s SMTP pipeline.

Hope it helps!

Please do not forget to click "Accept the answer” and Yes

User's image

If you have any other questions, let me know in the "comments" and I would be happy to help you.

SkillBuilder 0 Reputation points

2025-05-26T04:18:46.56+00:00

Still happening as of 25 May 2025. DKIM fails only when we send through the ACS SMTP endpoint; the same domain passes DKIM when we send through the ACS EmailClient SDK. Tested with several SMTP libraries and raw curl, and DNS records are correct. Looks like a recent regression in the SMTP path. Please reopen this and escalate to the ACS team. Thanks @DonQuijote for raising this issue.

Share via

Sending email with ACS: DKIM, DMARC configuration

0 additional answers

Your answer