How to Get Your ESP to Fix DKIM Authentication

How to escalate DKIM and SPF issues with your ESP. Includes support templates, evidence gathering tips, and troubleshooting steps.

Published December 9, 2025

You’ve set up DMARC. Reports are coming in. And you’ve discovered that one of your email service providers—your marketing platform, CRM, or transactional email service—is failing authentication. Your emails are going to spam or getting rejected.

Now you need to get them to fix it.

This guide will help you gather evidence, communicate effectively with support teams, and escalate when needed, because vendor support reps don’t always understand DMARC and vague requests get vague responses.

Why This Is Hard

Getting ESPs to fix authentication issues is frustrating because:

  1. Support reps may not understand DMARC. They’re trained on their platform’s features, not email authentication protocols.

  2. You’re speaking different languages. You say “DKIM alignment failure.” They hear “email problem.”

  3. They can’t see your evidence. Your DMARC reports mean nothing to them without context.

  4. It’s not their priority. Your authentication issue is one ticket among thousands.

  5. Finger-pointing is easy. “Check your DNS” is a convenient deflection.

The solution: make it impossible to ignore. Clear evidence. Specific requests. Professional persistence.

Before You Contact Support

Step 1: Confirm the Problem Is on Their End

Before blaming your ESP, verify the issue isn’t your DNS configuration.

Check your DKIM record:

dig +short TXT selector._domainkey.yourdomain.com

Replace selector with your ESP’s DKIM selector (e.g., s1, k1, google, mandrill).

You should see a TXT record that starts with v=DKIM1; and contains a public key (the p= value).

If the record exists and looks correct, the issue is likely:

  • ESP isn’t signing emails with DKIM
  • ESP is using a different selector than expected
  • ESP’s private key doesn’t match the public key you published

If the record is missing or incorrect, the issue is your DNS. Fix that first.
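To make "looks correct" concrete, here is an added example (not from the original article) that lints pasted `dig +short TXT` output for a selector. The function name, the placeholder key material and the host `selector.esp.example.` are constructed for illustration; it checks record syntax only and cannot tell whether the ESP's private key matches.

```python
import base64
import binascii
import re

def lint_dkim_record(dig_output):
    """Return a list of problems found in `dig +short TXT` output for a selector."""
    # dig prints an unquoted CNAME target before the TXT data when the selector
    # is delegated to the ESP; only quoted lines are TXT records.
    txt = [l for l in dig_output.splitlines() if l.lstrip().startswith('"')]
    if not txt:
        return ["no TXT record published"]
    problems = []
    if len(txt) > 1:
        problems.append("more than one TXT record at this selector")
    # Long keys are split into several quoted strings; verifiers concatenate them.
    record = "".join(re.findall(r'"([^"]*)"', txt[0]))
    tags = {}
    for item in record.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    if "v" in tags and (next(iter(tags)) != "v" or tags["v"] != "DKIM1"):
        problems.append("v= must be the first tag and equal DKIM1")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y testing flag is set")
    key = re.sub(r"\s+", "", tags.get("p", ""))
    if "p" not in tags:
        problems.append("p= tag missing")
    elif not key:
        problems.append("p= is empty: this key has been revoked")
    else:
        try:
            base64.b64decode(key, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64 (truncated or mangled)")
    return problems

# Constructed placeholder key material (not a real RSA key) and dig outputs.
KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
GOOD = f'selector.esp.example.\n"v=DKIM1; k=rsa; p={KEY[:200]}" "{KEY[200:]}"'
BAD = f'"k=rsa; v=DKIM1; t=y; p={KEY[:-3]}"'

if __name__ == "__main__":
    print(lint_dkim_record(GOOD))
    print(lint_dkim_record(BAD))
```
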

Step 2: Gather Evidence

Support teams respond to specifics, not generalities. Collect:

From DMARC Reports

| Data Point | Why It Matters |
| --- | --- |
| Source IP addresses | Identifies which of their servers is failing |
| Volume of failures | Shows the scale of the problem |
| Date range | Helps them correlate with their logs |
| Specific failure reason | DKIM fail vs. SPF fail vs. alignment failure |
| DKIM selector used | Confirms which key they’re signing with |
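The data points in this table can be pulled from an aggregate report programmatically. The following is an added example, not part of the original article: it reads one DMARC aggregate (RUA) XML report and groups the DMARC-failing rows by source IP. The sample report, IPs, counts and domains are constructed, and it assumes a report without an XML namespace declaration.

```python
import xml.etree.ElementTree as ET  # reports are third-party input; prefer defusedxml in production
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample report: documentation IPs, made-up counts and domains.
SIG = "<dkim><domain>{d}</domain><selector>{s}</selector><result>{r}</result></dkim>"
REC = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
       "<dkim>{pd}</dkim><spf>fail</spf></policy_evaluated></row><auth_results>{sig}"
       "<spf><domain>bounce.esp.com</domain><result>pass</result></spf>"
       "</auth_results></record>")
SAMPLE = ("<feedback><report_metadata><date_range><begin>1764547200</begin>"
          "<end>1764633600</end></date_range></report_metadata>"
          + REC.format(ip="192.0.2.10", n=120, pd="fail",
                       sig=SIG.format(d="yourdomain.com", s="s1", r="fail"))
          + REC.format(ip="192.0.2.10", n=30, pd="fail", sig="")
          + REC.format(ip="192.0.2.11", n=40, pd="fail",
                       sig=SIG.format(d="esp.com", s="k1", r="pass"))
          + REC.format(ip="198.51.100.7", n=900, pd="pass",
                       sig=SIG.format(d="yourdomain.com", s="s1", r="pass"))
          + "</feedback>")

def failing_sources(xml_text):
    """Summarise DMARC-failing rows per source IP for a support ticket."""
    root = ET.fromstring(xml_text)
    day = lambda tag: datetime.fromtimestamp(
        int(root.findtext(f"report_metadata/date_range/{tag}")), timezone.utc).date().isoformat()
    sources = defaultdict(lambda: {"count": 0, "reasons": set(), "selectors": set()})
    for rec in root.iter("record"):
        pol = rec.find("row/policy_evaluated")
        if "pass" in (pol.findtext("dkim"), pol.findtext("spf")):
            continue  # DMARC passes when either aligned result passes
        entry = sources[rec.findtext("row/source_ip")]
        entry["count"] += int(rec.findtext("row/count"))
        sigs = rec.findall("auth_results/dkim")
        if not sigs:
            entry["reasons"].add("no DKIM signature")
        for sig in sigs:
            dom, raw = sig.findtext("domain"), sig.findtext("result")
            entry["selectors"].add(sig.findtext("selector") or "?")
            entry["reasons"].add(f"DKIM passes but d={dom} is not aligned"
                                 if raw == "pass" else f"DKIM {raw} for d={dom}")
    return {"date_range": (day("begin"), day("end")), "sources": dict(sources)}

if __name__ == "__main__":
    print(failing_sources(SAMPLE))
```
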

From Email Headers

Get raw headers from a failing email:

Gmail: Open email → Three dots → “Show original”
Outlook: Open email → Three dots → “View” → “View message source”
Yahoo: Open email → Three dots → “View raw message”

Look for:

Authentication-Results: mx.google.com;
       dkim=fail (signature did not verify) header.i=@yourdomain.com header.s=s1;
       spf=pass smtp.mailfrom=bounce.esp.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com

This tells you:

  • DKIM failed (“signature did not verify”)
  • Which selector was used (header.s=s1)
  • SPF passed, but for bounce.esp.com rather than yourdomain.com, so it doesn’t help DMARC (different domain)
  • DMARC failed as a result

Step 3: Identify the Specific Issue

Common authentication problems and their causes:

| Symptom | Likely Cause | Who Fixes It |
| --- | --- | --- |
| No DKIM signature present | DKIM signing not enabled | ESP |
| DKIM signature fails verification | Key mismatch or message modification | ESP |
| DKIM passes but DMARC fails | Alignment issue (d= domain doesn’t match From) | ESP (custom DKIM) |
| SPF passes but DMARC fails | Return-Path domain doesn’t match From | ESP (custom Return-Path) |
| Emails intermittently fail DKIM | Some servers not signing, key rotation issue | ESP |
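Steps 2 and 3 can be combined in code. This added example (not from the original article) parses an Authentication-Results header and maps it to the symptom rows of the table above. The sample header is constructed, the function names are illustrative, and alignment is approximated as "same domain or parent/child" because a full relaxed-alignment check needs the Public Suffix List.

```python
import re

# Constructed sample, modelled on the header excerpt above.
SAMPLE = """Authentication-Results: mx.google.com;
       dkim=fail (signature did not verify) header.i=@yourdomain.com header.s=s1;
       spf=pass smtp.mailfrom=bounce.esp.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com"""

def parse_auth_results(header):
    """Return one dict per method result, e.g. {'method': 'dkim', 'result': 'fail', ...}."""
    body = re.sub(r"\([^)]*\)", "", header.split(":", 1)[1])  # drop (comments)
    out = []
    for part in body.split(";")[1:]:                          # [0] is the authserv-id
        tokens = part.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].lower().split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            out.append({"method": method, "result": result, **props})
    return out

def aligned(domain, from_domain):
    # Approximates relaxed alignment as "same domain or parent/child"; a full
    # check compares organizational domains using the Public Suffix List.
    a, b = domain.lower(), from_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def diagnose(header):
    """Map a header to the symptom/cause rows of the Step 3 table."""
    results = parse_auth_results(header)
    dmarc = next((r for r in results if r["method"] == "dmarc"), {})
    from_dom, failed = dmarc.get("header.from"), dmarc.get("result") != "pass"
    dkim = [r for r in results if r["method"] == "dkim" and r["result"] != "none"]
    findings = [] if dkim else ["No DKIM signature present: signing not enabled"]
    for r in dkim:
        d = r.get("header.d") or r.get("header.i", "").rpartition("@")[2] or "?"
        if r["result"] != "pass":
            findings.append(f"DKIM {r['result']} (d={d} s={r.get('header.s', '?')}): "
                            "key mismatch or message modification")
        elif failed and from_dom and not aligned(d, from_dom):
            findings.append(f"DKIM passes for d={d} but is not aligned with {from_dom}")
    for r in results:
        mailfrom = r.get("smtp.mailfrom", "").rpartition("@")[2]
        if (r["method"] == "spf" and r["result"] == "pass" and failed
                and from_dom and mailfrom and not aligned(mailfrom, from_dom)):
            findings.append(f"SPF passes for {mailfrom} but is not aligned with {from_dom}")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE)))
```
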

Step 4: Find the Right Documentation

Locate your ESP’s official authentication documentation. Having this ready shows you’ve done your homework and gives support a reference point.

Common ESP documentation links:

| ESP | Documentation |
| --- | --- |
| SendGrid | Domain Authentication |
| Mailchimp | Email Domain Authentication |
| HubSpot | Email Authentication |
| Klaviyo | Domain Authentication |
| Amazon SES | Email Authentication |
| Postmark | Authentication Setup |
| Salesforce Marketing Cloud | Email Authentication |

Contacting Support: The Right Way

Template: Initial Support Request

Use this template. Modify the specifics for your situation.


Subject: DKIM Authentication Failure - [Your Domain] - Affecting Deliverability

Body:

Hi,

I’m experiencing DKIM authentication failures for emails sent through [ESP Name] from my domain [yourdomain.com]. These failures are causing my emails to fail DMARC and be rejected or sent to spam at major providers including Gmail, Yahoo, and Microsoft.

Evidence of the Issue:

  • Source IPs failing authentication: [List 2-3 IP addresses from DMARC reports]
  • Date range observed: [Date range]
  • Approximate volume affected: [Number] emails over [time period]
  • DKIM selector in use: [selector name, if known]

Email header excerpt showing the failure:

Authentication-Results: [paste relevant section]

My DNS configuration:

  • DKIM record at [selector]._domainkey.[domain]: [Paste record or confirm it exists]
  • I’ve verified this record is publicly accessible via DNS lookup

What I need:

  1. Confirmation that DKIM signing is enabled for my account/domain
  2. Verification that the DKIM private key matches the public key in my DNS
  3. If there’s a configuration issue, specific guidance on what DNS records I need to add or change

I’ve reviewed your documentation at [link] and believe my configuration is correct. Please investigate on your end.

This is impacting my email deliverability and is urgent. Please advise.

Best regards,
[Your Name]
[Account/Customer ID if applicable]


What Makes This Template Effective

  1. Specific subject line - Won’t get lost in generic tickets
  2. Evidence upfront - They can’t dismiss it as “user error”
  3. IP addresses included - Lets them check their server logs
  4. Headers provided - Proof of the authentication failure
  5. DNS verified - Pre-empts “check your DNS” deflection
  6. Clear ask - Three specific things you need
  7. Documentation referenced - Shows you’ve done your homework
  8. Urgency stated - Without being aggressive

Common Support Responses (And How to Counter Them)

“Please check your DNS configuration”

Counter:

I’ve verified my DNS records are correctly published. Here’s the output of a DNS lookup:

dig +short TXT s1._domainkey.mydomain.com
"v=DKIM1; k=rsa; p=MIIBIjANBg..."

The record exists and is syntactically valid. Can you confirm what record you expect to see at this location, and verify that your system is using the corresponding private key?

“DKIM is configured correctly on our end”

Counter:

If DKIM is configured correctly, can you explain why the email headers show dkim=fail? Here’s the authentication result from an actual email:

[Paste header]

Please send a test email from your system so I can inspect the DKIM signature and verify the selector being used.

“We don’t support custom DKIM” / “DKIM uses our domain”

Counter:

I understand. However, for DMARC compliance, I need DKIM alignment—the DKIM signing domain must match my From address domain. Since Google, Yahoo, and Microsoft now require DMARC alignment for bulk senders, I need either:

  1. Custom DKIM signing on my domain, or
  2. Documentation of any workarounds for DMARC compliance

If custom DKIM isn’t available on my current plan, what plan level includes this feature?

“This is working for other customers”

Counter:

I appreciate that, but I have specific evidence of failures from my account. The authentication results in my email headers and DMARC reports show consistent failures from IP addresses [list IPs] which belong to your infrastructure. Can you investigate why my specific account or configuration is experiencing these failures?

“Have you tried [basic troubleshooting step]?”

Counter:

Yes, I’ve completed basic troubleshooting:

  • ✅ DNS records verified publicly accessible
  • ✅ TTL has passed since any changes
  • ✅ Records match your documentation
  • ✅ Multiple test emails sent over several days
  • ✅ Failures confirmed in DMARC aggregate reports

The issue persists. Can we escalate to your technical team to investigate server-side configuration?

Escalation Strategies

If initial support isn’t resolving the issue:

Level 1: Request Escalation (Day 3-5)

This issue has been open for [X] days without resolution. My emails continue to fail DMARC authentication, impacting deliverability to [X]% of my recipients.

Please escalate this to a senior technical support engineer or your email deliverability team. I’m happy to schedule a call to walk through the evidence.

Level 2: Contact Account Management (Day 7-10)

If you have an account manager or customer success contact:

Hi [Account Manager],

I’ve had an open support ticket (#[number]) for [X] days regarding DKIM authentication failures. Despite providing detailed evidence, the issue remains unresolved.

This is affecting my email deliverability and [business impact - e.g., “our customer communications,” “our marketing campaigns,” “our transactional receipts”].

Can you help expedite resolution or connect me with someone who can investigate the technical issue?

Level 3: Business Impact Statement (Day 10-14)

I need to escalate the urgency of this issue.

Business Impact:

  • [X]% of our emails are being rejected or sent to spam
  • We’ve received complaints from customers not receiving [type of email]
  • Our domain reputation is being damaged
  • We’re evaluating alternative providers if this can’t be resolved

I’ve been patient, but I need a resolution path with a concrete timeline. Please connect me with a technical manager or escalation team.

Level 4: Executive Escalation (Day 14+)

For enterprise accounts or severe issues:

  • Ask for contact information for their VP of Customer Success or similar
  • Post in their community forums (politely, with facts)
  • Contact them via LinkedIn (professional, not complaining)
  • Consider whether this ESP is the right fit for your needs

Specific ESP Troubleshooting

SendGrid

Common issues:

  • Domain authentication not completed (verify CNAME records)
  • Using “Automated Security” but records not propagated
  • Link branding affecting authentication

Key questions to ask:

  • “Is domain authentication fully verified for my sending domain?”
  • “Which DKIM selector is being used for my account?”
  • “Can you confirm my authenticated domain is set as the default?”

Mailchimp

Common issues:

  • DKIM not enabled (requires CNAME records since March 2024)
  • Using free email domain (Gmail, Yahoo) in From address
  • Transactional emails (Mandrill) use different selectors

Key questions to ask:

  • “Are my k1 and k2 CNAME records verified in your system?”
  • “For Mandrill, are mte1 and mte2 records configured?”
  • “Is there a delay between DNS publication and signing activation?”

HubSpot

Common issues:

  • Email sending domain not connected
  • CNAME records added but not verified in HubSpot
  • Cloudflare proxy enabled (must be disabled for DKIM)

Key questions to ask:

  • “Is my email sending domain showing as ‘Authenticated’ in domain settings?”
  • “Can you verify the hs1 and hs2 DKIM records are being used?”
  • “Is there a known issue with DKIM signing for my account?”

Amazon SES

Common issues:

  • Easy DKIM not enabled after domain verification
  • Custom MAIL FROM domain not configured (SPF alignment)
  • Regional configuration (DKIM must be set up per region)

Key questions to ask:

  • “Is Easy DKIM enabled and showing ‘Verified’ for my domain?”
  • “Which AWS region is my sending configured in?”
  • “Is my custom MAIL FROM domain verified for SPF alignment?”

Prevention: Avoiding Future Issues

Monitor Continuously

Don’t wait for complaints. Monitor:

  • DMARC aggregate reports (daily/weekly)
  • Authentication pass rates per source
  • New sending sources appearing in reports

Document Everything

Keep records of:

  • ESP configuration screenshots
  • DNS records and when they were added
  • Support ticket numbers and resolutions
  • Test email headers showing passing authentication

Test After Changes

Whenever you or your ESP makes changes:

  1. Send test emails to Gmail, Yahoo, and Outlook
  2. Check authentication results in headers
  3. Wait 24-48 hours for DMARC reports
  4. Verify pass rates haven’t dropped

Establish Relationships

For critical ESPs:

  • Know your account manager
  • Attend their webinars (you’ll learn and they’ll know you)
  • Provide feedback when things work well, not just when they don’t

When to Consider Switching ESPs

It may be time to switch if:

  • Issue persists 3+ weeks with no resolution path
  • ESP doesn’t support custom DKIM at all
  • Support quality indicates deeper organizational issues
  • Authentication problems are recurring, not one-time
  • Your sending volume justifies an ESP with better support

Before switching:

  1. Document the issue thoroughly for your records
  2. Verify the new ESP supports the features you need
  3. Plan for IP warming with the new provider
  4. Don’t cancel until the new ESP is fully operational

Make Vendor Communication Easier

Verkh generates shareable dashboards you can send directly to your vendors. Instead of copying data into support tickets, share a live link showing exactly what’s failing and why. Vendors can see the evidence themselves—no more back-and-forth.


Remember: you’re not asking for a favor. You’re paying for a service that should work. Be professional, be persistent, and be armed with evidence.
