You might want to read up on asymmetric cryptography. The DNS record contains the public key, not the private key used for signing DKIM. learndmarc.com

This is one of the most inaccurate and confusing DMARC infographics I’ve seen. It appears to be created either by someone unfamiliar with the standard or by a flawed AI tool.

Started my day with a smile... Thanks. To work around the limit, use subdomains or SPF macros: www.uriports.com/blog/spf-mac...

Shameless plug: check out my URIports.com — it analyzes and aggregates your reports, notifies you only when something needs attention, and starts at just $12/year!

I tried the same with SFP and DMIK — shockingly, still no luck. These protocols are *so* picky about spelling!

Sure there is: dmarcvendors.com. If you are looking for a SAAS, have a look at mine: uriports.com

RFC 7489 does not mention "forensic reports" anywhere. Section 7.3 refers to "failure reports," which can be used for forensic analysis. To avoid confusion—especially among those new to email authentication—we should use the correct terminology.

Failure reports are incorrectly referred to as "Forensic Reports,". Additionally, the explanation of "Relaxed Alignment" could be improved as it means that subdomains are ignored for alignment purposes, and as long as the Organizational Domain matches, the identifier will pass alignment.

DMARC: Instructs receiving mail servers (MTAs) on how to handle messages when *BOTH* SPF and DKIM checks fail, and provides detailed reports. Additionally, DMARC checks alignment between the domain used for authentication and the domain in the RFC5322.From header. 👉 learnDMARC.com

This isn't a DMARC monitoring tool; it simply validates the email authentication of a message you send to it. In contrast, a DMARC monitoring service provides insight into all email traffic claiming to come from your domain.

Here’s mine: uriports.com/dmarc — feature-rich, privacy-first, and easy to use. Affordable too: starting at just $12 per year, with a free 30-day trial and no payment details needed.

There’s even an AI-narrated podcast at the top of the post for those who prefer listening over reading.

I've created a few resources that might help: LearnDMARC.com visualizes the authentication process between servers, and this blog post uses an easy-to-understand analogy to explain SPF, DKIM, and DMARC: www.uriports.com/blog/introdu....

MTA-STS-POLICY Check incorrectly identifies the policy as being in testing mode, even though it is set to enforce. Consider adding an explanation that the site’s inability to detect DKIM doesn’t necessarily mean DKIM isn’t configured or working correctly. Do you check for all common selectors?

Have you tried my learndmarc.com ?

Even if a domain is not used for email, enabling DMARC helps prevent spoofing. It is also essential to configure SPF, DKIM, and DMARC for parked domains. www.m3aawg.org/sites/defaul...

No DMARC policy and a SoftFail SPF policy? Here is a link to email authentication best practices: www.uriports.com/blog/spf-dki...

The DKIM signature is typically added by the sending MTA, so it does not require manual intervention.