Strengthening Email Ecosystem: Outlook’s New Requirements for High‐Volume Senders
We've begun receiving 5.7.515 errors showing "Dkim= Fail". Every tester I've run our email through shows DKIM passing completely. All domains in the header match the sending domain. Any help?
For about a week now, we've also observed a slight occurrence of dsn=5.7.515 errors. Upon checking the logs, we found that 0.01% of all email sends resulted in "Dkim= Fail", while the remaining 99.9% were successfully delivered. The original messages in the actual bounce emails clearly had correct DKIM signatures, and all sender domains are the same, so we haven't been able to identify the cause of the DKIM=Fail errors. We'd appreciate any potential solutions.
- Cdary, Jun 26, 2025, Copper Contributor
This occurs because Microsoft uses very short DNS timeouts; if the DKIM controller doesn't receive the DNS reply quickly enough, then they will judge that DKIM failed.
Setting a long TTL (at least 48h) on your DKIM records will help mitigate the problem.
- rsetht, Jun 26, 2025, Copper Contributor
I don't see how the TTL would affect that -- that just tells the DNS system how long to cache results. Nothing to do with how long it takes MS to fetch the records...
Please correct me if I'm wrong.
- markalleyTJX, Jun 26, 2025, Copper Contributor
Microsoft definitely has a DNS bug related to SPF and DKIM evaluation, see posts here about it:
https://forum.dmarcian.com/t/dkim-verification-failures-microsoft-365-exchange-online/2679
https://www.linkedin.com/posts/activity-7250496295558090753-TKoR
https://www.linkedin.com/posts/activity-7257872173409648640-yD-Y?utm_source=social_share_send&utm_medium=member_desktop_web&rcm=ACoAACWHZKwBD6Opt3weyOnlHqAOU3JlQ0FCucs
In normal cases (shown in the LinkedIn posts), a longer TTL would allow the DNS client to use its cache more frequently (and longer) rather than querying upstream for the record, which significantly lowers DNS errors (temperrors) with email authentication. In Microsoft's case, TTLs longer than an hour for SPF/DKIM records have almost no effect on their DNS issue, unfortunately (specific to the DNS bug).
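
Added example, not part of any comment in this thread: one way to measure how often 5.7.515 "Dkim= Fail" rejections occur in your own delivery logs and whether they are intermittent per recipient domain. The Postfix-like log format, the sample lines, and the names `parse_line` and `summarize` are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in a Postfix-like format (an assumption; adapt the
# regexes to your MTA). The verdict text mirrors the "Dkim= Fail" string above.
SAMPLE_LOG = """\
Jun 26 10:00:01 mx smtp[1]: A1: to=<a@outlook.example>, dsn=2.0.0, status=sent (250 OK)
Jun 26 10:00:02 mx smtp[2]: A2: to=<b@outlook.example>, dsn=5.7.515, status=bounced (550 5.7.515 Spf= Pass , Dkim= Fail , DMARC= Pass)
Jun 26 10:00:03 mx smtp[3]: A3: to=<c@outlook.example>, dsn=2.0.0, status=sent (250 OK)
Jun 26 10:00:04 mx smtp[4]: A4: to=<d@hotmail.example>, dsn=2.0.0, status=sent (250 OK)
Jun 26 10:00:05 mx smtp[5]: A5: to=<e@live.example>, dsn=5.7.515, status=bounced (550 5.7.515 Spf= Pass , Dkim= Fail , DMARC= Pass)
"""

LINE_RE = re.compile(r"to=<[^>]+@(?P<domain>[^>]+)>.*?dsn=(?P<dsn>\d\.\d+\.\d+)")
VERDICT_RE = re.compile(r"(Spf|Dkim|DMARC)=\s*(\w+)", re.IGNORECASE)

def parse_line(line):
    """Return recipient domain, DSN code and any Spf/Dkim/DMARC verdicts."""
    m = LINE_RE.search(line)
    if not m:
        return None
    verdicts = {k.lower(): v.lower() for k, v in VERDICT_RE.findall(line)}
    return {"domain": m["domain"].lower(), "dsn": m["dsn"], "verdicts": verdicts}

def summarize(log_text):
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    rejected = [e for e in events if e["dsn"] == "5.7.515"]
    dkim_fail = [e for e in rejected if e["verdicts"].get("dkim") == "fail"]
    # Count each (spf, dkim, dmarc) combination seen on rejected mail.
    combos = Counter(
        tuple(e["verdicts"].get(k, "?") for k in ("spf", "dkim", "dmarc"))
        for e in rejected
    )
    accepted = {e["domain"] for e in events if e["dsn"].startswith("2.")}
    failing = {e["domain"] for e in dkim_fail}
    return {
        "total": len(events),
        "dkim_fail": len(dkim_fail),
        "rate": len(dkim_fail) / len(events) if events else 0.0,
        "combos": dict(combos),
        # Heuristic (assumption): a domain that also accepted mail in the same
        # window saw intermittent failures, not every message rejected.
        "intermittent": sorted(failing & accepted),
        "always_failing": sorted(failing - accepted),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
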