A DMARC policy allows for domain owners to assert several things in their policy record. One of these things is where to send reports if a message sent by your domain fails authentication. There are many third-party reporting agencies that help domain owners parse these reports to determine where non-compliant emails are sending from. While Constant Contact makes every effort to ensure that all of your emails are delivered in accordance with the industry standards for authentication, we've seen some reporting agencies have issues parsing messages when more than one DKIM signature is present.
Constant Contact DKIM signs all outbound email with a default DKIM key: d=auth.ccsend.com. When a customer opts to self-authenticate, we add a second key customized with the customer’s domain: d=customerdomain.com. As a result, there are two DKIM signatures that appear within the headers of the message. For this reason, multiple DKIM signatures are allowed within the DKIM framework.
Most ISPs (Internet Service Providers) or mailbox providers see both the default key (d=auth.ccsend.com) and the custom key (d=customerdomain.com), and will validate the message using both keys. There are some cases where these receiving domains stop after validating only the auth.ccsend.com DKIM signature. This causes the messages to appear to fail a DMARC check on the customerdomain.com and get reported to the DMARC reporting agencies
For our customers who sign with two DKIM authenticated domains and use DMARC p=reject, all email is typically delivered as aligned. This only appears to be a failure in the reporting.
When a DMARC policy is deployed, for most domains, you can configure a report to provide information on what email is failing authentication in accordance with your DMARC policy. These are defined as either:
Copyright © 2025 · All Rights Reserved · Constant Contact · Privacy Center