We're making it easier to get around Constant Contact with a brand new left navigation. Not all accounts have that change yet, so if your navigation looks different from our articles, that's why–but everything from the top can now be found on the left!

Email and Digital Marketing
How can we help you?
Search our help articles, video tutorials, and quickstart guides

You've got this. You've got us. Search our Knowledge Base to quickly find answers to your questions.

DMARC reporting errors with self-authentication

Article: 000039493
Updated: November 27, 2023

Why you can see multiple DKIM signatures (double DKIM signing) in your DMARC reporting when you use self-authentication

A DMARC policy allows for domain owners to assert several things in their policy record. One of these things is where to send reports if a message sent by your domain fails authentication. There are many third-party reporting agencies that help domain owners parse these reports to determine where non-compliant emails are sending from. While Constant Contact makes every effort to ensure that all of your emails are delivered in accordance with the industry standards for authentication, we've seen some reporting agencies have issues parsing messages when more than one DKIM signature is present.


How Constant Contact signs email

Constant Contact DKIM signs all outbound email with a default DKIM key: d=auth.ccsend.com. When a customer opts to self-authenticate, we add a second key customized with the customer’s domain: d=customerdomain.com. As a result, there are two DKIM signatures that appear within the headers of the message. For this reason, multiple DKIM signatures are allowed within the DKIM framework.

 

How multiple DKIM signatures are reported

Most ISPs (Internet Service Providers) or mailbox providers see both the default key (d=auth.ccsend.com) and the custom key (d=customerdomain.com), and will validate the message using both keys. There are some cases where these receiving domains stop after validating only the auth.ccsend.com DKIM signature. This causes the messages to appear to fail a DMARC check on the customerdomain.com and get reported to the DMARC reporting agencies

For our customers who sign with two DKIM authenticated domains and use DMARC p=reject, all email is typically delivered as aligned. This only appears to be a failure in the reporting.

 

Different types of reporting

When a DMARC policy is deployed, for most domains, you can configure a report to provide information on what email is failing authentication in accordance with your DMARC policy. These are defined as either:

  • An Aggregate Report (RUA)
  • A Failure/Forensic Report (RUF)
Any issues with double DKIM reporting only show if an RUF report has been configured for the sender's domain. In most cases, these reports show a failure when the “d=auth.ccsend.com” is being read before the custom DKIM key provided by Constant Contact.


Questions?

Ask the Community

Did this article answer your question?


Constant Contact Logo

Copyright © 2025 · All Rights Reserved · Constant Contact · Privacy Center