Available in Classic and VPC
You might run into the following problems when using Cloud Outbound Mailer. Find out causes and possible solutions.
DKIM authentication issues
Learn how to diagnose and resolve DKIM authentication issues with Cloud Outbound Mailer.
DKIM authentication failure checklist
If DKIM authentication fails, check the following items in order:
Step 1: Verify prerequisites.
- Is domain authentication complete?
- Is the SPF record resolved correctly?
Step 2: Verify DKIM record registration.
- Is the TXT record registered on the correct host? (
{selector}._domainkey.{domain}) - Is the DKIM signature value split and registered in a multi-line format?
Step 3: Verify the selector.
- Are you using the correct selector for your environment and region?
Step 4: Verify record lookup.
- Is the record resolved using nslookup?
- Is the search result in multi-line format? (verify it is not a separate record.)
Step 5: Verify console settings.
- Is DKIM authentication complete?
- Did you click [Enable] for activation?
DKIM authentication failure
- DKIM authentication is not working.
- Email delivery fails due to DKIM authentication failure.
Cause
- The selector is incorrectly configured.
- The DKIM signature value is not registered correctly.
- The domain or SPF authentication record is missing.
Solution
Check the following items in order:
1. Verify domain and SPF authentication.
Records for domain and SPF authentication must be registered as a prerequisite for DKIM authentication. See View domain to verify that the domain authentication token value and SPF record are resolved.
2. Verify TXT record registration.
The DKIM signature value must be registered as a TXT record at the {selector}._domainkey host of the registered domain.
For example, if the domain is example.com and the selector is ncpcompubkr:
- Host:
ncpcompubkr._domainkey.example.com
- The DKIM signature value consists of 392 characters.
- As DNS TXT records have a 255-character limit per string, the syntax must be split into multiple strings enclosed in double quotes for registration.
- For Global DNS, TXT records exceeding 255 characters are automatically wrapped, allowing you to register the signature value as is. For more information, see Global DNS.
- If your DNS service provider does not support registering TXT records exceeding 255 characters, contact that provider and request support.
- Cloud Outbound Mailer supports only 2,048-bit DKIM signatures for enhanced security. Use a 2,048-bit DKIM key.
3. Verify the selector.
Selectors vary depending on the environment and region. For instructions on verifying the selector, see DKIM authentication.
| Environment | Region | Selector |
|---|---|---|
| Private | Korea (KR) | ncpcompubkr |
| Private | Japan (JP) | ncpcompubjpn |
| Private | Singapore (SG) | ncpcompubsgn |
| Financial | Korea (KR) | ncpcomfin |
| Public | Korea (KR) | ncpcomgov |
4. Verify record lookup.
Enter the following command to confirm that the DKIM signature value is registered correctly:
# Using nslookup
$ nslookup -q=txt ncpcompubkr._domainkey.example.com
# Using dig
$ dig txt ncpcompubkr._domainkey.example.com
Correct registration (multi-line format)
ncpcompubkr._domainkey.example.com text = "v=DKIM1;k=rsa;p=MIIB..." "..."
The result must be returned as a single record in multi-line format consisting of 2 string blocks.
Incorrect registration (separate records)
ncpcompubkr._domainkey.example.com text = "v=DKIM1;k=rsa;p=MIIB..."
ncpcompubkr._domainkey.example.com text = "..."
If registered as separate records as shown above, DKIM authentication may fail or results may alternate between success and failure. Re-register in the multi-line format. For instructions on splitting TXT record registration, contact your domain service provider.
5. Verify DKIM authentication settings.
Check the DKIM authentication status in the console and verify that it is enabled. After authentication is complete, click [Enable] to activate it so that DKIM authentication functions properly when sending emails. For more information, see DKIM authentication.
- After authentication is complete, clicking [Enable] for activation changes the button to [Disable] and displays the "Enabled" status.
- Modifying or deleting an authenticated record may cause authentication to fail when sending emails. Therefore, keep the records registered for authentication unchanged.
DKIM authentication failure despite signature value retrieval
The DKIM signature value is successfully retrieved, but DKIM authentication fails.
Cause
- Records for domain or SPF authentication are either incorrectly registered or missing.
- DNS record changes may be in the process of propagating.
Solution
To perform DKIM authentication, all records for the domain and SPF authentication must be registered. See View domain to verify that the domain authentication token value and SPF record are resolved.
Pending DNS record propagation
If records are registered correctly but authentication fails, it may take time for DNS record changes to propagate. Retry authentication after waiting for a period of time (typically several minutes to a maximum of 24 hours).
- Propagation time differences by DNS server: Propagation time may vary depending on the DNS server being queried. Authentication may fail if records have not yet been propagated to the internal authentication server, even if a manual query returns the correct record.
- Time to Live (TTL) cache: If a long TTL was set during the previous record registration, the existing record may be cached and returned during a query. In this case, the new record will be successfully retrieved after the TTL expires.
- Record update: Forced record updates are not supported internally. We recommend setting an appropriate TTL value (e.g., 300 to 3,600 seconds) when registering records.
Alternating success and failure during email delivery
- DKIM authentication complete.
- Delivery results alternate between success and failure during email delivery.
Cause
- If the DKIM signature value is registered as multiple separate records, delivery success and failure may alternate.
- As the order of DNS record search results is not guaranteed, DKIM authentication may succeed or fail based on the order of return.
Solution
See View domain to check if the DKIM signature value is registered correctly.
Record lookup and verification
$ nslookup -q=txt ncpcompubkr._domainkey.example.com
Correct format (multi-line in a single record)
ncpcompubkr._domainkey.example.com text = "v=DKIM1;k=rsa;p=MIIB..." "..."
Incorrect format (split into separate records)
ncpcompubkr._domainkey.example.com text = "v=DKIM1;k=rsa;p=MIIB..."
ncpcompubkr._domainkey.example.com text = "..."
If registered as separate records, the order is not guaranteed during DNS lookup, resulting in alternating delivery success and failure. The record must be re-registered as a single record in multi-line format. For instructions on splitting TXT record registration, contact your domain service provider.
SPF authentication failure
SPF authentication fails.
Cause
SPF information is incorrectly registered in the domain's TXT record, or there is a formatting issue.
Solution
To check the TXT record for the registered domain:
- Enter the following command to look up the SPF record registered for the domain:
nslookup -q=txt example.com - Check if the SPF record is retrieved as a single string block, as shown below.
- The search result must show the SPF record registered as a single string enclosed in double quotes.
example.com text = "v=spf1 include:email.ncloud.com ~all"
If you're still having trouble finding what you need, click on the feedback icon and send us your thoughts and requests. We'll use your feedback to improve this guide.