It’s not uncommon for DKIM or SPF records to be partially invalid. This can stem from a number of issues:
- occasionally, DNS glitches (receiver-side or sender-side) can lead to temporary authentication errors at specific ISPs
- invalid DKIM key or SPF record
- inadequate DKIM bit strength
- DKIM hash mismatch, sometimes caused by a forwarded message
- too many DNS lookups in SPF record
- new sending IP is provisioned but not included in an updated SPF record
When any of these issues are the case, we make sure to point out the specific ISPs that are having issues so you can better diagnose the problem.