Incapable

Being "DKIM - incapable" means that the vendor does not have the capability to DKIM-sign messages that they generate for you, where they use your domain in the From header of messages they send. Use of a DKIM signature with the same domain as that used in the From header is *required* in order for a message to pass DMARC on the DKIM leg. (DMARC overall can still pass if the SPF leg is correct)If your Detail Viewer is showing that DKIM passes with a signing domain of example.com, but *your* domain is acme.com, the indicated traffic cannot pass DMARC via DKIM signing.  Passing DMARC is still possible if SPF authentication passes, and is aligned.


Being "SPF - incapable" means that the vendor does not have the capability to use your domain, the one they use in the From header (or a subdomain of it) in the mail-from of the messages that they send for you.  Adding a sender's IP (or a vendor's include) to your SPF record only makes sense if they use your domain in the mail-from. The most common examples of this are for MailChimp, Cvent, iContact and ConstantContact - none of these organizations are capable of sending messages which pass DMARC on the SPF leg, so it is useless to have an entry for them in your domain's SPF record. If you are given guidance to add an SPF entry for a sender which dmarcian labels as SPF-incapable, there are 3 possible reasons in order of likelihood:

  1. The person or resource you are consulting is misguided/incorrect. This is the most common scenario.
  2. The sender is using the presence of the entry in your SPF record for non-SPF purposes, such as verification that they're allowed to send for your domain. This is very bad practice, but not all that rare. Ask your vendor if this is the case, ask them to use a different domain TXT record such as Google, Amazon, many others do.
  3. Dmarcian's data about this sender is out of date. Absolutely can happen, so let us know if you know that the given sender is 'Capable' but we list it otherwise.

If your Detail Viewer is showing that SPF passes with a domain of example.com, but *your* domain is acme.com, the indicated traffic cannot pass DMARC via SPF authentication checks.  This is an alignment failure, see related articles on that topic. Passing DMARC is still possible if DKIM authentication passes, and is aligned.

Related Articles