Zoho CRM Troubleshooting Email Authentication

Zoho CRM Troubleshooting Email Authentication

How to fix the error which says "DKIM record missing"?


After entering the public key value in you domain settings page, go to https://zohomail.tools/#domainDetails and select TXT. Enter the public key value you generated in CRM and select Lookup.

  1. If the DKIM key is not populated, then the key has not been updated properly. Enter the public key in the Host/domain name column without your domain name. For example, enter the host name as: 1522905413783._domainkey instead of 1522905413783._domainkey.zohosupport.com. If the issue persists, contact our support team (support@zohocrm.com).
  2. If the DKIM is populated but you are still getting the "DKIM record missing" error, wait for 24 hours and then select Validate record in the CRM. If the issue persists even after 24 hours, contact support (support@zohocrm.com).

Why am I getting SPF record Validation Failure?

Having multiple SPF records can interrupt the SPF check which may cause validation failure. As a result, the emails may end up as Spam in the recipient servers. We recommend not to add a new record if you already have one.

Make sure that there is only one SPF entry in the Domain Settings page. If you have already added SPF for another application, make sure that CRM SPF is also added in the same record. 
Adding two separate SPF records is not valid. If there are two or more SPF records, merge the values into a single record and verify it.

Go to https://zohomail.tools/#domainDetails, select TXT, enter the public key value you generated in CRM and select Lookup. 
For example: 
1. If two SPF records are added like this:
"v=spf1 include:transmail.net ~all"
"v=spf1 include:zcsend.net ~all"
Then add them as:
v=spf1 include:transmail.net include:zoho.com include:zcsend.net ~all

2. If two SPF records are added like this
"v=spf1 include:spf.protection.outlook.com include:transmail.net ~all"
"v=spf1 include:transmail.net ~all"
Then add them as:
v=spf1 include:spf.protection.outlook.com include:transmail.net ~all

3. If two SPF records are added like this
"v=spf1 include:spf.sendinblue.com mx ~all"
"v=spf1 include:transmail.net.in ~all"
Then add it as:
v=spf1 include:spf.sendinblue.com mx include:transmail.net.in ~all
If the SPF is populated but you still get the "SPF record missing" error, wait for 24 hours and then select Validate record in the CRM. If the issue persists after 24 hours, please contact our support team  (support@zohocrm.com).

What is SPF alignment and why might it fail?

When an email is sent, its sender ID is validated and then its SPF and DKIM records are aligned. Complying with DMARC policy tells the recipient systems that the email sender has done something that only an authentic sender can do: align the DKIM and/or SPF domain with the “From” domain that the recipient sees.
If you're sending emails through your business domain as the "From" domain, DMARC will compare it with the "Envelope From" (also known as "Return-Path") domain. If both the domains or their subdomains match, SPF is aligned.

Does SPF alignment failure impact email deliverability?

If the domain in the Return-Path header is the same as the domain in the "From" address, then the SPF alignment will pass. If they are different, the SPF alignment will fail.
For example:
If the user dinaash@zylker.com sends emails from Zoho CRM, the email is sent from Zoho CRM's email server on behalf of dinaash@zylker.com. For bounce tracking purposes, CRM will set a notifications.zohocrm.com email address as the Return-Path header. As the domain in the Return-Path header is "notifications.zohocrm.com", which does not match the domain in the From address ("zylker.com") the SPF alignment will fail.

This means you will see the following message:

"zohocrm.com is authorized to send on behalf of zylker.com, however it looks like SPF is still failing DMARC’s alignment test. DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your From address. Since the Return-Path path doesn’t match your From address, those messages will fail DMARC’s SPF alignment test."

As DMARC requires either SPF or DKIM alignment, the solution would be to either change the Return-Path header in Zoho CRM or add an aligned DKIM signature. Changing the Return-Path header in Zoho CRM is not possible as we need to track the bounced emails, so the only option is to configure email authentication. If DKIM authentication is complete, you will pass the DMARC check even without SPF alignment.
    • Related Articles

    • Zoho CRM Troubleshooting Email Relay

      1. Why am I getting an authentication failure error? Make sure that the password you entered is correct. To verify the password, log in to your webmail with the same password by typing in the password instead of using auto-fill. Check whether TFA is ...
    • Zoho CRM Troubleshooting Module Customization

      Troubleshooting Modules and Fields 1. Why does the editor go from top to bottom instead of left to right when I click the Tab key while creating or editing a record? The order depends on the Tab Order Preference set by the Admin for each particular ...
    • Troubleshooting Zoho Backstage integration with Zoho CRM

      1. Why am I unable to integrate Zoho Backstage with Zoho CRM? By default in your CRM, those who have admin level permissions or an admin profile have access privilege for extensions. You won't be able to integrate marketplace apps into your CRM ...
    • Zoho CRM Troubleshooting Mass Emails

      1. How can I see how many records are eligible to be sent mass emails? Open the List View, filter the records using the smart filter for "email is not empty", "email is not blocked", "email opt out is not selected". This will give the exact number of ...
    • Troubleshooting Zoho Campaigns integration with Zoho CRM

      1. Why aren't all of my contacts syncing between Zoho CRM and Campaigns? There can be a few reasons why your Zoho CRM contacts are not syncing in Campaigns. No email address has been entered in your customer account: Double check to ensure there is ...