How does iCloud handle authentication (SPF, DKIM, DMARC)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You send a campaign, open rates look fine, but iCloud users just aren't getting your emails. Or they are, but they're landing in spam. Authentication is usually the first place to look. Here's what iCloud actually checks.
iCloud Mail evaluates all three major authentication checks the same way most modern mailbox providers do. It checks your SPF record to confirm the sending IP is authorized to send on behalf of your domain. It verifies your DKIM signature to confirm the message wasn't tampered with in transit. And it reads your DMARC policy to decide what to do when either of those checks fails.
The part that trips people up is alignment. It's not enough for SPF and DKIM to technically pass. The domain in those checks needs to match (or align with) the domain in your From address. A message sent from captain@deepcurrent.io using a subdomain like mail.deepcurrent.io needs to align back to deepcurrent.io for DMARC to pass. If alignment breaks, DMARC fails regardless of whether SPF and DKIM pass on their own.
iCloud does honor DMARC reject and quarantine policies. If your published policy says p=reject and a message fails alignment, iCloud will block it. If you're at p=quarantine, it'll likely land in spam. That's the system working as intended. The problem is when you've set a strict policy but your own sending streams (think your ESP, your CRM, or a third-party tool sending on your behalf) aren't properly signing with DKIM or aren't aligned. Then your policy is rejecting your own legitimate mail.
A few things worth knowing about iCloud specifically. Apple doesn't publish detailed postmaster documentation the way Gmail or Outlook do. There's no iCloud postmaster portal to check your reputation or see why something was filtered. What this means in practice is that you can't diagnose iCloud delivery issues from the outside. You're working from authentication pass/fail signals and your DMARC reports. (DMARC aggregate reports are actually your best window into what iCloud is seeing, and they're free.)
The short checklist for iCloud authentication:
- SPF record includes all IPs and services sending on your behalf (your ESP, transactional tool, CRM, etc.)
- DKIM signing is active on all those same services, ideally with a custom domain key, not just the ESP's default key
- DMARC record is published at minimum
p=nonewith aruatag so you're collecting reports - DMARC alignment is confirmed: your signing domain matches your From domain
If you want to see how your current setup looks, run it through our free DMARC Parser or SPF Checker. If something's failing and you can't work out why, the SOS hotline is free and we'll take a look with you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.