Namecheap DNS TTL Limit Creates Microsoft DKIM Challenges

May 14, 2025

Low DNS TTL and Microsoft’s delayed DKIM checks can cause legitimate emails to be rejected or marked as spam.

Namecheap, Inc. limits DNS TTL to 3600 seconds, and Microsoft’s delayed DKIM evaluation turns this into a serious issue for corporate deliverability and email security.

As investigated by Mark Alley a few months ago, Microsoft has increasingly been returning temperror and permerror for DKIM validation - often because the TTL has expired and the key is no longer cached by the time Microsoft attempts to validate it.

If DMARC is set to quarantine or reject, these errors can cause legitimate messages to be flagged as spam or rejected - even if the DKIM record was valid at the time of sending.

If DMARC is in none mode, this opens the door to spoofing attacks, leading to degraded domain reputation and poor inbox placement.

Until Microsoft improves its DKIM evaluation logic, I recommend that domains using Namecheap’s DNS be migrated to a more reliable provider - such as Cloudflare or Amazon Route 53.
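To check whether a domain is affected, DMARC aggregate reports record the DKIM result each receiver computed, including temperror and permerror. The following is an added example, not code from this post: it tallies those results per selector and counts how many of the affected messages were quarantined or rejected. The function name `dkim_error_summary` and the sample report are constructed for illustration, and the parser assumes a report in the RFC 7489 layout without XML namespaces.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout; every value is made up.
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>Constructed Receiver</org_name></report_metadata>
 <policy_published><domain>example.com</domain><p>reject</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim></auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>7</count>
   <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>temperror</result></dkim></auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.11</source_ip><count>3</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><selector>s2</selector><result>permerror</result></dkim></auth_results>
 </record>
</feedback>"""

ERROR_RESULTS = {"temperror", "permerror"}

def dkim_error_summary(report_xml):
    """Count messages whose DKIM result was temperror/permerror, per selector."""
    root = ET.fromstring(report_xml)  # assumption: report has no XML namespaces
    errors, total, enforced = Counter(), 0, 0
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count", default="0"))
        total += count
        disposition = rec.findtext("row/policy_evaluated/disposition", default="none")
        hit = False
        for dkim in rec.findall("auth_results/dkim"):
            result = (dkim.findtext("result") or "").strip().lower()
            if result in ERROR_RESULTS:
                errors[(dkim.findtext("selector", default="?"), result)] += count
                hit = True
        if hit and disposition in ("quarantine", "reject"):
            enforced += count  # messages with a DKIM error that policy acted on
    return {"reporter": root.findtext("report_metadata/org_name", default="unknown"),
            "policy": root.findtext("policy_published/p", default="none"),
            "total": total, "errors": dict(errors), "enforced": enforced}

if __name__ == "__main__":
    print(dkim_error_summary(SAMPLE_REPORT))
```

A rising `enforced` count for one reporter while other receivers show `pass` for the same selector points at key lookup on the receiving side rather than a broken signature.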