Emails undelivered, delayed, or marked as spam

Problem statement

Email is not delivered, or delivery is unreliable.

Symptoms

Emails are:

  • not delivered at all
  • delayed (several minutes to hours)
  • marked as spam

Causes

  • Using the built-in email provider in your tenant
  • Email sending infrastructure or domain not configured correctly

Solution

Custom Email Provider

You must configure a custom email provider for successful email delivery. The built-in provider is for testing purposes only, and depending on overall load (it is a shared resource), the built-in provider may not even perform satisfactorily for testing.

Infrastructure and domain configuration

Email delivery today depends heavily on proper configuration of your domain and sending infrastructure.

Specifically, expect unpredictable email delivery unless the following standards are properly configured on your email domains:

  • DKIM
  • SPF
  • DMARC

MXToolBox is a fantastic tool for diagnosing email delivery issues:

https://mxtoolbox.com/

(This external link is unaffiliated with Okta/Auth0; the free tier should suffice for troubleshooting.)

It has tools for analyzing DNS records related to DKIM, SPF, and DMARC, as well as a header analyzer that can be very helpful for pinpointing specific issues.

The vast majority of email delivery issues can be traced to incorrect or missing DKIM, SPF, and/or DMARC configurations.

The following links have some good introductory information on DKIM, SPF, and DMARC:

(these external links are unaffiliated with Okta/Auth0)

Microsoft/Exchange specific issues

Microsoft email products are known to sometimes “quarantine” messages considered high risk. This is a step beyond simply marking the message as spam. In this case, the message is accepted by Microsoft’s email infrastructure, but the user has no way to see it. Usually, an administrator is able to view these messages in a special inbox. The message headers can be reviewed to determine the reason for the high spam score (often DMARC alignment failure).
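The header review described above can be scripted. The following is an added example, not Auth0 or Microsoft code: it reads the Authentication-Results header of a message and reports whether a passing SPF or DKIM identity aligns with the From domain, which is what DMARC requires. The sample message, all domains, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message); every domain is a placeholder.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounces.esp-provider.example;
 dkim=pass header.d=esp-provider.example header.s=s1;
 dmarc=fail header.from=login.customer.example
From: "Login" <no-reply@login.customer.example>
Subject: Verify your email

Constructed body.
"""

def org_domain(domain):
    # Assumption/simplification: the organizational domain is the last two
    # labels. Real DMARC evaluation uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Return [(method, result, {property: value})] from Authentication-Results."""
    value = re.sub(r"\([^)]*\)", " ", " ".join(value.split()))  # unfold, drop comments
    found = []
    for clause in value.split(";")[1:]:  # element 0 is the authserv-id
        m = re.match(r"\s*([\w-]+)=(\w+)(.*)", clause)
        if m:
            props = dict(re.findall(r"([\w.-]+)=(\S+)", m.group(3)))
            found.append((m.group(1).lower(), m.group(2).lower(), props))
    return found

def dmarc_alignment(raw):
    """Report whether a passing SPF or DKIM identity aligns (relaxed) with From."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    report = {"from_domain": from_dom, "spf_aligned": False, "dkim_aligned": False}
    keys = {"spf": "smtp.mailfrom", "dkim": "header.d"}
    for method, result, props in parse_auth_results(msg.get("Authentication-Results", "")):
        ident = props.get(keys.get(method, ""), "").rpartition("@")[2]
        if result == "pass" and ident and org_domain(ident) == org_domain(from_dom):
            report[method + "_aligned"] = True
    report["dmarc_pass"] = report["spf_aligned"] or report["dkim_aligned"]
    return report

if __name__ == "__main__":
    print(dmarc_alignment(SAMPLE))
```

In the sample, SPF and DKIM both pass for the email provider's own domain, yet neither aligns with the From domain, so DMARC fails; signing with a DKIM domain under the From domain fixes it. Only evaluate an Authentication-Results header that was added by the receiving mail server itself.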

When should I open a support case?

Please confirm you have configured a custom email provider, and your domain properly implements DKIM, SPF, and DMARC before contacting support.

If your messages aren’t delivered at all, Auth0 support can usually tell you if your messages are accepted by your custom email provider, and the error returned if they are not accepted. Delayed messages are usually caused by “downstream” issues that Auth0 engineers don’t have insight into, but we are happy to review your case and provide guidance on next steps.
