As stated in the HES Online Help, the value of DKIM is "the total number of messages that failed DKIM verification", while the value of DMARC - DKIM is "the total number of messages that failed DKIM signature check of DMARC authentication".
The difference in the number of detections lies in how HES count the detections. The logic is explained as follows:
- If both DKIM and DMARC checking are enabled, HES will check DKIM first before DMARC check.
- If the configured action for DKIM is either Delete or Quarantine, emails that fail DKIM checking will not go through DMARC-DKIM check anymore. They will count as the number of emails that fail DKIM check in the dashboard.
- If the configured action for DKIM is "Do not intercept messages", then all emails will go through both DKIM and DMARC checking. In the dashboard, if one email fails both DKIM and DMARC-DKIM check, it will count towards the DMARC-DKIM check only.
- According to RFC 7489 (DMARC Specification), the sender domain can specificy a DMARC check percentage in its DNS record through the PCT tag. It tells the receiving server how much of the incoming email volume from the sending domain should be subjected to DMARC checking. This may cause some emails that fail DKIM checking to skip/bypass DMARC checking. In this case, the email will be counted as DKIM detections in the Dashboard.
As a general rule, one email in HES will correspond to only one (1) count in the Dashboard regardless of how many filters or events it triggers.