Troubleshooting DKIM issues for Google Workspace
If your legitimate emails are failing DKIM authentication, being rejected, or being marked as spam, there may be a misconfiguration in your email authentication records. To locate the problem, you need to check your SPF, DKIM, and DMARC records. This guide walks you through finding misconfigurations in DKIM.
1. Verify if emails are passing DKIM checks
- Send a message from your domain and check the email headers to see if it passed DKIM.
- If it didn’t pass, try sending the email to a personal Gmail address to rule out problems with the recipient’s server.
- In Gmail, click ‘Show original’ for the email and check the DKIM status.
- Use Google’s Admin Toolbox Messageheader tool to check the DKIM status by entering the email headers.
2. Verify your DKIM key is correct at your domain provider
Most domain providers limit a single string inside a DKIM TXT record to 255 characters. A 2048-bit key is longer than that, so it can’t be entered as one text string; if it is, the DKIM key may be truncated or its parts entered in the wrong order.
Here is a simplified version of the recommended steps to take care of this problem:
- Get the DKIM TXT record from your Admin console (e.g., google._domainkey).
- Go to the Google Admin Toolbox Dig tool and select ‘TXT.’
- Enter the DKIM record followed by a period and your domain name (e.g., google._domainkey.example.com).
- Compare the result with the value in your Admin console to ensure all characters are included and in the correct order. If the published record does not match, the DKIM key can be divided into two text strings (see step 5 below).
3. Check message forwarding
If emails forwarded from your domain frequently fail DKIM checks, the problem is likely in how a mail server forwards them.
Here is what senders can do:
- Check whether the email content was altered in transit by inspecting the ‘Authentication-Results:’ header. If it says ‘body hash did not verify’ next to the DKIM result, the message was altered during transit.
- If you use an outbound gateway, ensure it doesn’t modify messages (like adding footers) since that can cause DKIM to fail.
Here’s what email recipients can do:
- Use Email Log Search to verify if the email was forwarded. If the message is reported as spam by someone else and not the original recipient, then it’s likely that it was forwarded.
- Contact the service that forwarded the message and ask if they can adjust how they forward it.
4. Get in touch with admins for servers rejecting DKIM-signed messages
Even if you have set up DKIM properly, messages can still be rejected or sent to spam. Here are the recommended steps:
- Contact the admin of the rejecting email server.
- Set up DMARC to receive DMARC reports. These reports give insights into your email activities, helping you know if an unauthorized entity is sending messages on your behalf. Careful monitoring of DMARC aggregate and forensic reports can also bring misconfigurations to the surface.
- If not using Google Workspace, avoid the DKIM length tag (l=) as it can be abused.
5. Check the character limit
If you’re using a 2048-bit DKIM key, you can’t enter it as a single text string due to the 255-character DNS limit. Follow these steps instead:
- Split the key into multiple text strings.
- Place each string in quotes.
- Enter each string one after the other in the TXT record Value field at your domain provider.
Alternatively, you can:
- Use a 1024-bit key by selecting that option when generating a DKIM key pair.
- Contact your domain host to see if they support TXT records longer than 255 characters. If they do, you can use a 2048-bit key following the DKIM key generation steps.
Note: Most domain providers support up to 49 TXT records, so avoid exceeding that limit.
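The following is an added example, not code from this page or from Google: it splits a DKIM TXT value into 255-character strings as described in step 5, reassembles what a lookup such as the Dig tool returns, and classifies the mismatches step 2 asks you to look for (truncated key, strings entered out of order). The sample record is constructed; the public key in it is a placeholder, not a real key.

```python
# Added example: DNS-safe splitting and verification of a DKIM TXT record value.
MAX_STRING = 255  # limit on one character-string inside a TXT record at most providers

# Constructed sample (hypothetical): a DKIM record whose p= value is 400 placeholder chars,
# long enough that it cannot fit in a single 255-character string.
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + "".join(chr(65 + i % 26) for i in range(400))


def split_txt_value(value: str, limit: int = MAX_STRING) -> list[str]:
    """Split a long TXT value into quoted strings of at most `limit` characters.
    These are entered one after another in the provider's TXT Value field."""
    if not value:
        raise ValueError("empty record value")
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return [f'"{chunk}"' for chunk in chunks]


def join_txt_strings(strings: list[str]) -> str:
    """Reassemble the strings a DNS lookup returns for one TXT record.
    Verifiers concatenate them in order with no separator, so order matters."""
    return "".join(s.strip().strip('"') for s in strings)


def compare_dkim_record(expected: str, published: str) -> str:
    """Compare the Admin console value with what DNS actually serves.
    Returns 'ok', 'truncated', 'reordered' or 'mismatch'."""
    if published == expected:
        return "ok"
    if expected.startswith(published):
        # Only a prefix is served: a string was dropped or cut at the limit.
        return "truncated"
    if len(published) == len(expected) and sorted(published) == sorted(expected):
        # Same characters, different sequence: strings were entered out of order.
        return "reordered"
    return "mismatch"


if __name__ == "__main__":
    parts = split_txt_value(SAMPLE_RECORD)
    print(f"{len(parts)} strings to enter at the domain provider")
    print(compare_dkim_record(SAMPLE_RECORD, join_txt_strings(parts)))        # ok
    print(compare_dkim_record(SAMPLE_RECORD, join_txt_strings(parts[:1])))    # truncated
    print(compare_dkim_record(SAMPLE_RECORD, join_txt_strings(parts[::-1])))  # reordered
```

To check a live record, paste the strings shown by the Dig tool for google._domainkey.yourdomain into join_txt_strings and compare against the Admin console value.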
How can DMARCReport help?
We at DMARCReport can help you manage and analyze thousands of complicated DMARC reports. We can also simplify the collection, reading, and interpretation of these XML reports and display them in an easy-to-understand format. This process offers insights into email authentication issues, including misconfigurations triggering DKIM failures. If you want to delegate the DMARC trouble to us, please feel free to contact us or book a demo.