Troubleshoot DKIM Issues
From: https://support.google.com/a/answer/11612790?
sjid=16475661690433716483-NC
Troubleshoot DKIM issues
Protect against spoofing & phishing, and help prevent messages from being
marked as spam
Follow the troubleshooting steps in this article if messages sent from your
domain are:
- Not passing DKIM authentication
- Rejected by receiving servers
- Sent to recipients’ spam folders
Many DKIM issues can be identified and resolved by following the steps in this
article.
Verify DKIM is set up correctly
Verify DKIM is set up correctly by following the steps in Turn on DKIM for
your domain:
Verify messages pass DKIM authentication
Email message headers have the results of DKIM authentication check. Check
whether messages sent from your domain pass DKIM authentication.
Recommended steps:- If messages don't pass DKIM authentication, try sending to another recipient,
for example a personal Gmail address. This can help you rule out issues with the
receiving server.
- Check the headers in a message sent from your domain to verify it passed DKIM.
- In Gmail, click Show original for a message, then check the DKIM status in
the original message. Learn more about checking message headers in Gmail.
- Enter message headers into Google Admin Toolbox Messageheader tool and check
the DKIM status.
Verify your DKIM key is correct at your
domain provider
Most TXT records can have up to 255 characters. You can’t enter a 2048-bit
key DKIM keys as a single text string with a 255-character TXT record limit.
Your DKIM key might be truncated, or your DKIM records might be sent out of
order.
Recommended steps:- If you’re not able to enter your entire DKIM value as a single text
string, follow the steps DKIM keys and TXT record limits.
- Compare the DKIM record value at your provider with the value in your Admin
console, and verify your DKIM key is correct:
- Get the TXT record value from Admin console, for example google._domainkey.
- Go to the Google Admin Toolbox Dig tool.
- Click TXT
- Enter the TXT record value from Step 1, then add a period (.) and your
domain name to this value.
For example, if your domain is solarmora.com and the
TXT record value is google._domainkey, enter: google
._domainkey.solarmora.com
- Compare the results to the value in your Admin Console. If all key
characters are included and in the correct order, the DKIM key can be in 2 parts.
Check message forwarding
Even when DKIM is correctly set up for your domain, forwarded messages can
fail DKIM. This can be a result of how a mail server forwards messages.
Recommended step for email senders:- Make sure the message wasn’t changed during transit. Find the part of
the message header that starts with Authentication-Results. If the text next
to the dkim entry is body hash did not verify, the message was modified
during transit.
- If you use an outbound gateway, make sure it doesn't modify outgoing
messages before they're sent. For example, some outbound gateways add a
footer to the bottom of every outgoing message. This can cause DKIM to fail
because message contents are changed after the message was sent.
Recommended steps for email recipients:- Use Email Log Search to verify the message was forwarded. If the person who
reported the message as spam isn’t the original recipient, it’s likely the
message was forwarded.
- Contact the service that forwarded the message to find out if they can
change the way they forward messages.
Contact admins for servers rejecting
DKIM-signed messages
If DKIM is set up correctly, receiving servers may still reject messages
sent from your domain, or send messages to recipients’ spam folder.
Recommended steps:- Contact the administrator for the rejecting email server.
- Set up DMARC so you get reports about DKIM authentication results. Go to
Help prevent spoofing and spam with DMARC.
Verify your domain providers TXT record
character limits
If you get an error when you enter DKIM value, your domain provider might
limit the number of characters allowed in the DNS TXT record.
Recommended step:- Follow the instructions in DKIM keys and TXT record limits.
Review your email sending practices
If DKIM is set up correctly but messages are sent to spam, the cause might
be something other than DKIM.
Recommended step:- Make sure you're following the recommended guidelines for sending email
to Gmail users, especially if you send large amounts of email.