Suped

Why are my DKIM and DMARC failing in Gmail, and how can I fix it?

Matthew Whittaker
Co-founder & CTO, Suped
Published 26 Jul 2025
Updated 17 Aug 2025
Dealing with emails failing DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) in Gmail can be a frustrating experience. It often means your legitimate emails are landing in spam folders or being rejected outright. This issue has become even more critical with Gmail and Yahoo's new sender requirements, which mandate stronger authentication for bulk senders.
When an email fails these checks, Gmail, like other mailbox providers, loses trust in the sender. This can significantly impact your email deliverability and overall sender reputation. You might observe a sudden increase in bounce rates or a drop in engagement metrics, all pointing back to authentication problems.
It's a common misconception that if your SPF (Sender Policy Framework) and DKIM records are merely present, your emails will automatically pass DMARC. In reality, alignment is key. A misconfiguration, even a small one, can cause your perfectly legitimate emails to be flagged as suspicious.

Why authentication matters to Gmail

Email authentication protocols like DKIM and DMARC are crucial for verifying that an email is legitimate and has not been tampered with in transit. Gmail extensively relies on these signals to protect its users from phishing, spam, and spoofing. DKIM adds a digital signature to your email headers, allowing receiving servers to verify the email's authenticity and integrity. DMARC, on the other hand, builds upon SPF and DKIM by providing a framework for domain owners to instruct mailbox providers on how to handle emails that fail authentication checks, and to receive reports on their email streams.
For Gmail specifically, authentication isn't just about passing the technical checks. It's also about alignment. DMARC requires that the domain in the From header (RFC5322.From) align with either the domain used for SPF (Return-Path) or the domain used for DKIM (d= domain in the DKIM signature). If this alignment fails, even if SPF or DKIM technically pass, DMARC will fail. This is a critical point that many senders overlook, leading to unexpected delivery issues.
Gmail's Postmaster Tools can sometimes show a DKIM failure in its compliance dashboard because of a lack of domain alignment, even when the raw DKIM signature passes cryptographic verification. This distinction is vital for accurate troubleshooting.

Gmail's requirements

Gmail now requires a strong authentication posture for all senders, especially those sending more than 5,000 emails per day. This includes properly configured SPF, DKIM, and a DMARC policy that is enforced (p=quarantine or p=reject).

Common reasons for failures

Several factors can lead to DKIM and DMARC failures in Gmail. One of the most frequent is an incorrectly published DKIM record. This could be a simple typo, a missing part of the record, or not generating the key correctly from your sending service. If the DKIM signature in your email header doesn't match the public key in your DNS, it will fail.
Another common culprit is email forwarding. When an email is forwarded, the message content or headers can be modified, which can invalidate the original DKIM signature. This often leads to a DKIM failure at the recipient's end, even if the original message passed authentication. If you're forwarding emails to Gmail, this might be why you're seeing failures.
DMARC failing even when SPF and DKIM individually pass is almost always an alignment issue. Your SPF or DKIM domains must align with your From header domain. If you are using a third-party email service provider, make sure their sending domain is aligned. Misalignment is a primary cause for emails being sent to spam, particularly with Gmail.

Technical causes

  1. Incorrect DNS records: Typos or omissions in your DKIM or SPF TXT records.
  2. Duplicate SPF records: Having more than one SPF record can invalidate your SPF.
  3. Key rotation: Some providers rotate DKIM keys, requiring DNS updates.
  4. Message modification: Changes to the email content or headers after signing can break DKIM.

Alignment issues

  1. SPF misalignment: The domain in the Return-Path (envelope sender) doesn't match the From header.
  2. DKIM misalignment: The domain in the DKIM signature (d= tag) doesn't match the From header.
  3. Third-party sending: Using email service providers without proper setup, which leads to misalignment.

How to diagnose a failure

The first step in fixing authentication issues is to understand exactly why they're failing. For Gmail, this means examining the email headers. When you open an email in Gmail, you can click the three dots next to the reply button and select Show original. This will reveal detailed authentication results, including SPF, DKIM, and DMARC status.
Pay close attention to the Authentication-Results header. It will typically indicate dkim=pass, spf=pass, and dmarc=pass, or it might show fail, softfail, or temperror. If you see a fail, investigate the specific mechanism (SPF or DKIM) that failed and also check for alignment. Google provides detailed guidance on troubleshooting DMARC issues.
Example of a failing email header in Gmail:

    Authentication-Results: mx.google.com;
        dkim=fail header.i=@yourdomain.com header.s=s1 header.b=AbCdEfGh;
        spf=pass (google.com: domain of user@yourdomain.com designates 192.0.2.1 as permitted sender) smtp.mailfrom=user@yourdomain.com;
        dmarc=fail (p=reject sp=none dis=none) header.from=yourdomain.com
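The alignment check described above can be run directly on the Authentication-Results header. The following is an added example, not Suped's or Google's code: it parses the header, compares each DKIM and SPF identifier with header.from, and reports whether DMARC should pass. The headers are constructed, esp-mail.example is a hypothetical provider domain, and the organizational domain is approximated as the last two labels.

```python
import re

# Constructed headers (not captured mail), in the format Gmail shows above.
THIRD_PARTY = (
    "Authentication-Results: mx.google.com; dkim=pass header.i=@esp-mail.example "
    "header.s=s1 header.b=AbCdEfGh; spf=pass (google.com: domain of "
    "bounce@bounces.esp-mail.example designates 192.0.2.1 as permitted sender) "
    "smtp.mailfrom=bounce@bounces.esp-mail.example; "
    "dmarc=fail (p=reject sp=none dis=none) header.from=yourdomain.com")
SUBDOMAIN = (
    "Authentication-Results: mx.google.com; dkim=pass header.i=@mail.yourdomain.com "
    "header.s=s1 header.b=AbCdEfGh; spf=pass smtp.mailfrom=bounce@bounces.esp-mail.example; "
    "dmarc=pass (p=reject sp=none dis=none) header.from=yourdomain.com")

def org_domain(domain):
    # Assumption: last two labels. A real evaluator uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Map each method (dkim, spf, dmarc) to a list of {result, property: value}."""
    body = re.sub(r"\([^()]*\)", " ", header.split(":", 1)[1])  # strip comments
    parsed = {}
    for clause in body.split(";")[1:]:  # element 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].lower().split("=", 1)
        entry = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entry["result"] = result
        parsed.setdefault(method, []).append(entry)  # keeps multiple signatures
    return parsed

def triage(header, strict=False):
    """Compare every DKIM/SPF identifier with header.from, as DMARC does."""
    res = parse_auth_results(header)
    dmarc = (res.get("dmarc") or [{}])[0]
    from_dom = dmarc.get("header.from", "").lower()
    def aligned(dom):
        if not dom or not from_dom:
            return False
        return dom == from_dom if strict else org_domain(dom) == org_domain(from_dom)
    checks = []
    for method, keys in (("dkim", ("header.d", "header.i")), ("spf", ("smtp.mailfrom",))):
        for entry in res.get(method, []):
            ident = next((entry[k] for k in keys if k in entry), "")
            dom = ident.rsplit("@", 1)[-1].lower()
            checks.append((method, dom, entry["result"], aligned(dom)))
    return {"from": from_dom, "reported": dmarc.get("result"), "checks": checks,
            "expected_pass": any(r == "pass" and a for _, _, r, a in checks)}
```

For THIRD_PARTY both mechanisms pass but neither aligns, which is the "SPF and DKIM pass, DMARC fails" case; SUBDOMAIN passes under relaxed alignment and fails under strict.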
For ongoing monitoring, DMARC reports (RUA and RUF) are invaluable. These XML reports provide an aggregate view of your email traffic, showing which emails are passing or failing authentication, and why. Analyzing these reports helps you pinpoint widespread issues and track your progress in achieving full DMARC compliance. You can use a DMARC monitoring service to make these reports human-readable and actionable.
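To show what reading an aggregate (RUA) report involves, here is an added example, not part of the original article or of any Suped product. It separates records that fail DMARC because nothing authenticated from records that authenticated as some other domain, which is an alignment problem. The report is constructed in the RFC 7489 layout and the IPs and domains are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
_REC = """<record><row><source_ip>{0}</source_ip><count>{1}</count>
  <policy_evaluated><dkim>{2}</dkim><spf>{3}</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>{4}</domain><result>{5}</result></dkim>
  <spf><domain>{6}</domain><result>{7}</result></spf></auth_results></record>"""
SAMPLE_REPORT = "<feedback>" + "".join(_REC.format(*r) for r in [
    ("192.0.2.1", 120, "pass", "fail", "yourdomain.com", "pass", "bounces.esp-mail.example", "pass"),
    ("198.51.100.7", 40, "fail", "fail", "esp-mail.example", "pass", "bounces.esp-mail.example", "pass"),
    ("203.0.113.9", 3, "fail", "fail", "yourdomain.com", "fail", "unknown-host.example", "fail"),
]) + "</feedback>"

def classify_records(xml_text):
    """Label each <record>: ok, alignment (passed as another domain) or authentication."""
    # Reports come from third parties: in production parse them with a hardened
    # XML parser (for example defusedxml) rather than the bare standard library.
    out = []
    for rec in ET.fromstring(xml_text).iter("record"):
        # policy_evaluated holds the DMARC-aligned results, auth_results the raw ones.
        ev = rec.find("row/policy_evaluated")
        aligned_pass = ev is not None and "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        raw = rec.find("auth_results")
        passed_as = [f"{m.tag}:{m.findtext('domain')}"
                     for m in (raw if raw is not None else [])
                     if m.findtext("result") == "pass"]
        cause = "ok" if aligned_pass else ("alignment" if passed_as else "authentication")
        out.append({"source_ip": rec.findtext("row/source_ip"),
                    "count": int(rec.findtext("row/count", "0")),
                    "header_from": rec.findtext("identifiers/header_from"),
                    "cause": cause, "passed_as": passed_as})
    return out

def failing_volume(records):
    """Messages per failure cause, so the largest broken stream is fixed first."""
    totals = {}
    for r in records:
        if r["cause"] != "ok":
            totals[r["cause"]] = totals.get(r["cause"], 0) + r["count"]
    return totals

if __name__ == "__main__":
    for row in classify_records(SAMPLE_REPORT):
        print(row)
```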

| Authentication check | Passing status | Failing status |
|---|---|---|
| DKIM | dkim=pass (signature valid, domain aligned) | dkim=fail (signature invalid or not present), dkim=neutral (domain not aligned) |
| SPF | spf=pass (sending IP authorized, domain aligned) | spf=fail (sending IP unauthorized), spf=softfail (suspect IP), spf=neutral (domain not aligned) |
| DMARC | dmarc=pass (SPF or DKIM passed with alignment) | dmarc=fail (both SPF and DKIM failed or lacked alignment) |

Fixing common problems

To resolve DKIM and DMARC failures, you need to systematically check and correct your DNS records and sending practices. First, ensure your DKIM record is correctly published in your DNS. This involves verifying the selector name and the public key provided by your email service. Even a single character error can cause a DKIM failure. If you recently changed email service providers, you'll need to update your DKIM records to reflect the new keys.
Next, review your SPF record. Make sure all legitimate sending sources for your domain are included and that you don't have multiple SPF records, which is a common mistake. If you're using Google Workspace, ensure its SPF record is properly integrated. Once SPF and DKIM are set up, focus on DMARC alignment. This means ensuring the From domain matches the SPF domain (Return-Path) or the DKIM signing domain. If you are using a third-party sender, ensure they are signing emails with your domain or a subdomain that aligns.
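The record checks in the two paragraphs above can be automated before anything is published. This added example (not from the original article) lints TXT records for three of the mistakes named on this page: more than one SPF record, a hidden character pasted into a DKIM key, and a truncated or mistyped key. The zone data is constructed, the selectors s2 and s3 and the domain esp-mail.example are hypothetical, and the key is placeholder bytes rather than a real public key.

```python
import base64
import re

# Constructed records. GOOD_KEY is valid base64 of placeholder bytes, not a real key.
GOOD_KEY = base64.b64encode(b"constructed bytes, not a real key").decode()
SAMPLE_ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com ~all",
                       "v=spf1 include:esp-mail.example ~all"],
    "s1._domainkey.yourdomain.com": ["v=DKIM1; k=rsa; p=" + GOOD_KEY],
    "s2._domainkey.yourdomain.com": [
        "v=DKIM1; k=rsa; p=" + GOOD_KEY[:10] + "\u200b" + GOOD_KEY[10:]],
    "s3._domainkey.yourdomain.com": ["v=DKIM1; k=rsa; p=" + GOOD_KEY[:-3]],
}

def lint_txt_records(txt_by_name):
    """Return (name, problem) pairs. Values are TXT strings already joined from
    their 255-byte chunks, as a resolver library would hand them over."""
    problems = []
    for name, records in txt_by_name.items():
        # More than one v=spf1 record makes SPF evaluate to a permanent error.
        if sum(bool(re.match(r"v=spf1(\s|$)", r, re.I)) for r in records) > 1:
            problems.append((name, "spf-duplicate"))
        if "._domainkey." not in name.lower():
            continue
        for rec in records:
            if not rec.isascii():
                problems.append((name, "dkim-non-ascii"))  # pasted hidden character
                continue
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    tag, value = part.split("=", 1)
                    tags[tag.strip()] = value
            key = re.sub(r"\s+", "", tags.get("p", ""))
            if not key:
                problems.append((name, "dkim-empty-key"))  # missing or revoked key
                continue
            try:
                base64.b64decode(key, validate=True)
            except ValueError:
                problems.append((name, "dkim-bad-base64"))  # typo or truncated paste
    return problems
```

A clean result only means the records are well formed; whether the key matches the one your provider signs with still has to be confirmed from a delivered message's headers.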
If your DMARC policy is currently set to p=reject or p=quarantine, consider temporarily changing it to p=none (monitor mode) while you troubleshoot. This will prevent legitimate emails from being blocked, though they might still land in spam. Once issues are resolved, gradually move back to an enforced policy. Regularly checking your Google Postmaster Tools dashboard will also provide insights into your domain's health with Gmail.

Caution when changing DMARC policy

Changing your DMARC policy from an enforced state (p=quarantine or p=reject) to p=none should be a temporary measure only. While it helps in troubleshooting by preventing rejections, it also removes the protection against email spoofing. Ensure you have a plan to return to an enforced policy once all issues are resolved to maintain your domain's security and reputation.

Views from the trenches

Best practices
Always maintain precise and current DNS records for SPF, DKIM, and DMARC. Regularly audit them.
Utilize DMARC reporting to gain insights into email authentication outcomes and identify potential issues.
For third-party sending services, configure custom DKIM signing to ensure alignment with your domain.
Keep an eye on Gmail's Postmaster Tools for reputation data and specific authentication feedback.
Adopt a proactive approach to monitoring email deliverability to catch issues early.
Common pitfalls
Ignoring DMARC alignment, even if SPF or DKIM individually pass authentication.
Assuming that SPF and DKIM are correctly configured without verifying actual email headers.
Failing to update DKIM records when changing email service providers or keys are rotated.
Using a strict DMARC policy (p=reject) before thoroughly verifying all legitimate email streams.
Not monitoring DMARC reports, thus missing critical authentication failures for your domain.
Expert tips
Implement a DMARC record with a 'p=none' policy initially to collect reports without impacting delivery.
Check for any hidden characters or formatting issues when copying DKIM or SPF records from providers.
If using Google Workspace's 'send mail as' feature, ensure that the primary domain authentication is strong.
Be aware that email forwarding can break DKIM signatures, which may impact DMARC validation.
Consider a dedicated IP address for high-volume sending to maintain better control over your sender reputation.
Marketer view
Marketer from Email Geeks says they started noticing failed DKIM and DMARC in Gmail headers for some newsletters and marketing emails they subscribed to in early December, and those emails were landing in spam.
2025-01-06 - Email Geeks
Expert view
Expert from Email Geeks says that if DKIM and DMARC are failing, something likely happened on the sending side rather than Gmail changing its validation process. They suggested using an email testing tool.
2025-01-06 - Email Geeks

Ensuring long-term deliverability

Achieving consistent email deliverability, especially to major inbox providers like Gmail, requires a proactive approach to email authentication. DKIM and DMARC are not just technical checkboxes; they are fundamental to building and maintaining a trustworthy sender reputation. Consistent failures indicate underlying issues that need immediate attention.
By diligently monitoring your DMARC reports, regularly reviewing your SPF and DKIM DNS records, and ensuring proper alignment, you can significantly reduce the instances of your emails failing authentication checks. This commitment to robust email security protocols will not only improve your inbox placement but also protect your domain from malicious spoofing and phishing attempts, reinforcing trust with your recipients.
Remember, email authentication standards are continually evolving, with providers like Yahoo and Microsoft also tightening their requirements. Staying informed and agile in managing your email authentication will be key to long-term deliverability success.
