Suped

Why is GPT showing DKIM/DMARC authentication failures despite correct DNS records?

9Marketer opinions5Expert opinions5Technical articles2Resources

Summary

Even with seemingly correct DNS records, Google Postmaster Tools (GPT) can display DKIM/DMARC authentication failures due to a multitude of factors. These include Google's analysis of received emails beyond just DNS records, potential spoofing or signature failures, limitations in SPF records from platforms like Hubspot, issues in DMARC policy enforcement due to alignment failures, incorrect DKIM key rotations, problems arising from email forwarding or subdomain delegation, differences in regional DNS resolutions, exceeding SPF lookup limits, having multiple SPF records, impacts from shared hosting environments, the necessity to test configurations, the impact of organizational domain compliancy being set to organizational when it should be set to subdomain, incorrect domain record set ups, DMARC key sizes being below 1024 bits and DNS propogation delays. This emphasizes the need for detailed investigations beyond basic DNS record checks.

Key findings

  • Beyond DNS Records: Google assesses email content and not solely DNS records for authentication.
  • Potential Spoofing: Authentication failures might stem from spoofing attempts.
  • Hubspot SPF Records: SPF configurations may be different in your own domain and on a platform such as Hubspot.
  • DMARC Alignment: DMARC policies cause failures if alignment falters, regardless of passing SPF/DKIM
  • Key Rotation Problems: Improper management of DKIM keys during rotation lead to failures.
  • Email Forwarding: Forwarding leads to SPF alignment and failure.
  • Domain Compliance Setting: Ensure your domain compliance is set correctly between organisational and subdomain.
  • Subdomain Settings: Configuration errors with DKIM and DMARC will cause failures.
  • Regional Issues: Varying DNS resolution between different areas will cause failures.
  • SPF Configuration: Exceeding the SPF lookup limitations are common issues.
  • Multiple SPF: Using multiple SPF invalidates authentication.
  • Incorrect Record syntax: Record syntax will cause failure.
  • Shared Hosting: Third party domains can affect your domain's reputation.
  • DNS Propagation Delay: Allow time for DNS to fully propagate.
  • Testing is Needed: Authentication may only fail in a test environment.
  • DKIM keysize: Standard DKIM keysize needs to be at least 1024

Key considerations

  • Review Email Streams: Consider third-party integrations when analysing results
  • DMARC key size standard: Make sure to adhere to standard minimums
  • Investigate Signatures: Delve into the potential causes of failing signatures.
  • Domain Set-up: Is your DNS set-up correct, and has it fully propagated.
  • Address Forwarding: Don't be using a forwarding address.
  • Limit Lookups: Is your SPF limited to DNS lookups to reduce errors.
  • Use Testing Tools: Is your email test server setup correctly, use third party testing services to check.
  • Consolidate SPF Records: Using a singular SPF should improve your authentication
  • Domain Compliancy settings: Make sure to set correctly based on which part of the domain you are setting it to.

What email marketers say
9Marketer opinions

GPT might report DKIM/DMARC authentication failures despite seemingly correct DNS records due to various reasons. These include: propagation delays after DNS changes, typos in DNS records, DMARC policy enforcement issues, incorrect DKIM key rotation, email forwarding problems, incorrect subdomain delegation, regional DNS differences, exceeding SPF lookup limits, multiple SPF records, shared hosting issues impacting reputation, and the necessity for third-party testing to confirm configurations.

Key opinions

  • DNS Propagation: DNS changes can take time to propagate, causing temporary authentication failures.
  • Record Errors: Even minor typos in DKIM/DMARC records can lead to failures.
  • DMARC Enforcement: DMARC policy enforcement can cause failures if alignment isn't correct, even if SPF/DKIM pass.
  • Key Rotation: Improper DKIM key rotation can result in authentication issues.
  • Forwarding Issues: Email forwarding can cause SPF failures due to misalignment.
  • Subdomain Issues: Incorrectly configured DKIM/DMARC for subdomains can cause failures.
  • Regional DNS Differences: DNS records may resolve differently in different regions, causing intermittent failures.
  • SPF Lookup Limits: Exceeding SPF lookup limits can lead to errors.
  • Multiple SPF Records: Having multiple SPF records invalidates authentication.
  • Shared Hosting: Shared hosting environments can impact reputation, causing failures.
  • Testing Needed: DNS records may appear correct but still fail in certain environments, requiring testing.
  • Unauthorized Use: GPT reports on both authorized and unauthorized use of the domain. Check IP addresses.

Key considerations

  • Verify DNS Records: Double-check DKIM, DMARC, and SPF records for typos and correct syntax.
  • Check DNS Propagation: Allow sufficient time for DNS changes to propagate fully.
  • Monitor DMARC Reports: Regularly monitor DMARC reports to identify and address authentication issues.
  • Test Configurations: Use third-party tools to test email authentication configurations.
  • Review Subdomain Settings: Ensure DKIM and DMARC records are correctly configured for subdomains.
  • Limit SPF Lookups: Optimize SPF records to stay within DNS lookup limits.
  • Maintain Single SPF Record: Consolidate all authorized sending sources into a single SPF record.
  • Monitor Reputation: Be aware of reputation issues if using shared hosting.
  • Investigate Unauthorized Use: Check IP address screen in GPT to identify unfamiliar IP addresses.
Marketer view

Marketer from Email Geeks suggests that GPT reports on both authorized and unauthorized use of a domain and recommends checking the IP address screen in GPT to identify unfamiliar IPs.

February 2025 - Email Geeks
Marketer view

Email marketer from Reddit shares that when emails are forwarded, the SPF record of the original sender might not match the forwarding server, causing SPF to fail. While DKIM could still pass if set up correctly, DMARC may fail due to SPF misalignment.

June 2021 - Reddit
Marketer view

Email marketer from AuthSMTP answers that on shared hosting, other users may be sending spam which will effect your domain reputation causing failure.

January 2022 - AuthSMTP
Marketer view

Email marketer from Mailjet explains that even if you've correctly configured your DNS records, it can take some time for these changes to propagate across the internet. During this propagation period, some servers might still be using outdated information, leading to authentication failures. It is also important to verify the records with a DNS lookup tool.

July 2022 - Mailjet
Marketer view

Email marketer from Email on Acid Support shares that in rare cases, DNS records might resolve differently in different geographic regions. This means that your records might be correct in one region but not in another, causing intermittent authentication failures. Using a global DNS checker can help identify these issues.

November 2022 - Email on Acid
Marketer view

Email marketer from SparkPost explains that even a minor typo in your DKIM or DMARC records can cause authentication failures. Double-check your records for any errors, such as incorrect syntax, missing semicolons, or extra spaces.

January 2025 - SparkPost
Marketer view

Email marketer from MXToolbox answers that having multiple SPF records can invalidate your authentication. You should have a single SPF record that includes all authorized sending sources.

October 2022 - MXToolbox
Marketer view

Email marketer from GlockApps that DNS records can be set up correctly but not work in a test environment, testing your DNS configuration records with a 3rd party testing tool is advisable.

June 2024 - GlockApps
Marketer view

Email marketer from StackOverflow responds that if you are sending email from a subdomain, ensure that the DKIM and DMARC records are set up correctly for the subdomain and not just the main domain. Subdomain delegation can sometimes cause authentication issues if not properly configured.

November 2024 - StackOverflow

What the experts say
5Expert opinions

Even with correct DNS records, Google Postmaster Tools (GPT) can show DKIM/DMARC authentication failures due to several factors. These include the fact that Google evaluates emails received and not just DNS records, potential issues of signature failures, spoofing, or reliance on SPF results which may not reflect the entire email stream if using third party platforms like Hubspot. Failures can also stem from discrepancies between organizational domain configurations and subdomain records, and needing to use third-party tools to correctly setup a DMARC record.

Key opinions

  • Google Evaluation: Google examines received emails, not just DNS records, for authentication.
  • Signature Failures: DKIM failures suggest signature failures.
  • SPF Limitations: SPF success rates from platforms like Hubspot may not reflect all email streams.
  • Subdomain Discrepancies: DMARC failures can occur due to differences between organizational domains and subdomain records.
  • Misconfigurations: Check for incorrect record syntax, propagation delays, and alignment issues.
  • Spoofing: Spoofing events can trigger a DMARC failure.

Key considerations

  • Investigate Signature Failures: If DKIM is failing, investigate potential signature failures.
  • Organizational Domain Check: When analyzing a subdomain, make sure to also analyze the organizational domain.
  • DMARC Reporting: Use a third party DMARC reporting tool.
  • Review Third-party Integrations: Be aware that third party systems like Hubspot may not always correctly convey the correct SPF result.
  • Record Analysis: Check record syntax, propagation delays, and alignment issues.
Expert view

Expert from Email Geeks explains that Google looks at the email it's receiving, not just the DNS records. Even if DNS records are fine, authentication can still be broken, and suggests that something may have broken or spoofing may be occurring.

April 2023 - Email Geeks
Expert view

Expert from Spamresource.com suggests that there are several reasons for failure, but to check common misconfigurations such as incorrect record syntax, propagation delays after updates, and alignment issues where the domain in the 'From' address doesn't match the domain used for DKIM signing or SPF authorization. They recommend using third party tools to confirm configurations work.

October 2021 - Spamresource.com
Expert view

Expert from Word to the Wise explains that DMARC failures can occur if there are changes to the organizational domain which are not reflected in the subdomain DNS records. It can also arise if compliancy dashboard in GPT is set to organisational domain when looking at a subdomain.

December 2022 - Word to the Wise
Expert view

Expert from Email Geeks shares that DKIM failing indicates a signature failure and that SPF success rate from Hubspot won't reflect SPF for Hubspot mail, rather 1:1 mail for the domain.

June 2022 - Email Geeks
Expert view

Expert from Email Geeks suggests using a third-party DMARC reporting tool as DMARC reports are not human-readable and need to be processed by a system.

February 2022 - Email Geeks

What the documentation says
5Technical articles

Even when DNS records appear correct, Google Postmaster Tools (GPT) may show DKIM/DMARC authentication failures for several technical reasons. These include DMARC policy enforcement when alignment fails despite passing SPF/DKIM, issues related to DKIM key rotation, incomplete SPF records that do not include IPv6 addresses, exceeding SPF lookup limits, or using a DKIM key size below 1024 bits.

Key findings

  • DMARC Policy Enforcement: DMARC policies (quarantine/reject) are enforced even if SPF/DKIM pass, if alignment fails.
  • DKIM Key Rotation: Incorrect DKIM key rotation leads to authentication failures.
  • Incomplete SPF Records: SPF records missing IPv6 addresses cause failures for IPv6 mail streams.
  • SPF Lookup Limits: Exceeding SPF lookup limits results in 'permerror' or 'temperror'.
  • DKIM Key Size: DKIM key size below 1024 bits causes failures

Key considerations

  • Check DMARC Alignment: Ensure proper alignment between the 'From' address and DKIM/SPF domains.
  • Manage Key Rotation Carefully: During DKIM key rotation, keep both old and new keys valid.
  • Update SPF Records: Include IPv6 addresses in SPF records if sending from IPv6 addresses.
  • Optimize SPF Lookups: Reduce the number of DNS lookups in SPF records.
  • Use DKIM Standard Keysize: Use a DKIM keysize larger than 1024 bits.
Technical article

Documentation from Microsoft explains that SPF records need to include IPv6 addresses if you are sending mail from IPv6 addresses. An incomplete SPF record that only lists IPv4 addresses will cause SPF to fail for IPv6 mail streams.

April 2022 - Microsoft Documentation
Technical article

Documentation from DMARC.org explains that if your DMARC policy is set to 'p=quarantine' or 'p=reject', email receivers will enforce the policy even if SPF and DKIM pass, but alignment fails. Alignment refers to the domain used in the 'From' address matching the DKIM signing domain or SPF authorized domain.

August 2021 - DMARC.org
Technical article

Documentation from Google Workspace Admin Help explains that if you've recently rotated your DKIM keys, ensure that both the old and new keys are valid and published in your DNS records during the transition period. If the receiving server uses the old key while it's being phased out, authentication will fail.

September 2022 - Google Workspace Admin Help
Technical article

Email marketer from DKIM standard answers that DKIM standard may not be met if key size is below 1024 bits which can cause failure.

August 2023 - DKIM standard
Technical article

Documentation from RFC 7208 details that SPF specifications limit the number of DNS lookups that can be performed during SPF evaluation. If your SPF record requires too many lookups (e.g., through multiple 'include:' mechanisms), the SPF check may return a 'permerror' or 'temperror', leading to authentication failure.

November 2023 - RFC 7208

Related resources
2Resources

SPF Record in Route 53 and Google Workspace not aligned? | AWS ...
SPF Record in Route 53 and Google Workspace not aligned? | AWS ...

I use Google Workspace to host my email. I'm a novice when it comes to DNS records, but yesterday, I moved away from Cloudflare to AWS Route 53 because someone was making changes to my account via ...

Amazon Web Services, Inc.
Problems with Transactional Emails from MailGun in Outlook and ...
Problems with Transactional Emails from MailGun in Outlook and ...

Understanding Delivery Challenges for Transactional Emails

Medium

Related questions