Summary
Even with seemingly correct DNS records, Google Postmaster Tools (GPT) can display DKIM/DMARC authentication failures due to a multitude of factors. These include Google's analysis of received emails beyond just DNS records, potential spoofing or signature failures, limitations in SPF records from platforms like Hubspot, issues in DMARC policy enforcement due to alignment failures, incorrect DKIM key rotations, problems arising from email forwarding or subdomain delegation, differences in regional DNS resolutions, exceeding SPF lookup limits, having multiple SPF records, impacts from shared hosting environments, the necessity to test configurations, the impact of organizational domain compliancy being set to organizational when it should be set to subdomain, incorrect domain record set ups, DMARC key sizes being below 1024 bits and DNS propogation delays. This emphasizes the need for detailed investigations beyond basic DNS record checks.
Key findings
- Beyond DNS Records: Google assesses email content and not solely DNS records for authentication.
- Potential Spoofing: Authentication failures might stem from spoofing attempts.
- Hubspot SPF Records: SPF configurations may be different in your own domain and on a platform such as Hubspot.
- DMARC Alignment: DMARC policies cause failures if alignment falters, regardless of passing SPF/DKIM
- Key Rotation Problems: Improper management of DKIM keys during rotation lead to failures.
- Email Forwarding: Forwarding leads to SPF alignment and failure.
- Domain Compliance Setting: Ensure your domain compliance is set correctly between organisational and subdomain.
- Subdomain Settings: Configuration errors with DKIM and DMARC will cause failures.
- Regional Issues: Varying DNS resolution between different areas will cause failures.
- SPF Configuration: Exceeding the SPF lookup limitations are common issues.
- Multiple SPF: Using multiple SPF invalidates authentication.
- Incorrect Record syntax: Record syntax will cause failure.
- Shared Hosting: Third party domains can affect your domain's reputation.
- DNS Propagation Delay: Allow time for DNS to fully propagate.
- Testing is Needed: Authentication may only fail in a test environment.
- DKIM keysize: Standard DKIM keysize needs to be at least 1024
Key considerations
- Review Email Streams: Consider third-party integrations when analysing results
- DMARC key size standard: Make sure to adhere to standard minimums
- Investigate Signatures: Delve into the potential causes of failing signatures.
- Domain Set-up: Is your DNS set-up correct, and has it fully propagated.
- Address Forwarding: Don't be using a forwarding address.
- Limit Lookups: Is your SPF limited to DNS lookups to reduce errors.
- Use Testing Tools: Is your email test server setup correctly, use third party testing services to check.
- Consolidate SPF Records: Using a singular SPF should improve your authentication
- Domain Compliancy settings: Make sure to set correctly based on which part of the domain you are setting it to.
What email marketers say
9 marketer opinions
GPT might report DKIM/DMARC authentication failures despite seemingly correct DNS records due to various reasons. These include: propagation delays after DNS changes, typos in DNS records, DMARC policy enforcement issues, incorrect DKIM key rotation, email forwarding problems, incorrect subdomain delegation, regional DNS differences, exceeding SPF lookup limits, multiple SPF records, shared hosting issues impacting reputation, and the necessity for third-party testing to confirm configurations.
Key opinions
- DNS Propagation: DNS changes can take time to propagate, causing temporary authentication failures.
- Record Errors: Even minor typos in DKIM/DMARC records can lead to failures.
- DMARC Enforcement: DMARC policy enforcement can cause failures if alignment isn't correct, even if SPF/DKIM pass.
- Key Rotation: Improper DKIM key rotation can result in authentication issues.
- Forwarding Issues: Email forwarding can cause SPF failures due to misalignment.
- Subdomain Issues: Incorrectly configured DKIM/DMARC for subdomains can cause failures.
- Regional DNS Differences: DNS records may resolve differently in different regions, causing intermittent failures.
- SPF Lookup Limits: Exceeding SPF lookup limits can lead to errors.
- Multiple SPF Records: Having multiple SPF records invalidates authentication.
- Shared Hosting: Shared hosting environments can impact reputation, causing failures.
- Testing Needed: DNS records may appear correct but still fail in certain environments, requiring testing.
- Unauthorized Use: GPT reports on both authorized and unauthorized use of the domain. Check IP addresses.
Key considerations
- Verify DNS Records: Double-check DKIM, DMARC, and SPF records for typos and correct syntax.
- Check DNS Propagation: Allow sufficient time for DNS changes to propagate fully.
- Monitor DMARC Reports: Regularly monitor DMARC reports to identify and address authentication issues.
- Test Configurations: Use third-party tools to test email authentication configurations.
- Review Subdomain Settings: Ensure DKIM and DMARC records are correctly configured for subdomains.
- Limit SPF Lookups: Optimize SPF records to stay within DNS lookup limits.
- Maintain Single SPF Record: Consolidate all authorized sending sources into a single SPF record.
- Monitor Reputation: Be aware of reputation issues if using shared hosting.
- Investigate Unauthorized Use: Check IP address screen in GPT to identify unfamiliar IP addresses.
Marketer view
Marketer from Email Geeks suggests that GPT reports on both authorized and unauthorized use of a domain and recommends checking the IP address screen in GPT to identify unfamiliar IPs.
4 Apr 2024 - Email Geeks
Marketer view
Email marketer from Reddit shares that when emails are forwarded, the SPF record of the original sender might not match the forwarding server, causing SPF to fail. While DKIM could still pass if set up correctly, DMARC may fail due to SPF misalignment.
29 Apr 2025 - Reddit
What the experts say
5 expert opinions
Even with correct DNS records, Google Postmaster Tools (GPT) can show DKIM/DMARC authentication failures due to several factors. These include the fact that Google evaluates emails received and not just DNS records, potential issues of signature failures, spoofing, or reliance on SPF results which may not reflect the entire email stream if using third party platforms like Hubspot. Failures can also stem from discrepancies between organizational domain configurations and subdomain records, and needing to use third-party tools to correctly setup a DMARC record.
Key opinions
- Google Evaluation: Google examines received emails, not just DNS records, for authentication.
- Signature Failures: DKIM failures suggest signature failures.
- SPF Limitations: SPF success rates from platforms like Hubspot may not reflect all email streams.
- Subdomain Discrepancies: DMARC failures can occur due to differences between organizational domains and subdomain records.
- Misconfigurations: Check for incorrect record syntax, propagation delays, and alignment issues.
- Spoofing: Spoofing events can trigger a DMARC failure.
Key considerations
- Investigate Signature Failures: If DKIM is failing, investigate potential signature failures.
- Organizational Domain Check: When analyzing a subdomain, make sure to also analyze the organizational domain.
- DMARC Reporting: Use a third party DMARC reporting tool.
- Review Third-party Integrations: Be aware that third party systems like Hubspot may not always correctly convey the correct SPF result.
- Record Analysis: Check record syntax, propagation delays, and alignment issues.
Expert view
Expert from Email Geeks explains that Google looks at the email it's receiving, not just the DNS records. Even if DNS records are fine, authentication can still be broken, and suggests that something may have broken or spoofing may be occurring.
26 May 2022 - Email Geeks
Expert view
Expert from Spamresource.com suggests that there are several reasons for failure, but to check common misconfigurations such as incorrect record syntax, propagation delays after updates, and alignment issues where the domain in the 'From' address doesn't match the domain used for DKIM signing or SPF authorization. They recommend using third party tools to confirm configurations work.
2 May 2023 - Spamresource.com
What the documentation says
5 technical articles
Even when DNS records appear correct, Google Postmaster Tools (GPT) may show DKIM/DMARC authentication failures for several technical reasons. These include DMARC policy enforcement when alignment fails despite passing SPF/DKIM, issues related to DKIM key rotation, incomplete SPF records that do not include IPv6 addresses, exceeding SPF lookup limits, or using a DKIM key size below 1024 bits.
Key findings
- DMARC Policy Enforcement: DMARC policies (quarantine/reject) are enforced even if SPF/DKIM pass, if alignment fails.
- DKIM Key Rotation: Incorrect DKIM key rotation leads to authentication failures.
- Incomplete SPF Records: SPF records missing IPv6 addresses cause failures for IPv6 mail streams.
- SPF Lookup Limits: Exceeding SPF lookup limits results in 'permerror' or 'temperror'.
- DKIM Key Size: DKIM key size below 1024 bits causes failures
Key considerations
- Check DMARC Alignment: Ensure proper alignment between the 'From' address and DKIM/SPF domains.
- Manage Key Rotation Carefully: During DKIM key rotation, keep both old and new keys valid.
- Update SPF Records: Include IPv6 addresses in SPF records if sending from IPv6 addresses.
- Optimize SPF Lookups: Reduce the number of DNS lookups in SPF records.
- Use DKIM Standard Keysize: Use a DKIM keysize larger than 1024 bits.
Technical article
Documentation from Microsoft explains that SPF records need to include IPv6 addresses if you are sending mail from IPv6 addresses. An incomplete SPF record that only lists IPv4 addresses will cause SPF to fail for IPv6 mail streams.
7 Jul 2023 - Microsoft Documentation
Technical article
Documentation from DMARC.org explains that if your DMARC policy is set to 'p=quarantine' or 'p=reject', email receivers will enforce the policy even if SPF and DKIM pass, but alignment fails. Alignment refers to the domain used in the 'From' address matching the DKIM signing domain or SPF authorized domain.
30 Dec 2023 - DMARC.org
How do I troubleshoot and fix SPF and DMARC settings for email deliverability issues?
How to diagnose DMARC failures using DMARC reports?
How to deal with a failing DMARC email authentication protocol?
How do I properly set up DMARC records and reporting for email authentication?
How can I troubleshoot DMARC failures and identify the cause of authentication issues?
How do I troubleshoot DMARC failures and potential DKIM replay attacks affecting email deliverability?
