What could cause Gmail SPF/DKIM issues and how to check authentication results in email headers?
Michael Ko
Co-founder & CEO, Suped
Published 27 Apr 2025
Updated 15 Aug 2025
Email authentication, specifically Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), is critical for ensuring your emails reach their intended recipients, especially with mailbox providers like Gmail. When these authentication methods fail, your emails can land in the spam folder, or even be rejected outright. I've seen countless instances where businesses struggle with deliverability simply because their SPF or DKIM records aren't set up correctly or are misaligned.
A common scenario involves seeing a sudden drop in inbox placement rates, only to discover authentication failures in Google Postmaster Tools or bounce messages. Understanding the root causes of these issues and knowing how to quickly diagnose them by inspecting email headers is essential for maintaining strong email deliverability.
SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. It helps receiving mail servers verify that an email claiming to be from your domain actually originates from an allowed IP address. If an email is sent from an unauthorized server, it can fail SPF authentication, leading to delivery problems or even getting added to a blocklist (blacklist).
DKIM (DomainKeys Identified Mail) provides a way to verify the authenticity of an email message and ensures it hasn't been tampered with in transit. This is achieved by attaching a digital signature to the email header. The receiving server then uses a public key, published in your domain's DNS records, to verify this signature. A mismatch means the message was altered or signed incorrectly, resulting in a DKIM failure.
Both SPF and DKIM are fundamental to email security and are prerequisites for implementing DMARC (Domain-based Message Authentication, Reporting & Conformance). Google and Yahoo's new email sender requirements underscore their importance, as unauthenticated emails are heavily penalized. Ensuring these are correctly configured is the first step towards better inbox placement.
Example SPF record
Basic SPF record for Google Workspace and SendGrid
This example allows mail from _spf.google.com and sendgrid.net. The ~all indicates a softfail for other servers.
Common causes of SPF and DKIM authentication issues
Several factors can lead to SPF and DKIM authentication issues with Gmail (and other mailbox providers). One of the most common causes is DNS misconfigurations. This includes typos in your SPF record, exceeding the 10-lookup limit in SPF, or incorrect DKIM public keys published in DNS. If your DNS records are not publicly accessible or frequently go down, it can cause intermittent authentication failures.
Another frequent culprit is email forwarding. When an email is forwarded, the forwarding server often changes the 'Return-Path' (Mail From) address. This breaks SPF, as the original sender's SPF record no longer authorizes the forwarding server's IP. While DKIM is generally more resilient to forwarding, some forwarding services might modify the email body or headers, which can invalidate the DKIM signature. This is a common reason why legitimate emails might fail authentication, especially for those being relayed through various systems. You can learn more about how email forwarding can break DMARC and its underlying authentication protocols.
Beyond DNS and forwarding, changes to your sending infrastructure can cause issues. If you start using a new email service provider (ESP) or a new IP address for sending, and fail to update your SPF record to include these new sending sources, SPF will fail. Similarly, if your ESP rotates DKIM keys or changes how they sign emails, your existing DKIM setup might become invalid. This also ties into DMARC alignment, where the domain used for SPF or DKIM authentication must align with the 'From' header domain for DMARC to pass.
SPF challenges
IP Address Changes: New sending IPs or ESPs not added to SPF record.
DNS Lookup Limit: Exceeding the 10 DNS lookup limit, causing SPF TempError.
Email Forwarding: Changes to the Return-Path on forwarded emails often cause SPF to fail. This is a common issue for emails forwarded to Gmail.
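To make the lookup limit above concrete, the following added example (not code from the original article) walks an SPF record and its nested includes and counts the terms that trigger DNS queries. The zone data is constructed and stands in for live DNS, and the function names are this example's own.

```python
import re

# Constructed TXT data standing in for live DNS so this runs offline; the
# record contents and the .example hosts are invented for illustration.
ZONE = {
    "yourdomain.com": "v=spf1 include:_spf.google.com include:sendgrid.net "
                      "include:spf.crm.example a mx ~all",
    "_spf.google.com": "v=spf1 include:nb1.example include:nb2.example "
                       "include:nb3.example ~all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf.crm.example": "v=spf1 include:nb1.example a:relay.crm.example mx ~all",
    "nb1.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "nb2.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "nb3.example": "v=spf1 ip4:203.0.113.128/25 ~all",
}
LOOKUP_LIMIT = 10
# Terms that cost one DNS query each; ip4, ip6 and all cost none.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def count_lookups(domain, zone, path=()):
    """Return (dns_lookups, problems) for the SPF record published at domain."""
    if domain in path:
        return 0, [f"include loop at {domain}"]
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0, [f"no SPF record at {domain}"]
    total, problems = 0, []
    for term in record.split()[1:]:
        # Strip the qualifier, then split "name:arg" or "name=arg"; drop any /cidr.
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lstrip("+-~?").lower())
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            sub, sub_problems = count_lookups(m.group(2), zone, path + (domain,))
            total += sub
            problems += sub_problems
    return total, problems

def check(domain, zone):
    """Count lookups and flag a record that goes over the limit."""
    total, problems = count_lookups(domain, zone)
    if total > LOOKUP_LIMIT:
        problems.append(f"{total} DNS lookups exceed the limit of {LOOKUP_LIMIT}")
    return total, problems
```

In the constructed zone the top-level record looks short, but the nested includes bring the total to 11; removing the CRM include brings it back to 7.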
DKIM challenges
DNS Key Errors: Incorrectly published or missing DKIM public keys in DNS. See the guidance on troubleshooting DKIM issues in Google Workspace.
Message Alteration: Email content or headers modified after signing, such as by a mailing list or CRM, invalidating the signature.
Selector Misuse: Using the wrong DKIM selector, or an outdated key pair.
Checking authentication results in email headers
The fastest way to diagnose SPF and DKIM problems is by examining the email headers of a message sent from your domain. If an email has gone to spam, or if you suspect authentication issues, checking the headers will provide crucial diagnostic information. Here's how to access them in Gmail and what to look for:
Open the email in Gmail.
Click the three-dot menu (More) next to the reply button.
Select Show original.
This will open a new tab showing the full raw email headers. The section you want to focus on is Authentication-Results. Here's an example of what you might see:
Example Gmail Authentication-Results header
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=s1;
       spf=pass (google.com: domain of your_email@yourdomain.com designates 192.0.2.1 as permitted sender) smtp.mailfrom=your_email@yourdomain.com;
       dmarc=pass (p=quarantine dis=none) header.from=yourdomain.com
In this example, both DKIM and SPF show pass, indicating successful authentication. If you see fail, softfail, or temperror, that's your starting point for troubleshooting. Google's support documentation provides further details on interpreting these results.
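The same check can be scripted. This added example (not part of the original article) parses an Authentication-Results header, reports every method that did not pass, and also flags a method that passed for a domain that does not align with the From domain. The sample header is constructed, and the alignment test is a simplification noted in the code.

```python
import re

# Constructed header: SPF passes for an ESP bounce domain that does not match
# the From domain, and DKIM fails, so DMARC fails.
SAMPLE = (
    "Authentication-Results: mx.google.com;\n"
    "       dkim=fail header.i=@yourdomain.com header.s=s1;\n"
    "       spf=pass (google.com: domain of bounce@esp-mail.example designates"
    " 192.0.2.1 as permitted sender) smtp.mailfrom=bounce@esp-mail.example;\n"
    "       dmarc=fail (p=quarantine dis=quarantine) header.from=yourdomain.com"
)

def parse_auth_results(header):
    """Return a list of (method, result, properties) from one header."""
    value = header.split(":", 1)[1]
    value = re.sub(r"\([^()]*\)", " ", value)   # drop parenthesised comments
    entries = []
    for clause in value.split(";")[1:]:         # field 0 is the authserv-id
        tokens = clause.split()                 # also unfolds continuation lines
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].lower().split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((method, result, props))  # a list keeps multiple dkim= results
    return entries

def domain_of(identity):
    return identity.rsplit("@", 1)[-1].lower().rstrip(".")

def aligned(auth_domain, from_domain):
    # Approximation of relaxed alignment: same domain or parent/child. Real
    # DMARC compares organizational domains using the Public Suffix List.
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))

def diagnose(header):
    """List each method that failed, or passed for a domain unaligned with From."""
    entries = parse_auth_results(header)
    from_domain = next((domain_of(p["header.from"]) for m, _, p in entries
                        if m == "dmarc" and "header.from" in p), None)
    findings = []
    for method, result, props in entries:
        ident = {"spf": props.get("smtp.mailfrom"),
                 "dkim": props.get("header.d") or props.get("header.i")}.get(method)
        if result != "pass":
            findings.append(f"{method}={result}")
        elif ident and from_domain and not aligned(domain_of(ident), from_domain):
            findings.append(f"{method}=pass but {domain_of(ident)} is not aligned with {from_domain}")
    return findings
```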
Troubleshooting and remediation for authentication failures
If you identify an SPF or DKIM failure, the next step is to pinpoint the exact cause and implement a fix. For SPF failures, verify your SPF record's syntax and ensure all legitimate sending IP addresses and included domains are listed. Be mindful of the 10-lookup limit. If SPF is failing due to forwarding, consider implementing Authenticated Received Chain (ARC) if you operate mailing lists or forwarding services, as ARC can preserve authentication results across hops.
For DKIM failures, check that your public DKIM key is correctly published as a TXT record in your DNS and that the private key on your sending server matches. Ensure no intermediaries are altering your email content after it's been signed. This often requires working closely with your ESP or IT team to confirm the DKIM signing process is intact. You can review our guide on troubleshooting Office 365 DKIM and SPF email authentication failures for more detailed steps applicable to various setups.
Lastly, implementing DMARC is crucial for gaining visibility into your authentication results and taking action on unauthenticated mail. A DMARC record specifies how receiving servers should handle emails that fail SPF or DKIM, and it provides aggregate and forensic reports that detail authentication failures. These reports are invaluable for identifying legitimate sending sources that might not be properly authenticated and for detecting potential spoofing attempts on your domain. Setting up a DMARC policy of p=none allows you to monitor without impacting delivery, before moving to more restrictive policies like quarantine or reject.
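As an added illustration of how aggregate reports separate the two cases mentioned above (not code from the original article), this example reads a constructed report and sorts the DMARC-failing sources into those that authenticate for an unaligned domain, typically a legitimate sender that needs configuring, and those with no passing result at all. The report content, IPs and domains are constructed; the element names follow the aggregate report schema in RFC 7489.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report, trimmed to the fields used here. Real reports
# come from third parties, so parse them with a hardened XML parser.
REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.1</source_ip><count>940</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>310</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results>
      <spf><domain>esp-mail.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.50</source_ip><count>12</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results>
      <spf><domain>yourdomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>"""

def triage(xml_text):
    """Return [(source_ip, count, verdict)] for rows where DMARC failed."""
    out = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            continue  # DMARC passes when either aligned check passes
        # Raw results that passed, but for a domain that did not align with From.
        raw = [(a.tag, a.findtext("domain")) for a in rec.find("auth_results")
               if a.findtext("result") == "pass"]
        verdict = ("passes for unaligned domain: " + ", ".join(f"{t}={d}" for t, d in raw)
                   if raw else "no passing SPF or DKIM")
        out.append((row.findtext("source_ip"), int(row.findtext("count")), verdict))
    return sorted(out, key=lambda r: -r[1])  # highest volume first
```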
Sometimes issues arise unexpectedly, even when everything seems configured correctly. This could be due to external factors like DNS provider outages or temporary glitches at mailbox providers. Regularly reviewing your email authentication setup and monitoring your deliverability metrics is key to catching and resolving these issues promptly.
Maintaining strong SPF and DKIM authentication isn't a one-time setup; it's an ongoing commitment. It requires vigilance, especially when making changes to your email sending infrastructure or if you notice any unexpected drops in your inbox placement. By understanding the common causes of failure and knowing how to interpret email headers, you can significantly improve your email deliverability and avoid being caught on a blacklist (or blocklist).
Best practices
Regularly check your SPF and DKIM DNS records for accuracy and compliance.
Use DMARC reports to identify authentication failures and unauthorized sending sources.
Monitor your email deliverability dashboard for any sudden drops in inbox placement, especially for Gmail.
Test email authentication after any changes to your sending infrastructure.
Common pitfalls
Forgetting to update SPF records when switching ESPs or adding new sending IPs.
Exceeding the 10 DNS lookup limit in SPF, causing failures.
Not configuring DKIM correctly, leading to signature invalidation or 'body hash mismatch' errors.
Ignoring DMARC reports, missing critical insights into authentication issues.
Expert tips
Implement ARC for mailing lists or forwarding services to preserve authentication results.
Use a DMARC policy of 'p=none' initially to gather data before enforcing stricter policies.
Automate monitoring of DNS records to detect unexpected changes that could impact SPF/DKIM.
Educate your team on email authentication best practices to prevent accidental misconfigurations.
Marketer view
Marketer from Email Geeks says they experienced major issues with Gmail, reporting 0% for SPF/DKIM, which correlated with an abysmal open rate. They suspected a Cloudflare outage or an issue on Google's end.
2020-07-27 - Email Geeks
Expert view
Expert from Email Geeks says that inspecting email headers is crucial for diagnosing issues, as Google stamps a lot of diagnostics in them. They recommended looking for the 'Authentication-Results' section.
2020-07-27 - Email Geeks
Maintaining strong email authentication for lasting deliverability
Ensuring proper SPF and DKIM authentication is no longer optional for email deliverability. With major mailbox providers like Gmail and Yahoo enforcing stricter authentication policies, misconfigurations can directly lead to emails being blocked or sent to spam. Regular monitoring and proactive troubleshooting, especially by inspecting email headers, are vital to maintaining a healthy sending reputation and ensuring your messages reach the inbox.
By understanding the nuances of SPF and DKIM failures, from DNS issues to email forwarding challenges, and by utilizing DMARC reporting, you can swiftly diagnose and rectify problems. This commitment to robust email authentication will not only improve your deliverability but also protect your brand from spoofing and phishing attempts, keeping your domain off a blocklist (or blacklist) and your email program thriving.