Troubleshooting dips in DKIM success rate in Google Postmaster Tools

Key findings

• Unsigned emails: A primary cause for DKIM dips is mail being sent from your domain that isn't properly DKIM signed, or has broken DKIM signatures. This can include transactional emails from CRM systems or automated reports.
• Mail flow visibility: Understanding all sources sending email on behalf of your domain is crucial. If a sender is not configured for DKIM, it will negatively impact your success rate.
• DMARC reports: DMARC aggregate reports provide granular detail on authentication failures, including DKIM, and can pinpoint the specific sending sources causing the dips.
• DNS issues: Temporary DNS timeouts or misconfigurations on your side can prevent email servers from looking up your DKIM record, leading to authentication failures.
• Internal traffic: Sometimes, internal emails sent between colleagues on the same domain may not be DKIM signed, which can contribute to a lower success rate in Postmaster Tools if Google processes them.

Key considerations

• Comprehensive signing: It is generally recommended to DKIM sign all legitimate email traffic originating from your domain, regardless of its purpose or sender.
• DMARC implementation: Set up DMARC reporting to gain detailed insights into your email authentication status. This will help you identify sources sending email on behalf of your domain and whether they pass SPF or DKIM alignment. You can find more information in our guide to understanding and troubleshooting DMARC reports.
• Multiple DKIM keys: Consider using separate DKIM keys (selectors) for different types of mail streams, such as CRM emails versus corporate emails. This helps with traffic separation and easier troubleshooting.
• Postmaster Tools accuracy: While valuable, Postmaster Tools data may not always be perfectly real-time or complete. It's best to combine its insights with DMARC reports and internal log analysis. Learn more about common issues with Google Postmaster Tools data.

Key opinions

• Unexpected senders: Dips often occur when an unrecognized or misconfigured system, like a CRM or internal tool, starts sending email using the domain without proper DKIM signing.
• From: domain typos: Even a slight typo in the From: domain can lead to authentication failures.
• DMARC as a diagnostic tool: Marketers frequently recommend using DMARC reports to identify specific email sources that are failing DKIM authentication.
• Reviewing mail flow: It's important to cross-reference Postmaster Tools data with your sending logs to see what specific emails were sent during periods of DKIM dips.

Key considerations

• Audit all sending systems: Regularly audit all platforms and services that send email on behalf of your domain, including CRMs, marketing automation platforms, and internal servers, to ensure proper DKIM configuration.
• Transactional email signing: Even transactional emails (like purchase confirmations) should be DKIM signed to maintain a high success rate and improve deliverability. Check out our guidance on why your emails fail.
• Leverage DMARC reporting tools: If you don't have one, implement a DMARC reporting tool. Many free options are available to help parse and analyze aggregate reports, offering actionable insights. Our list of DMARC tags and their meanings can further assist.
• Consistency is key: Aim for a consistently high DKIM success rate (ideally 100%) to maintain a strong sender reputation with Google. The authentication success rate is a critical metric.

Key opinions

• Unsigned mail streams: Experts commonly attribute dips to specific mail streams (e.g., internal systems, niche applications) that are not correctly configured to sign emails with DKIM.
• Broken DKIM signing: Beyond simply not signing, some systems may attempt to sign but do so incorrectly, resulting in broken or invalid DKIM signatures.
• DNS timeout issues: DNS lookup failures or timeouts on the sender's side can prevent recipient servers (like Gmail's) from verifying the DKIM signature, leading to authentication failures.
• MTA configuration: The Mail Transfer Agent (MTA) needs to be correctly configured to apply the DKIM signature to outgoing mail. Misconfigurations here are a frequent cause of issues.
• Mail flow complexity: With diverse email sending paths (e.g., corporate mail, CRM, marketing ESPs), ensuring all traffic is properly DKIM signed and aligned can be complex.

Key considerations

• Universal DKIM signing: Best practice dictates that all outgoing email should be DKIM signed. If certain email types, like internal CRM messages, are not signed, it's a gap that needs addressing.
• DMARC report analysis: Use DMARC aggregate reports as your primary tool for deep-diving into authentication issues, as they provide detailed XML data that Postmaster Tools abstracts. This can help identify DKIM temperror instances.
• Separate DKIM selectors: Implementing different DKIM selectors for different email streams (e.g., crm._domainkey and corp._domainkey) helps in isolating and troubleshooting authentication issues for specific senders. See common DKIM selectors and how to use them.
• Domain and IP reputation: While DKIM is about authentication, a consistent low DKIM success rate can indirectly impact your domain and IP reputation, leading to broader deliverability issues.

Key findings

• DKIM verification process: DKIM involves signing outgoing emails with a private key and publishing a corresponding public key in DNS. Recipient mail servers use this public key to verify the signature and ensure the message hasn't been tampered with.
• Authentication dashboard: Google Postmaster Tools' Authentication dashboard specifically reports the percentage of your emails that pass SPF, DKIM, and DMARC authentication.
• Message modification: Any alteration to the email headers or body after the DKIM signature is applied will invalidate the signature, leading to a failure.
• DNS records: The DKIM public key must be correctly published in your domain's DNS as a TXT record. Errors in this record or DNS propagation delays can cause failures.

Key considerations

• Selector usage: The DKIM selector in the email header must match the selector used in the DNS TXT record for verification to succeed. Mismatches will result in failure.
• Canonicalization: DKIM specifies canonicalization algorithms (simple/relaxed) for headers and body. Mismatches in how the sending server and receiving server handle whitespace or header order can lead to verification failures. Our article on how to fix DKIM body hash mismatch failures is relevant here.
• Key rotation: Regularly rotating DKIM keys is a security best practice, but improper rotation (e.g., deleting the old key before the new one is fully propagated and adopted by all senders) can cause temporary dips in success.
• RFC compliance: Adherence to RFC 6376 (DKIM Signatures) is essential. Deviations from the standard can lead to authentication failures with various mail receivers.