Why are my DKIM and DMARC failing in Gmail, and how can I fix it?

Key findings

• Sender-side changes: DKIM and DMARC failures in Gmail are most frequently caused by changes or misconfigurations on the sender's email infrastructure, rather than new Gmail policies. This includes DNS record issues or changes in email service providers.
• Authentication alignment: DMARC requires either SPF or DKIM to align with the domain in the From header. If both fail alignment (or pass but don't align), DMARC will fail. Even if DKIM passes its cryptographic check, Gmail may report it as 'failed' in its compliance dashboard if it doesn't align with the 5322.From address.
• Gmail's strictness: While the core issue is sender-side, Gmail's increased focus on email authentication (especially the new sender requirements from February 2024) makes proper configuration and alignment more critical than ever. Lack of alignment can now lead to stricter treatment, including emails going to spam.
• Impact on deliverability: Emails failing DMARC or DKIM alignment are highly likely to land in the spam folder or be rejected by Gmail's filters, directly affecting your email deliverability rates.

Key considerations

• Check email headers: Thoroughly examine the Authentication-Results section of your email headers. This provides detailed information on why DKIM or DMARC failed, differentiating between a true signature failure and an alignment issue.
• Verify DNS records: Ensure your SPF, DKIM, and DMARC DNS records are correctly published and configured. Any syntax errors or missing records can lead to failures.
• Ensure DMARC alignment: Confirm that your DMARC record is set up for alignment. This means the domain in your DKIM d= tag or SPF Return-Path must match your From header domain.
• Monitor DMARC reports: If you have a DMARC record with a RUA tag, regularly review your aggregate reports. These reports provide insights into authentication results across various receivers, helping identify sources of failure. You can learn more about understanding and troubleshooting DMARC reports from Google and Yahoo.
• Engage with senders: If you are a recipient experiencing these failures, notify the sender. They are responsible for correcting their email authentication setup.

Key opinions

• Sender responsibility: Many marketers believe that if DKIM or DMARC are failing, the issue almost certainly lies with the sender's email configuration or sending practices, not with Gmail changing its validation process.
• Misinterpretation of 'fail': Marketers frequently note that Gmail's compliance dashboard might report DKIM as 'failed' not because the signature is invalid, but because the DKIM domain (d= tag) doesn't align with the 5322.From address. This is a crucial distinction.
• New alignment directives: There's a strong consensus that recent increases in failures are linked to Google's must align directive from October 2023, which is now being more rigorously enforced.
• 'Via' tag concerns: Some marketers are observing DKIM non-alignment even when DMARC passes, resulting in Gmail adding a 'via' tag. This raises questions about its impact on perceived sender trustworthiness and deliverability.

Key considerations

• Proactive monitoring: Marketers should regularly use tools to check their email headers and authentication status. This helps in quickly identifying issues before they severely impact inbox placement.
• Understand DMARC alignment: It is crucial to understand that DMARC failing often means a lack of alignment, not necessarily a broken record. This is a common point of confusion. For more information, see our guide on DMARC alignment failures.
• Verify SPF and DKIM: Always ensure SPF and DKIM records are correctly set up and maintained, including proper syntax and alignment. This is fundamental for DMARC to pass.
• Address 'via' tags: Even if DMARC passes, the presence of a 'via' tag can diminish recipient trust. Marketers should aim for full alignment to remove this tag and strengthen their sending reputation. Learn more about why emails go to spam.
• Engage with ESPs: If using an email service provider, work with their support to ensure proper authentication and alignment are configured for your sending domain.

Key opinions

• Sender-side root cause: Experts consistently point out that if authentication was previously passing and now fails, the problem originates from changes made by the sender, such as alterations to their email platform or DNS records.
• DMARC alignment is key: A common cause for DMARC failure (even if DKIM passes its cryptographic check) is the lack of domain alignment between the DKIM d= domain or SPF Return-Path domain and the 5322.From address. This misalignment is what Gmail flags.
• New Gmail requirements impact: The increase in visible failures is attributed to Google's (and Yahoo's) Sender Requirements from October 2023, which demand stronger authentication and alignment. This means issues that might have gone unnoticed before are now causing delivery problems.
• Ignoring DMARC reports: Many senders implement a DMARC policy (e.g., p=none) but fail to monitor the aggregate (RUA) reports. This prevents them from knowing if their emails are properly authenticating and aligning before stricter policies are implicitly or explicitly enforced by receivers.

Key considerations

• Review full headers: Always dig into the raw email headers, specifically the Authentication-Results section, to get the precise reason for failure. This clarifies whether it's a signature problem or an alignment problem. Our guide on DMARC failure even when SPF and DKIM pass can provide more insights.
• Correct alignment: Prioritize ensuring that your DKIM and SPF domains align with your 'From' header domain. This is non-negotiable for achieving DMARC pass and optimal Gmail inbox placement.
• Utilize DMARC reports: Implement DMARC with RUA (aggregate report) and RUF (forensic report) tags to gain visibility into your email authentication status. These reports are invaluable for diagnosing issues. Learn how to use our free DMARC record generator to get started.
• Proactive policy changes: Before moving a DMARC policy to p=quarantine or p=reject, ensure that all legitimate email streams are authenticating and aligning correctly. Gradual transitions are recommended.
• Google Postmaster Tools: Utilize Google Postmaster Tools for insights into your domain's reputation, spam rate, and authentication errors specifically with Gmail.

Key findings

• DMARC policy enforcement: Documentation states that the DMARC policy (defined by 'p=none', 'p=quarantine', or 'p=reject') dictates how receiving servers should handle messages that fail SPF and DKIM authentication. This directly influences inbox placement versus spam or rejection.
• Authentication alignment requirement: For DMARC to pass, at least one of SPF or DKIM must 'align' with the organizational domain found in the email's From header. This alignment is a critical, often overlooked, component.
• Impact of recent updates: Recent updates by major mailbox providers, such as those from Google in February 2024, make DMARC (and its underlying SPF/DKIM alignment) mandatory for bulk senders and highly recommended for all. Failure to meet these standards leads to messages being rejected or sent to spam.
• DMARC reporting: Documentation outlines the importance of DMARC aggregate (RUA) and forensic (RUF) reports. These reports provide invaluable feedback on authentication results, allowing senders to identify and troubleshoot issues before they impact email delivery.

Key considerations

• Accurate DNS records: Ensure that SPF, DKIM, and DMARC DNS records are correctly formatted, published, and accessible. Errors or omissions in these records are primary causes of authentication failures. Consult our guide on DMARC tags for correct syntax.
• Implement DMARC: If not already implemented, set up a DMARC record, starting with a 'p=none' policy to monitor authentication results without impacting delivery, then gradually move to stricter policies. See simple DMARC examples.
• Verify DKIM signing: Confirm that your emails are actually being signed with DKIM by your sending service. A DKIM record in DNS is not enough; the email must be properly signed during transmission.
• Monitor DMARC reports: Regularly analyze DMARC reports to identify authentication failures, unauthorized sending sources, and areas for improvement in your email configuration. This proactive approach helps maintain optimal deliverability.
• Stay updated: Keep abreast of updates and requirements from major mailbox providers. Authentication standards evolve, and staying informed is key to consistent deliverability.