Suped

Why does G-Suite Check MX toolbox say DKIM is not set up when email headers show DKIM and SPF pass?

Summary

The G-Suite Check MX toolbox might incorrectly indicate that DKIM is not set up, despite email headers showing DKIM and SPF as passing, due to a combination of factors. These include: potential issues with MXToolbox itself (caching, glitches, using the wrong test), DNS-related problems (propagation delays, incorrect domain being tested, querying from the wrong location, DNS syntax errors), DKIM configuration issues (missing or incorrect DKIM selector, using multiple DKIM keys with ESPs, focusing on branded keys only), SPF record problems (missing SPF records, or needing Google-specific SPF records when sending via Google), and the inherent differences in how various DNS checkers operate. Manual verification of DKIM records and careful attention to DNS setup are crucial for accurate assessment.

Key findings

  • MXToolbox Issues: MXToolbox might be caching old data, experiencing glitches, or using an incorrect test, leading to false negatives.
  • DNS Propagation: DNS changes take time to propagate; the MXToolbox might be checking before propagation is complete.
  • Domain Mismatch: Ensure the domain being tested in MXToolbox exactly matches the sending domain.
  • Multiple DKIM Keys: ESPs might use their own DKIM key in addition to a branded key. MXToolbox might only be checking for one.
  • SPF Configuration: If sending from Google Workspace, specific SPF records are required. Missing SPF records can also be a factor.
  • Incorrect DKIM Selector: Using an incorrect DKIM selector in the DNS record will cause validation failures.
  • DNS Query Location: The DNS record must be queried from the correct location to obtain accurate results.
  • Checker differences: Different checkers use different underlying code and query from different locations, which can sometimes lead to inconsistencies in the results they display.

Key considerations

  • Manual Verification: Use command-line tools (dig, nslookup) to manually verify DKIM configuration and bypass potential tool limitations.
  • DKIM Signature Inspection: Inspect the 'd=' and 's=' tags in the DKIM signature of email headers to ensure consistency with DNS records.
  • Google Workspace Guide: If using Google Workspace, follow the official setup guide meticulously, including key generation, TXT record addition, and DKIM enabling.
  • DNS Syntax: Carefully check DNS records for syntax errors (extra spaces, missing quotes). Utilize a DNS record checker.
  • SPF record review: Review SPF records, if sending from a Google domain or using G-Suite.
  • Domain Name Verification: Pay attention to differences in the domain name shown for DKIM=PASS in the headers; the same may apply to SPF.

What email marketers say

12 marketer opinions

The G-Suite Check MX toolbox might report that DKIM is not set up even when email headers show DKIM and SPF as passing due to several reasons. These include DNS caching issues with MXToolbox, DNS propagation delays, testing the wrong domain, multiple DKIM keys being used (one by the domain and another by the ESP), the need for specific G-Suite DNS configurations (SPF, DKIM, DMARC), incorrect DKIM selector names, querying DNS records from the wrong location, issues with DNS syntax, and differences in the underlying code used by different DNS record checkers.

Key opinions

  • DNS Caching: MXToolbox might be caching old DNS records, leading to inaccurate results. Clear your browser cache or use a different browser.
  • DNS Propagation: DNS changes can take up to 48 hours to propagate. The MXToolbox might be checking before the changes are fully visible.
  • Domain Verification: Ensure you are testing the correct domain in MXToolbox, matching the domain used to send emails. Typos can lead to incorrect results.
  • Multiple DKIM Keys: The email might be signed with multiple DKIM keys, one from your domain and one from your ESP. MXToolbox may only check for your domain's key.
  • G-Suite Configuration: G-Suite requires specific DNS configurations (SPF, DKIM, DMARC). Follow Google's official setup guides.
  • Incorrect DKIM Selector: An incorrect DKIM selector name in the DNS records can cause validation failures.
  • Query Location: Ensure the DNS record is being queried from the correct location to avoid discrepancies.
  • SPF Records: Missing SPF records on your sending domain may be an issue, even if you are not using it as the Return-Path. It is advised to add SPF records.

Key considerations

  • DNS Syntax: Ensure there are no syntax errors (extra spaces, missing quotes) in the DNS records. Use a DNS record checker.
  • Multiple Checkers: Different checkers use different code and query from different locations, leading to inconsistent results. Use multiple tools for verification.
  • Record Updates: When setting up SPF and DKIM, double-check that the values you copied into the tool match the ones in your DNS records.
  • Domain Name: Pay attention to differences in the domain name shown for DKIM=PASS in the headers; the same may apply to SPF.

Marketer view

Email marketer from StackExchange explains that MXToolbox sometimes caches old DNS records, leading to inaccurate results. Try clearing your browser cache or using a different browser to see if the issue persists.

12 Feb 2023 - StackExchange

Marketer view

Email marketer from Reddit suggests that DNS propagation delays could be the reason. It can take up to 48 hours for DNS changes to fully propagate across the internet, so the MXToolbox might be checking before the changes are fully visible.

18 Mar 2023 - Reddit

What the experts say

4 expert opinions

The G-Suite Check MX toolbox might incorrectly report DKIM as not set up despite passing email headers for several reasons. Some ESPs sign with both their own and the brand's DKIM keys, and the branded key may be missing. The MX Toolbox itself may be faulty, running the wrong test, or experiencing a temporary glitch. If sending from Google's domain, specific SPF records must be added. Different checkers use different code and query locations, leading to inconsistencies.

Key opinions

  • Branded DKIM Key: ESPs may use their own DKIM key in addition to a branded key. Ensure the branded key exists and is properly configured.
  • Toolbox Errors: The MX Toolbox may be incorrect due to a glitch, improper test selection, or outdated data.
  • SPF Records for Google: If sending from a Google domain, specific SPF records must be added for proper authentication.
  • Inconsistent Checkers: Different DNS checkers can produce different results due to varying code, query locations, and update statuses.

Key considerations

  • Manual Lookup: Verify DKIM setup manually to confirm tool accuracy. Tools might be faulty.
  • SPF Record Review: Verify the SPF record if sending from a Google domain or using G-suite.
  • ESP Configuration: Review configuration with your ESP regarding DKIM keys and ensure the right key is used.

Expert view

Expert from Word to the Wise explains that different checkers use different underlying code and query from different locations, which can sometimes lead to inconsistencies in the results they display. It's possible the MX Toolbox is experiencing a temporary glitch or is querying a DNS server that hasn't yet updated.

24 Aug 2023 - Word to the Wise

Expert view

Expert from Email Geeks explains that if you plan on sending from Google with that domain, you need to add them to your SPF record. The current record is `comms.uwe.ac.uk. 3600 IN TXT "v=spf1 include:spf.dotmailer.com -all"`

19 Jul 2023 - Email Geeks

What the documentation says

3 technical articles

If G-Suite Check MX toolbox shows DKIM is not set up, despite email headers passing DKIM and SPF, it is advisable to manually verify the DKIM setup. This can be achieved by using command-line tools like `dig` or `nslookup` to query DNS records directly, or by manually inspecting the DKIM signature in the email header, particularly the 'd=' and 's=' tags. Following Google Workspace's official DKIM setup guide is also crucial to ensure proper configuration, including key generation, TXT record addition, and enabling DKIM signing.

Key findings

  • Manual DNS Query: Command-line tools can bypass issues with online testing tools by directly querying DNS records.
  • DKIM Signature Inspection: Manually inspect the 'd=' and 's=' tags in the DKIM signature to verify they match the DNS record.
  • Google Workspace Guide: Following Google's official setup guide ensures proper DKIM configuration within Google Workspace.

Key considerations

  • DNS Record Accuracy: Confirm that the values obtained from DNS queries match the DKIM signature details.
  • Key Management: Ensure the DKIM key is properly generated and enabled within Google Workspace settings.
  • TXT Record Propagation: Verify the TXT record for DKIM has fully propagated across DNS servers.

Technical article

Documentation from RFC6376 explains the precise format of a DKIM signature in the email header. You can manually inspect the 'd=' (domain) and 's=' (selector) tags to ensure they match your DKIM record.

11 Mar 2023 - RFC Editor

Technical article

Documentation from DKIM.org explains that you can use command-line tools like `dig` or `nslookup` to manually query the DNS records and verify the DKIM configuration. This can bypass any potential issues with online testing tools.

7 Oct 2023 - DKIM.org
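
The manual check described in this section, as an added example (not code from this page or from any of the sources it cites): it reads the 'd=' and 's=' tags from every DKIM-Signature header, prints the `dig` query to run for each, and sanity-checks a TXT value returned by that query. The sample message, the domains `example.com` and `esp-mail.example`, the selectors and the function names are all constructed for illustration.

```python
import base64
import re
from email import message_from_string

# Constructed sample: one ESP signature (hypothetical esp-mail.example), one branded.
RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp-mail.example;
 s=k1; h=from:to:subject; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=example.com; s=google; h=from:to:subject; bh=CCCC; b=DDDD
From: sender@example.com
"""

def parse_tags(value):
    """Split an RFC 6376 tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_lookups(raw_message):
    """Return the DNS name to query for every DKIM-Signature in the message."""
    msg = message_from_string(raw_message)
    names = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        if "d" in tags and "s" in tags:
            names.append(f"{tags['s']}._domainkey.{tags['d']}")
    return names

def check_key_record(txt):
    """Return a list of problems in a DKIM TXT record value (empty list = OK)."""
    problems = []
    # dig shows long records as several quoted strings; join them before parsing.
    tags = parse_tags(txt.replace('"', ""))
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if not tags.get("p"):
        problems.append("p= missing or empty (key absent or revoked)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

for name in dkim_lookups(RAW):  # one query per signature, to run by hand
    print("dig +short TXT", name)
```

If an online checker reports DKIM as missing, compare the name it queried against these names: a message signed by both an ESP and the brand's domain yields two different selector records, and the tool may have looked up neither.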
