Suped

Why does G-Suite Check MX toolbox say DKIM is not set up when email headers show DKIM and SPF pass?

Summary

It can be confusing when email authentication results from tools like G-Suite's Check MX Toolbox contradict the authentication results shown in email headers. If your email headers show DKIM and SPF passing, but a tool reports them as not set up, it often indicates a misunderstanding of how these tools operate versus the actual email delivery path.

Suped DMARC monitor
Free forever, no credit card required
Get started for free
Trusted by teams securing millions of inboxes
Company logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logo

What email marketers say

Email marketers frequently encounter discrepancies between online testing tools and actual email header authentication results. This often leads to confusion, especially when their emails are successfully landing in inboxes while tools report issues. Marketers' experiences highlight the importance of understanding the context of email sending, such as whether an ESP is handling authentication or if mail is being sent directly from a G-Suite account.

Marketer view

Marketer from Email Geeks indicates confusion because their G-Suite Check MX toolbox shows "DKIM is not set up" and a red warning for SPF, while live email headers for sends to their Gmail account clearly state DKIM=PASS and SPF=PASS. They question whether this contradiction is expected.

24 Jan 2020 - Email Geeks

Marketer view

Marketer from Email Geeks observes two DKIM signatures in their email headers: one aligning with their own domain and another with their ESP's domain. They confirm that all SPF, DKIM, and DMARC elements in the header appear to point to their domain and seem correct.

24 Jan 2020 - Email Geeks

What the experts say

Email deliverability experts offer critical insights into why tools may present misleading authentication results. They emphasize the importance of distinguishing between how email authentication protocols like SPF and DKIM actually function in transit versus how static DNS checkers interpret domain configurations. Experts often find that the problem lies with the tool's methodology or specific expectations rather than an actual misconfiguration.

Expert view

Expert from Email Geeks suggests that the MX Toolbox might be inaccurate or that the user requested the wrong test. They performed a manual lookup of the DKIM key dkim1024._domainkey.comms.uwe.ac.uk and found it to be functional and correctly set up.

24 Jan 2020 - Email Geeks

Expert view

Expert from Email Geeks confirms that the DMARC record appears to be fine, although they personally prefer to include spaces between all settings for readability, noting that a semicolon is technically sufficient.

24 Jan 2020 - Email Geeks

What the documentation says

Official documentation and technical resources explain the intricacies of email authentication protocols like SPF, DKIM, and DMARC. These sources clarify the distinct roles of each protocol, how they interact, and the mechanisms by which receiving mail servers validate them. Understanding these foundational principles helps demystify why discrepancies can arise between simple DNS lookup tools and the complex authentication processes that occur during email transmission.

Technical article

Documentation from Email on Acid states that a DKIM signature helps mailbox providers verify the sender's identity while simultaneously preventing phishing attacks, which are often characterized by email spoofing. This highlights DKIM's dual role in authentication and security.

15 Mar 2017 - Email on Acid

Technical article

Esecurity Planet documentation clarifies that DKIM only functions when email servers are specifically configured to check for DKIM signatures or utilize security tools that perform this validation. Servers have the option to bypass DKIM checks if they choose.

01 May 2023 - eSecurity Planet

4 resources

Start improving your email deliverability today

Get started