Summary
DKIM failures when sending emails from Salesforce through Gmail are a multifaceted issue stemming from content modification by Gmail's SMTP relay, character encoding discrepancies between Salesforce and Gmail, incorrect DNS settings, DKIM alignment problems, forwarding issues, and misconfigured Gmail/Salesforce setups. Resolutions involve ensuring content integrity during transmission, proper DKIM configuration across platforms, consistent character encoding practices, DNS record verification, header analysis, testing with plain text emails, and potentially disabling Salesforce's DKIM signing.
Key findings
- Content Modification: Gmail's SMTP relay and other services modify email content after Salesforce signs it, invalidating the DKIM signature due to a body hash mismatch.
- Encoding Discrepancies: Different character encodings between Salesforce and Gmail can alter the email body, leading to DKIM failures.
- Configuration Errors: Incorrectly configured Gmail settings, DNS records, and DKIM setups in both Salesforce and Gmail contribute to DKIM failures.
- Alignment Issues: DKIM alignment problems, where the domain in the DKIM signature doesn't match the 'From:' header domain, can cause verification failures.
- Forwarding Breaks DKIM: The act of forwarding an email can result in DKIM signatures failing because content is changed
Key considerations
- Maintain Content Integrity: Ensure email content remains unchanged during transmission to preserve DKIM validity, potentially by adjusting DKIM configurations.
- Implement Consistent Encoding: Use consistent character encoding (e.g., UTF-8) between Salesforce and Gmail.
- Validate DNS Settings: Verify DNS TXT records for DKIM are correctly configured and fully propagated.
- Perform Header Analysis: Analyze email headers to pinpoint where alterations are occurring.
- Test Basic Emails: Test with simple, plain ASCII text emails to isolate encoding issues.
- Review Configurations: Thoroughly review DKIM, Salesforce, and Gmail configurations to ensure correct setups.
- Assess DKIM Alignment: Confirm that the 'd=' tag in the DKIM signature aligns with the domain used in the 'From:' header.
- Consider Alternative Signing: Disable Salesforce DKIM signing and let Google Workspace sign instead to see if that fixes the issue.
- Raise Support Ticket: Raise a support ticket with Salesforce.
What email marketers say
8 marketer opinions
DKIM failures when sending emails from Salesforce through Gmail often arise from several interconnected issues. These include Gmail's SMTP relay modifying email content after Salesforce has applied its DKIM signature, encoding differences between Salesforce and Gmail leading to altered email bodies, misconfigured Gmail settings, incorrect DNS records, and alignment issues between the DKIM signature's domain and the 'From:' header. Analyzing email headers is crucial for identifying where the alteration occurs, and ensuring proper configuration and consistent encoding practices are essential for resolving the problem.
Key opinions
- Content Modification: Gmail's SMTP relay might modify the email body after Salesforce signs it, invalidating the DKIM signature.
- Encoding Issues: Character encoding differences between Salesforce and Gmail can alter the email body, causing DKIM failure.
- Configuration Problems: Incorrectly configured Gmail settings can interfere with DKIM signatures.
- DNS Settings: Incorrectly configured or unpropagated DNS TXT records for DKIM can cause verification failures.
- Alignment Problems: DKIM alignment issues, where the domain in the DKIM signature doesn't match the 'From:' header domain, can lead to failures.
- Forwarding Issues: The act of forwarding or relaying via Gmail breaks the DKIM signature because of modifications
Key considerations
- Check Configuration: Ensure DKIM keys are correctly configured in both Salesforce and Google Workspace.
- Consistent Encoding: Use consistent character encoding (e.g., UTF-8) between Salesforce and Gmail.
- Analyze Headers: Perform a full analysis of email headers to identify where the DKIM signature is being altered.
- Verify DNS Records: Verify that the DNS TXT record for DKIM is correctly configured and fully propagated.
- Test Simple Emails: Send simple emails with plain ASCII text to isolate character encoding issues.
- Evaluate Gmail Settings: Review Gmail SMTP relay settings for potential DKIM-related conflicts.
- Signature Alignment: Confirm the d= tag in the DKIM signature matches the domain used in the From: header.
Marketer view
Email marketer from EmailOnAcid suggests that Salesforce and Gmail should be properly configured to handle DKIM signatures. If Salesforce is signing the email, Gmail needs to be configured to respect that signature and not alter the email content after it's been signed.
6 Sep 2023 - EmailOnAcid
Marketer view
Email marketer from StackExchange explains that forwarding can break DKIM. When an email is forwarded, the content is often modified, causing the DKIM signature to become invalid. When sending from Salesforce via Gmail, Salesforce signs it, but Gmail forwards it on, it breaks the signature.
25 Sep 2021 - StackExchange
What the experts say
4 expert opinions
Experts attribute DKIM failures when sending from Salesforce via Gmail to Google modifying the email body after Salesforce signs it, causing the DKIM hash to be invalid. Character encoding differences between Salesforce and Gmail can also lead to alterations in the email body, further contributing to DKIM failures. Testing with plain text emails, disabling Salesforce DKIM signing in favor of Google Workspace, and opening a support ticket with Salesforce are potential solutions.
Key opinions
- Content Modification by Google: Google (Gmail) modifies the email body after Salesforce signs it, invalidating the DKIM signature.
- Character Encoding Issues: Different character encodings between Salesforce and Gmail lead to alterations in the email body.
Key considerations
- Test Plain Emails: Send very plain (ASCII) emails to rule out character encoding problems.
- Disable Salesforce DKIM: Disable Salesforce DKIM signing and let Google Workspace sign the emails instead.
- Open Salesforce Ticket: Open a support ticket with Salesforce to investigate potential configuration issues.
- Ensure Transmission Integrity: Make sure email is transmitted in a way that preserves content, or adjust the DKIM config to accomodate gmail handling
- Consistent Character Encoding: Ensure consistent character encoding (e.g., UTF-8) throughout the sending process.
Expert view
Expert from Email Geeks suggests that the DKIM signature failing is likely due to Google modifying the body after Salesforce signs it. The expert suggests sending a very plain email as a test and opening a ticket with Salesforce.
17 Jul 2021 - Email Geeks
Expert view
Expert from Spam Resource explains that when sending from Salesforce via Gmail, a DKIM failure often stems from Gmail modifying the email's content after Salesforce has signed it. This alteration, even if minor, invalidates the DKIM signature because the cryptographic hash no longer matches the email body. Potential solutions are ensuring the message is transmitted in a way that preserves the integrity of the content or adjusting the DKIM configuration to accommodate Gmail's handling.
16 Mar 2025 - Spam Resource
What the documentation says
5 technical articles
Documentation sources consistently indicate that DKIM failures when sending from Salesforce via Gmail are primarily due to modifications of the email content after the DKIM signature is applied. This alteration, which can occur through Gmail's SMTP relay service or other intermediaries, invalidates the signature as the body hash no longer matches. Additionally, incorrect DNS records and improper DKIM setup are identified as potential contributing factors.
Key findings
- Content Modification: Gmail's SMTP relay or other services can modify the email body after DKIM signing, leading to verification failure.
- Body Hash Mismatch: A common error is the body hash not verifying, indicating that the message body has changed since the signature was generated.
- Incorrect DNS Records: Improperly configured or unpropagated DNS records for DKIM can cause the signature verification to fail.
- Improper DKIM Setup: Incorrect setup and maintenance of DKIM records causes DKIM to fail to authenticate.
Key considerations
- Preserve Content Integrity: Ensure the email content remains unchanged during transmission to maintain DKIM validity.
- Verify DNS Configuration: Check that DNS records for DKIM are correctly configured and fully propagated.
- Review DKIM Setup: Carefully review the entire DKIM setup, including key generation, signing procedures, and verification processes.
- Monitor SMTP Relay: Monitor the SMTP relay service (e.g. Gmail SMTP relay) to verify whether it's modifying the email
Technical article
Documentation from DKIM.org mentions that common DKIM errors are often due to issues with the body hash not verifying. This indicates that the message body has changed since the signature was generated.
7 Dec 2021 - DKIM.org
Technical article
Documentation from Salesforce Help explains that a common cause of DKIM failure is modification of the email content after it has been signed. This can occur if Gmail alters the message body during transmission, causing the DKIM hash to no longer match the content.
7 Nov 2024 - Salesforce Help
Can DKIM be set up on a subdomain, and which domain should be used for signing?
How do I align SPF and DKIM in Salesforce Service Cloud, and is it necessary if DKIM is already aligned?
How do I fix DKIM alignment errors and configure DKIM signing for a custom domain in Microsoft 365 and is include:spf.mtasv.net required for mailchimp?
How do I fix DKIM failing body hash verification?
How do I set up DKIM on G Suite for outgoing mail, especially when using multiple email services?
How do I set up SPF and DKIM records for new subdomains when using third-party email services?
