Why is DKIM failing when sending from Salesforce via Gmail?

Key findings

• Body alteration: A common cause for DKIM failure is the modification of the email body after the DKIM signature has been applied. This can occur when an intermediary mail service (like Google's SMTP relay) processes the email.
• Signing entity: When using Salesforce to compose and Gmail for sending via SMTP relay, Salesforce typically applies the DKIM signature. Gmail then acts as a relay, but may inadvertently alter the message content.
• Content encoding: Issues with non-standard character sets, Unicode characters, or even simple conversions like tabs to spaces can lead to DKIM body hash mismatches, as Google might attempt to normalize the content.
• Template issues: The email template used in Salesforce could contain elements or encoding that are not cleanly passing through the Gmail outbound process, causing subtle changes that invalidate the DKIM signature.

Key considerations

• Examine headers: Always inspect the full email headers for authentication results to confirm which domain is signing the DKIM and pinpoint the exact error message (e.g., body hash failure).
• Simplify content: Test sending a very basic email, ideally pure ASCII text (hello world), to determine if the issue is content-related or a more fundamental configuration problem.
• Salesforce DKIM setup: Ensure your Salesforce DKIM configuration is optimal. Some reports suggest that reducing the DKIM key length to 1024 bits can help resolve issues with Google rejections, as highlighted on Marc's Security Blog.
• Leverage support: If basic troubleshooting fails, opening a ticket with Salesforce support is crucial, as they have the internal knowledge to diagnose how their system interacts with external SMTP relays like Gmail.

Key opinions

• DKIM verification: Marketers frequently verify their DKIM records using online checkers, which may show a passing status, yet live email sends still fail due to body hash issues. This suggests the problem isn't with the DKIM record itself, but its application or post-signing modification.
• Content impact: There's a strong suspicion that special characters or complex formatting in email templates, especially when originating from Salesforce, could be improperly encoded or handled by Gmail, leading to DKIM signature breaks.
• Support perception: Some marketers express a reluctance to engage with platform support teams, feeling that community forums or self-diagnosis often yield more helpful or faster solutions for intricate deliverability problems.
• Complexity of deliverability: The overall sentiment is that email deliverability, especially involving multiple platforms, is highly complex and often feels like an X-Files-like mystery to solve, as one email marketer observed.

Key considerations

• Isolate the source: Determine if the DKIM failure occurs only when sending through Salesforce and Gmail, or if it also happens when sending directly from Gmail or Salesforce alone. This helps pinpoint where the modification is occurring.
• Header analysis: Familiarize yourself with dissecting email headers to identify the DKIM signing domain (d=) and the authentication results, which will indicate where and why the DKIM check failed.
• Check return-path alignment: Be aware that Salesforce may use its own domain in the Return-Path address, which can cause DMARC failures related to SPF alignment, as explained by AutoSPF.
• Seek community assistance: For complex or niche issues, online communities and forums often provide valuable insights and practical solutions from peers who have encountered similar problems.

Key opinions

• Signature origin: Experts confirm that when using a Salesforce to Gmail SMTP relay, Salesforce is the entity applying the DKIM signature. Google then verifies it. The failure implies a change occurred during or after the relay.
• Content normalization: Issues with content encoding, such as Unicode characters or variations in white space (tabs to spaces), can lead to Google correcting the message body, which then invalidates the Salesforce-applied DKIM signature.
• Troubleshooting methodology: Systematic testing, starting with plain ASCII emails, is recommended to rule out content encoding as the root cause. If simple emails still fail, it points to a more fundamental issue requiring platform-specific investigation.
• Platform support necessity: Despite a general sentiment about unhelpful support, experts emphasize that for complex integrations like Salesforce and Gmail SMTP relay, engaging directly with Salesforce support is often necessary, as they should possess the expertise to resolve such issues.

Key considerations

• Identify signing domain: Always verify the DKIM signing domain (d= field in the Authentication-Results header) to confirm which system is applying the signature, as this directs where to focus troubleshooting efforts.
• Examine content path: Consider the entire journey of the email body from creation in Salesforce to relay via Gmail. Any point where the content might be reformatted or touched by an intermediary system can introduce subtle changes that break the DKIM hash.
• DKIM key length: For specific issues with Google rejecting DKIM-signed messages from Salesforce, some experts have found success by reducing the DKIM key length from 2048 to 1024 bits, as detailed on Marc's Security Blog. It's worth testing if applicable to your setup.
• Alternative signing: As a troubleshooting step, disabling Salesforce's DKIM signing temporarily and allowing Google Workspace to sign the mail instead can help determine if the issue is specific to Salesforce's signing process or the relay itself. For more advanced troubleshooting, exploring tools like Suped's email authentication troubleshooting tools can be beneficial.

Key findings

• DKIM purpose: Documentation confirms that DKIM aims to ensure an email remains unaltered during its journey from the sender to the recipient's mail server, adding a digital signature that recipients can check for authenticity.
• Salesforce setup: Setting up DKIM for Salesforce typically involves navigating to the DKIM Key record in Salesforce, generating CNAME records, and then publishing these in your DNS. This process links your domain to Salesforce for signing.
• Authentication standards: DKIM, along with SPF and DMARC, forms the backbone of email authentication. Proper configuration of all three is essential to improve email deliverability and avoid being blocklisted or flagged as spam.
• Failure implications: If DKIM validation checks fail, many email service providers will raise an alarm, potentially rejecting the email or delivering it to the spam folder, impacting overall inbox placement.

Key considerations

• DNS configuration: Pay close attention to the CNAME record setup for Salesforce DKIM. Errors in copying or publishing these records can lead to DKIM failures. Incorrect DNS entries are a common source of problems.
• SMTP relay awareness: When using an SMTP relay service like Gmail's, understand that Salesforce signs the email before handing it off. Any modifications made by the relay can cause DKIM body hash failures. Consider whether the relay service might be altering content or headers.
• DMARC alignment: Ensure that your SPF and DKIM implementations align with your DMARC policy. Salesforce's default Return-Path can sometimes lead to SPF alignment issues if not properly managed for DMARC.
• Check character sets: Review email content for non-standard character sets or encoding issues that could lead to subtle body modifications when processed by various email systems, as this is a known cause for DKIM body hash verification failures.