Should I trust Gmail's DKIM summary or the raw header?

Trust the raw Authentication-Results header first. If it says dkim=pass , Gmail verified the DKIM signature.

Can DKIM pass while DMARC fails?

Yes. DKIM can verify cryptographically while DMARC fails because the signing domain does not match the visible From domain under the active DMARC matching mode.

Does a DKIM subdomain pass DMARC?

Yes, under relaxed DKIM domain matching. Under strict matching, the signing domain must exactly match the visible From domain.

Should I remove adkim=s?

Remove it only after reviewing all senders. Strict DKIM matching is easy to break when third-party senders or subdomain signing are in use.

What should I do if Gmail shows different results for different recipients?

Compare raw headers from each recipient. If the raw results pass and delivery is normal, keep samples and monitor. If one recipient shows raw DKIM failure, investigate that message path.

Learn

DKIM

Why does Gmail show DKIM failing when it actually passes?

Michael Ko

Co-founder & CEO, Suped

Published 18 Jul 2025

Updated 27 May 2026

8 min read

Summarize with

A calm editorial thumbnail about Gmail showing DKIM as failed even when headers pass.

Gmail can show DKIM as failing when DKIM actually passes because Gmail's visible summary table sometimes reports a domain-matching problem as a DKIM failure. The raw Authentication-Results header is the source I trust first. If that header says dkim=pass and dmarc=pass, the message passed Gmail's authentication checks even if the neat little Gmail summary says DKIM failed.

The usual pattern is simple: the DKIM signature verifies, but the domain in the DKIM signature is a subdomain or a sending-service domain that Gmail's summary does not display correctly. I would confirm the raw header, compare the visible From domain with the DKIM d= domain, then check the selector and key with a DKIM checker. I would not change DNS, loosen DMARC, or rotate keys until the raw header proves a real authentication failure.

Source first: Use the raw Gmail header before the formatted summary table.
Real failure: Treat broken signatures, missing selectors, and modified signed content as actual DKIM problems.
Domain match: Check whether relaxed or strict DMARC matching was in force when the message was sent.
Delivery signal: If delivery is normal and DMARC passes, the Gmail summary alone is not enough evidence.

Why the two Gmail views disagree

Gmail gives you more than one view of the same message. The formatted original message panel tries to simplify authentication for humans. The raw header records the authentication result stamped by Google's mail system. Those two views can disagree when the summary layer turns a domain-matching warning into a DKIM fail label.

Gmail Show original view with a DKIM fail summary beside raw headers that pass.

The raw header is more precise because it separates DKIM verification, SPF verification, and DMARC disposition. The Gmail summary can compress those details. In the confusing case, DKIM has not failed cryptographically. Gmail has verified the signature, then the visible summary flags a domain relationship it thinks is wrong.

Raw Gmail header that proves DKIM passedtext

Authentication-Results: mx.google.com;
  dkim=pass header.i=@mail.example.com header.s=smtp1;
  spf=pass smtp.mailfrom=bounce@mail.example.com;
  dmarc=pass header.from=example.com

Trust the stamped result first

If Gmail stamps dkim=pass in Authentication-Results, the DKIM signature verified at Gmail. The formatted summary can still say fail because it is evaluating a separate domain-matching rule or showing a temporary display issue.

The domain match that matters

DKIM has two related checks. First, the receiver verifies the DKIM signature against the public key at the selector under the signing domain. Second, DMARC checks whether the DKIM signing domain has the right relationship to the visible From domain. Those are not the same test.

With relaxed DKIM domain matching, a signing domain such as mail.example.com can satisfy DMARC for From example.com because both share the same organizational domain. With strict matching, the DKIM signing domain must exactly match the visible From domain. If Gmail's summary applies strict logic when relaxed logic should apply, the summary can be wrong even though Gmail's raw result is right.

Relaxed DKIM matching

Default mode: Used when the DMARC record does not set adkim=s.
Subdomain ok: mail.example.com can match example.com for DMARC.
Common setup: Used by senders that sign from a mail or bounce subdomain.
Gmail risk: The summary can mislabel this when raw headers pass.

Strict DKIM matching

Exact mode: Enabled by adkim=s in the DMARC record.
Subdomain fail: mail.example.com does not match example.com exactly.
Narrow use: Useful only when every sender signs with the exact From domain.
Fix path: Change signing domain or remove strict mode after review.

From	DKIM d=	Relaxed	Strict	Read it as
example.com	example.com	Pass	Pass	Exact match
example.com	mail.example.com	Pass	Fail	Subdomain match
example.com	mailer.vendor.net	Fail	Fail	Wrong domain
mail.example.com	example.com	Pass	Fail	Parent match

How common DKIM domain combinations should be read.

What to check before changing DNS

I use a short checklist before touching DNS. The goal is to prove whether the problem is cryptographic DKIM failure, DMARC domain matching, or a Gmail display issue. A broad domain health check is useful when you also want SPF, DMARC, DNS, and reputation signals in one pass.

Header result: Open Show original and read the raw Authentication-Results line.
Selector key: Confirm the selector in header.s exists in DNS.
Signing domain: Compare header.i with the visible From domain.
DMARC tag: Check whether adkim=s was present when the message was sent.
Recipient spread: Send the same message to several Gmail accounts and compare raw results.

DKIM checker

Check selector records and public key configuration.

?/7tests passed

If the selector record is valid and the header still says dkim=pass, I stop treating the Gmail summary as the main diagnostic. I also check Google DKIM troubleshooting when the domain is on Google Workspace, because key setup and selector publication still need to be correct.

DKIM checker sample results showing selector, DKIM DNS record, validation checks, parameters, and share link

DMARC records that change DKIM domain matchingdns

v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
v=DMARC1; p=quarantine; adkim=s; rua=mailto:dmarc@example.com

Do not loosen policy on a summary alone

A Gmail summary that says DKIM failed is not enough reason to move p=quarantine or p=reject back to p=none. Make the change only when raw headers, aggregate reports, and delivery evidence show real failures.

When it is a real DKIM failure

There are still cases where Gmail is correctly saying DKIM failed. The fastest way to separate real failure from display noise is to look for a bad signature, a missing DNS key, a broken selector, or a message that changed after signing. Receiver-specific behavior also exists, so I keep ISP-specific DKIM failures separate from Gmail's formatted display issue.

Cause	Signal	Fix
Missing key	No selector	Publish TXT
Wrong selector	NXDOMAIN	Update sender
Changed body	Bad hash	Fix relay
Strict mode	Domain fail	Review adkim
Old sample	Stale DNS	Retest now

Common real causes of DKIM failure.

How urgent is the Gmail DKIM warning?

Use raw headers and DMARC results to decide whether to act immediately.

Low

Monitor

Raw header passes DKIM and DMARC.

Medium

Investigate

DKIM passes but DMARC fails domain matching.

High

Fix now

Raw header shows dkim=fail.

Unknown

Collect data

Only a screenshot or redacted header exists.

The message date matters too. If you changed the DMARC record after the message was sent, the current DNS record does not prove what Gmail evaluated at delivery time. Keep the original header sample, the message timestamp, and the DMARC record history together.

How Suped fits the workflow

Suped's product is useful here because one-off header checks do not tell you whether the issue is isolated or repeating across real traffic. Suped turns the question into a workflow: collect DMARC aggregate data, identify the sending source, compare SPF/DKIM outcomes, surface exact fixes, and alert you when a real failure starts.

For most teams, Suped is the best overall fit when this question keeps coming back. It combines DMARC monitoring, SPF lookup control, DKIM checks, hosted DMARC, hosted SPF, hosted MTA-STS, automated issue detection, real-time alerts, and blocklist (blacklist) monitoring in one place. That matters because Gmail summary confusion is rarely the only authentication issue a domain has.

Manual Gmail review

Scope: One message and one recipient at a time.
Evidence: Raw headers, screenshots, and manual comparisons.
Weak spot: Hard to prove whether failures are isolated or widespread.
Best use: Confirming one suspicious Gmail display result.

Suped workflow

Scope: All monitored domains and sending sources.
Evidence: Parsed DMARC reports, source grouping, and issue history.
Fix path: Automated issue detection with steps to fix.
Best use: Ongoing authentication monitoring across a domain portfolio.

DMARC record detail view showing SPF, DKIM, DMARC, rDNS diagnostics, and DNS records

The practical benefit is less guesswork. If Gmail's summary is noisy but aggregate reports show healthy DKIM and DMARC pass rates, I would monitor rather than rush a DNS change. If Suped shows a new source failing, a selector missing, or a strict matching problem, the next step is concrete.

Views from the trenches

Best practices

Trust Authentication-Results before Gmail's summary when the two disagree on DKIM status.

Compare the visible From domain with the DKIM d= domain before changing DNS records.

Keep dated header samples so a mailbox-specific Gmail display change is easier to prove.

Common pitfalls

Do not lower DMARC policy because one Gmail account shows a confusing DKIM summary.

Do not troubleshoot redacted headers when the issue depends on exact domain matching.

Do not confuse DKIM verification with DMARC domain matching in receiver summaries.

Expert tips

Send the same message to several Gmail accounts when a Gmail display issue is suspected.

Check the DMARC adkim tag at the message date, not only the current DNS record.

Use parsed reports to separate Gmail display noise from real authentication failures fast.

Expert from Email Geeks says Gmail's visible summary can report a DKIM failure while mx.google.com stamps dkim=pass and dmarc=pass in the raw header.

2025-02-07 - Email Geeks

Expert from Email Geeks says some cases look like Gmail checks strict domain matching in the summary even when relaxed DMARC matching should pass.

2025-02-07 - Email Geeks

What I would do next

I would treat Gmail's DKIM fail summary as a prompt to inspect the raw header, not as proof that DKIM failed. If the raw header says dkim=pass and DMARC passes, keep monitoring and document the sample. If the raw header says dkim=fail, fix the selector, key, signer, or relay path before changing policy.

The cleanest long-term setup is boring: sign with a domain that matches your visible From policy, avoid strict DKIM matching unless every sender supports it, and monitor real DMARC reports instead of relying on one mailbox's display. Suped's product helps with that because it turns scattered DKIM, SPF, DMARC, MTA-STS, and blocklist signals into fixable issues.