Troubleshoot DKIM issues

Follow the troubleshooting steps in this article if messages sent from your domain are:

  • Not passing DKIM authentication
  • Rejected by receiving servers
  • Sent to recipients’ spam folders

Many DKIM issues can be identified and resolved by following the steps in this article.


Verify DKIM is set up correctly

Verify DKIM is set up correctly by following the steps in Set up DKIM.

Verify messages pass DKIM authentication

You can look at the message headers in email to see whether messages sent from your domain pass DKIM authentication checks.

Recommended steps:

  • Check the headers in a message sent from your domain to verify it passed DKIM.
  • If the message doesn't pass DKIM authentication, try sending to another recipient, for example a personal Gmail address. This can help rule out issues with the receiving server.
  • In Gmail, click Show original for a message, then check the DKIM status in the original message. Learn more about checking message headers in Gmail.
  • Enter message headers into Google Admin Toolbox Messageheader tool and check the DKIM status.

See also Check if your Gmail message is authenticated.

Verify DKIM key is correct at domain provider

Most DKIM TXT records can have up to 255 characters. You cannot enter a 2048-bit key as a single text string with a 255-character TXT record limit. Your DKIM key might be truncated, or your DKIM records might be sent out of order.

Recommended steps:

  • If you’re not able to enter your entire DKIM TXT record value as a single text string, follow the steps in Verify domain provider TXT record character limits.
  • Compare the DKIM TXT record value at your provider with the value in your Admin console, and verify your DKIM key is correct:
    1. Get the DKIM TXT record value from the Admin console, for example google._domainkey.
    2. Go to the Google Admin Toolbox Dig tool.
    3. Click TXT.
    4. Enter the DKIM TXT record value from Step 1, then add a period (.) and your domain name to this value.
      For example, if your domain is example.com and the DKIM TXT record value is google._domainkey, enter: google._domainkey.example.com.
    5. Compare the results to the value in your Admin console. If all key characters are included and in the correct order, the DKIM key can be in 2 parts.

Check message forwarding

Even when DKIM is correctly set up for your domain, forwarded messages can fail DKIM. This can be a result of how a mail server forwards messages.

Recommended steps for email senders:

  • Make sure the message wasn’t changed during transit. Find the Authentication-Results: header. If the text next to the dkim entry is "body hash did not verify", the message was modified during transit.
  • If you use an outbound gateway, make sure it doesn't modify outgoing messages before they're sent. For example, some outbound gateways add a footer to the bottom of every outgoing message. This can cause DKIM to fail because message contents are changed after the message was sent.

Recommended steps for email recipients:

  • Use Email Log Search to verify the message was forwarded. If the person who reported the message as spam isn’t the original recipient, it’s likely the message was forwarded.
  • Contact the service that forwarded the message to find out if they can change the way they forward messages.

See also Best practices for forwarding email to Gmail.

Verify domain provider TXT record character limits

If you get an error when you enter the DKIM value, your domain provider might limit the number of characters allowed in the DNS TXT record.

Recommended steps:

If you’re using a 2048-bit DKIM key, you can’t enter it as a single text string in a DNS record with a 255-character limit. Instead, take these steps:

  1. Split the key characters into multiple text strings.
  2. Put each string inside quotes.
  3. Enter the strings one after another in the TXT record Value field at your domain provider.

In this example, a long DKIM key is split into two text strings, and each string is inside quotes:

"k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAraC3pqvqTkAfXhUn7Kn3JUNMwDkZ65ftwXH58anno/bElnTDAd/idk8kWpslrQIMsvVKAe+mvmBEnpXzJL+0LgTNVTQctUujyilWvcONRd/z37I34y6WUIbFn4ytkzkdoVmeTt32f5LxegfYP4P/"

"w7QGN1mOcnE2Qd5SKIZv3Ia1p9d6uCaVGI8brE/7zM5c/zMthVPE2WZKA28+QomQDH7ludLGhXGxpc7kZZCoB5lQiP0o07Ful33fcED73BS9Bt1SNhnrs5v7oq1pIab0LEtHsFHAZmGJDjybPA7OWWaV3L814r/JfU2NK1eNu9xYJwA8YW7WosL45CSkyp4QeQIDAQAB"

You can also try:

  • Using a 1024-bit key by selecting that option when you Generate a DKIM key pair.
  • Contacting your domain host to find out whether TXT records with more than 255 characters can be supported. If they are, you can update your DNS record with a 2048-bit DKIM key by following the steps in Generate a DKIM key pair.

We recommend adding no more than 49 TXT records at your domain provider because this is the maximum number supported by most domain providers. 
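The splitting steps above and the comparison described in Verify DKIM key is correct at domain provider can be scripted. This is an added example, not Google's code: the function names are hypothetical, the key is a constructed placeholder, and the published answer is assumed to be pasted in the quoted form that dig-style tools print.

```python
import re
import string
from itertools import permutations

MAX_STRING = 255  # the 255-character limit on one text string

def split_txt_value(value, limit=MAX_STRING):
    """Split a record value into quoted strings no longer than `limit`."""
    return " ".join(f'"{value[i:i + limit]}"' for i in range(0, len(value), limit))

def quoted_strings(rdata):
    """Return the quoted strings of a TXT answer, in published order."""
    return re.findall(r'"([^"]*)"', rdata)

def _norm(text):
    # Comparison choice: ignore spacing differences between the two sources.
    return re.sub(r"\s+", "", text)

def compare_dkim_record(published_rdata, expected_value):
    """Classify the published record against the Admin console value."""
    parts = quoted_strings(published_rdata)
    want = _norm(expected_value)
    got = _norm("".join(parts))
    if got == want:
        return "match"            # all characters present, in the right order
    if got and want.startswith(got):
        return "truncated"        # the tail of the key is missing
    # Try reorderings only for a small number of strings (bounded work).
    if len(parts) <= 6 and any(_norm("".join(p)) == want for p in permutations(parts)):
        return "out-of-order"     # all parts present, published in wrong order
    return "mismatch"

# Constructed sample: 392 placeholder characters stand in for a 2048-bit key.
FAKE_KEY = ((string.ascii_letters + string.digits) * 7)[:392]
EXPECTED = "v=DKIM1; k=rsa; p=" + FAKE_KEY

if __name__ == "__main__":
    good = split_txt_value(EXPECTED)
    first, second = quoted_strings(good)
    print(compare_dkim_record(good, EXPECTED))
    print(compare_dkim_record(f'"{first}"', EXPECTED))
    print(compare_dkim_record(f'"{second}" "{first}"', EXPECTED))
```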

Check the number of DKIM signatures

Messages can be signed with more than one DKIM signature. However, Gmail checks only the first 5 signatures listed in the Authentication-Results: message header. Gmail checks the signatures in the order they appear in the header. If the authenticating signature isn't one of the first 5 signatures listed in the header, the message fails DKIM authentication. This might also cause the message to fail DMARC.

To verify the signatures that Gmail checks for any message, check the Authentication-Results: header in the message. For detailed steps to check Gmail message headers, visit Trace an email with its full header.
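The header checks from this section and from Check message forwarding can be automated over a saved message. This is an added example, not Google's code: the function names and result labels are hypothetical, and both sample messages are constructed.

```python
import re
from email import message_from_string

GMAIL_CHECK_LIMIT = 5  # per this article: only the first 5 signatures are checked
DKIM_ENTRY = re.compile(r"\bdkim=(\w+)\s*(?:\(([^)]*)\))?([^;]*)")

def dkim_entries(raw_message):
    """Return (result, reason, domain) for each dkim entry, in header order."""
    msg = message_from_string(raw_message)
    entries = []
    for header in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(header.split())  # undo header line folding
        for result, reason, props in DKIM_ENTRY.findall(unfolded):
            ident = re.search(r"header\.[id]=(\S+)", props)
            domain = ident.group(1).rsplit("@", 1)[-1].lower() if ident else ""
            entries.append((result.lower(), reason, domain))
    return entries

def diagnose(raw_message, sender_domain):
    """Map the dkim entries for one domain onto the causes this article lists."""
    mine = [(pos, result, reason)
            for pos, (result, reason, domain) in enumerate(dkim_entries(raw_message), 1)
            if domain == sender_domain.lower()]
    if not mine:
        return "no-signature-for-domain"
    if any(r == "pass" and pos <= GMAIL_CHECK_LIMIT for pos, r, _ in mine):
        return "pass"
    if any(r == "pass" for _, r, _ in mine):
        return "pass-outside-first-5"
    if any("body hash did not verify" in reason for _, _, reason in mine):
        return "modified-in-transit"
    return "fail"

# Constructed sample: the body changed after signing (for example, a footer).
MODIFIED = (
    "Authentication-Results: mx.google.com;\n"
    "       dkim=neutral (body hash did not verify) header.i=@example.com;\n"
    "       spf=pass smtp.mailfrom=user@example.com\n"
    "From: user@example.com\n\nbody\n")
# Constructed sample: the sender's own signature is listed sixth.
CROWDED = ("Authentication-Results: mx.google.com;\n"
    + "".join(f"       dkim=pass header.i=@relay{n}.example.net;\n" for n in range(1, 6))
    + "       dkim=pass header.i=@example.com\nFrom: user@example.com\n\nbody\n")

if __name__ == "__main__":
    print(diagnose(MODIFIED, "example.com"))
    print(diagnose(CROWDED, "example.com"))
```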

Review your email sending practices

If DKIM is set up correctly but messages are sent to spam, the cause might be something other than DKIM. 

Recommended step:

Contact admins for servers rejecting DKIM-signed messages

If DKIM is set up correctly, receiving servers may still reject messages sent from your domain, or send messages to recipients’ spam folder.

Recommended steps:

  • Contact the administrator for the rejecting email server.
  • Set up DMARC so you get reports about DKIM authentication results. Go to Set up DMARC.
  • If you're setting up DKIM with an email system other than Google Workspace, do not use the DKIM length tag (l=) in outgoing messages. Messages using this tag are vulnerable to abuse. Learn more in Section 8.2 of RFC 6376.

