Suped

Why does G-Suite Check MX toolbox say DKIM is not set up when email headers show DKIM and SPF pass?

12 Marketer opinions4 Expert opinions3 Technical articles3 Resources

Summary

The G-Suite Check MX toolbox might incorrectly indicate that DKIM is not set up, despite email headers showing DKIM and SPF as passing, due to a combination of factors. These include: potential issues with MXToolbox itself (caching, glitches, using the wrong test), DNS-related problems (propagation delays, incorrect domain being tested, querying from the wrong location, DNS syntax errors), DKIM configuration issues (missing or incorrect DKIM selector, using multiple DKIM keys with ESPs, focusing on branded keys only), SPF record problems (missing SPF records, or needing Google-specific SPF records when sending via Google), and the inherent differences in how various DNS checkers operate. Manual verification of DKIM records and careful attention to DNS setup are crucial for accurate assessment.

Key findings

  • MXToolbox Issues: MXToolbox might be caching old data, experiencing glitches, or using an incorrect test, leading to false negatives.
  • DNS Propagation: DNS changes take time to propagate; the MXToolbox might be checking before propagation is complete.
  • Domain Mismatch: Ensure the domain being tested in MXToolbox exactly matches the sending domain.
  • Multiple DKIM Keys: ESPs might use their own DKIM key in addition to a branded key. MXToolbox might only be checking for one.
  • SPF Configuration: If sending from Google Workspace, specific SPF records are required. Missing SPF records can also be a factor.
  • Incorrect DKIM Selector: Using an incorrect DKIM selector in the DNS record will cause validation failures.
  • DNS Query Location: The DNS record must be queried from the correct location to obtain accurate results.
  • Checking differences: Different checkers use different underlying code and query from different locations, which can sometimes lead to inconsistencies in the results they display

Key considerations

  • Manual Verification: Use command-line tools (dig, nslookup) to manually verify DKIM configuration and bypass potential tool limitations.
  • DKIM Signature Inspection: Inspect the 'd=' and 's=' tags in the DKIM signature of email headers to ensure consistency with DNS records.
  • Google Workspace Guide: If using Google Workspace, follow the official setup guide meticulously, including key generation, TXT record addition, and DKIM enabling.
  • DNS Syntax: Carefully check DNS records for syntax errors (extra spaces, missing quotes). Utilize a DNS record checker.
  • SPF record review: Review SPF records, if sending from a Google domain or using G-Suite.
  • Domain Name Verification: Pay attention to the differences in the domain name of the DKIM = PASS, as it may be the same with SPF

What email marketers say
12Marketer opinions

The G-Suite Check MX toolbox might report that DKIM is not set up even when email headers show DKIM and SPF as passing due to several reasons. These include DNS caching issues with MXToolbox, DNS propagation delays, testing the wrong domain, multiple DKIM keys being used (one by the domain and another by the ESP), the need for specific G-Suite DNS configurations (SPF, DKIM, DMARC), incorrect DKIM selector names, querying DNS records from the wrong location, issues with DNS syntax, and differences in the underlying code used by different DNS record checkers.

Key opinions

  • DNS Caching: MXToolbox might be caching old DNS records, leading to inaccurate results. Clear your browser cache or use a different browser.
  • DNS Propagation: DNS changes can take up to 48 hours to propagate. The MXToolbox might be checking before the changes are fully visible.
  • Domain Verification: Ensure you are testing the correct domain in MXToolbox, matching the domain used to send emails. Typos can lead to incorrect results.
  • Multiple DKIM Keys: The email might be signed with multiple DKIM keys, one from your domain and one from your ESP. MXToolbox may only check for your domain's key.
  • G-Suite Configuration: G-Suite requires specific DNS configurations (SPF, DKIM, DMARC). Follow Google's official setup guides.
  • Incorrect DKIM Selector: An incorrect DKIM selector name in the DNS records can cause validation failures.
  • Query Location: Ensure the DNS record is being queried from the correct location to avoid discrepancies.
  • SPF Records: Missing SPF records on your sending domain may be an issue, even if not using it as a returnpath. It is advised to add SPF records.

Key considerations

  • DNS Syntax: Ensure there are no syntax errors (extra spaces, missing quotes) in the DNS records. Use a DNS record checker.
  • Multiple Checkers: Different checkers use different code and query from different locations, leading to inconsistent results. Use multiple tools for verification.
  • Record Updates: When setting up SPF and DKIM, double check your values you have copied in the tool match the ones in your DNS records.
  • Domain Name: Pay attention to the differences in the domain name of the DKIM = PASS, as it may be the same with SPF
Marketer view

Email marketer from StackExchange explains that MXToolbox sometimes caches old DNS records, leading to inaccurate results. Try clearing your browser cache or using a different browser to see if the issue persists.

June 2023 - StackExchange
Marketer view

Email marketer from Reddit suggests that DNS propagation delays could be the reason. It can take up to 48 hours for DNS changes to fully propagate across the internet, so the MXToolbox might be checking before the changes are fully visible.

July 2023 - Reddit
Marketer view

Email marketer from DNSimple Blog shares that G-Suite requires specific DNS configurations, including SPF, DKIM, and DMARC. It’s important to follow Google’s official setup guides to ensure that all the necessary records are correctly configured.

November 2024 - DNSimple Blog
Marketer view

Email marketer from Email Provider Forum suggests that the email might be signed with multiple DKIM keys, one from your domain and one from your email service provider (ESP). MXToolbox might only be checking for your domain's key.

December 2022 - Email Provider Forum
Marketer view

Email marketer from Sparkpost states that an incorrect DKIM selector might be used in DNS records. The selector is a name for the DKIM record, so make sure you’re using the same selector that you specified when you set up DKIM.

October 2021 - Sparkpost
Marketer view

Email marketer from StackOverflow mentions to ensure that the DNS record is being queried from the correct location to avoid discrepancies between the record's actual existence and results shown on a toolbox.

April 2022 - StackOverflow
Marketer view

Email marketer from Mailhardener Blog explains that incorrect DKIM selector name used in DNS records can cause the records to fail validation on external validation sites.

October 2024 - Mailhardener Blog
Marketer view

Email marketer from EmailonAcid explains DNS Syntax errors can cause issues, so ensure there are no syntax errors such as extra spaces, missing quotes, and so on. It would also be ideal to use a DNS record checker to see if it helps find issues.

April 2024 - EmailonAcid
Marketer view

Email marketer from Google Groups mentions to check if the domain being tested in MXToolbox is the exact same domain that's being used to send the emails. A slight typo can lead to incorrect results.

August 2021 - Google Groups
Marketer view

Email marketer from Email Geeks suggests paying attention to the differences in the domain name of the DKIM = PASS, as it may be the same with SPF.

October 2023 - Email Geeks
Marketer view

Email marketer from Mailjet mentions to check whether the DNS records are properly entered. When setting up SPF and DKIM, you’ll need to update your domain’s DNS records. Make sure that the values you have copied in the tool match the ones in your DNS records.

January 2025 - Mailjet
Marketer view

Email marketer from Email Geeks explains that you are missing SPF records on your sending domain. Not that it is needed if you do not use it as "returnpath" address but, it is still advised.

February 2022 - Email Geeks

What the experts say
4Expert opinions

The G-Suite Check MX toolbox might incorrectly report DKIM as not set up despite passing email headers for several reasons. Some ESPs sign with both their own and the brand's DKIM keys, and the branded key may be missing. The MX Toolbox itself may be faulty, running the wrong test, or experiencing a temporary glitch. If sending from Google's domain, specific SPF records must be added. Different checkers use different code and query locations, leading to inconsistencies.

Key opinions

  • Branded DKIM Key: ESPs may use their own DKIM key in addition to a branded key. Ensure the branded key exists and is properly configured.
  • Toolbox Errors: The MX Toolbox may be incorrect due to a glitch, improper test selection, or outdated data.
  • SPF Records for Google: If sending from a Google domain, specific SPF records must be added for proper authentication.
  • Inconsistent Checkers: Different DNS checkers can produce different results due to varying code, query locations, and update statuses.

Key considerations

  • Manual Lookup: Verify DKIM setup manually to confirm tool accuracy. Tools might be faulty.
  • SPF Record Review: Verify the SPF record if sending from a Google domain or using G-suite.
  • ESP Configuration: Review configuration with your ESP regarding DKIM keys and ensure the right key is used.
Expert view

Expert from Word to the Wise explains that different checkers use different underlying code and query from different locations, which can sometimes lead to inconsistencies in the results they display. It's possible the MX Toolbox is experiencing a temporary glitch or is querying a DNS server that hasn't yet updated.

November 2022 - Word to the Wise
Expert view

Expert from Email Geeks explains if you plan on sending from Google with that domain, you need to add them to your SPF record. The current record is `<http://comms.uwe.ac.uk|comms.uwe.ac.uk>. 3600 IN TXT "v=spf1 include:<http://spf.dotmailer.com|spf.dotmailer.com> -all"`

August 2021 - Email Geeks
Expert view

Expert from Email Geeks explains that some ESPs sign with a key belonging to them and one belonging to your brand. It's possible the branded key doesn't exist.

April 2021 - Email Geeks
Expert view

Expert from Email Geeks believes the MX Toolbox might be wrong or the wrong test was selected, as the key appears functional and a manual lookup confirms it's fine.

March 2024 - Email Geeks

What the documentation says
3Technical articles

If G-Suite Check MX toolbox shows DKIM is not set up, despite email headers passing DKIM and SPF, it is advisable to manually verify the DKIM setup. This can be achieved by using command-line tools like `dig` or `nslookup` to query DNS records directly, or by manually inspecting the DKIM signature in the email header, particularly the 'd=' and 's=' tags. Following Google Workspace's official DKIM setup guide is also crucial to ensure proper configuration, including key generation, TXT record addition, and enabling DKIM signing.

Key findings

  • Manual DNS Query: Command-line tools can bypass issues with online testing tools by directly querying DNS records.
  • DKIM Signature Inspection: Manually inspect the 'd=' and 's=' tags in the DKIM signature to verify they match the DNS record.
  • Google Workspace Guide: Following Google's official setup guide ensures proper DKIM configuration within Google Workspace.

Key considerations

  • DNS Record Accuracy: Confirm that the values obtained from DNS queries match the DKIM signature details.
  • Key Management: Ensure the DKIM key is properly generated and enabled within Google Workspace settings.
  • TXT Record Propagation: Verify the TXT record for DKIM has fully propagated across DNS servers.
Technical article

Documentation from RFC6376 explains the precise format of a DKIM signature in the email header. You can manually inspect the 'd=' (domain) and 's=' (selector) tags to ensure they match your DKIM record.

November 2023 - RFC Editor
Technical article

Documentation from DKIM.org explains that you can use command-line tools like `dig` or `nslookup` to manually query the DNS records and verify the DKIM configuration. This can bypass any potential issues with online testing tools.

November 2021 - DKIM.org
Technical article

Documentation from Google Workspace Admin Help explains the complete DKIM setup process for Google Workspace, which includes generating a DKIM key, adding the TXT record to your domain's DNS, and enabling DKIM signing in the Google Workspace admin console.

May 2021 - Google

Related resources
3Resources

Phishing email passing SPF and DMARC : r/gsuite
Phishing email passing SPF and DMARC : r/gsuite

Posted by u/TheManWithSaltHair - 6 votes and 16 comments

Reddit
O365 Emails going to Gmail Spam - Collaboration - Spiceworks ...
O365 Emails going to Gmail Spam - Collaboration - Spiceworks ...

Hi, I have pretty much given up on this issue, so I created an account on Spiceworks to give it one last shot. The issue I am having is that all my organization’s emails (a total of 2 users) that are sent to Google Workspace/Gmail are being marked as spam regardless of recipient or content. We just figured this out a few days ago and I don’t know what to do. I have tried everything, from confirming DKIM, DMARC and SPF are all set up correctly, removing any unnecessary HTML from email messages...

Spiceworks Community
E-Mail from WHMCS ends up in Junk/Spam Folder of outlook.com ...
E-Mail from WHMCS ends up in Junk/Spam Folder of outlook.com ...

Hi. I am using WHMCS in SMTP-sending mode. The e-mails to our customers are always ending up in the spam folders of major providers. What is interesting: If I send an email using an Outlook-client through our mailserver it gets delivered correctly as ham to outlook.com/hotmail. I started investig...

WHMCS.Community

Related questions