Why does Gmail show DKIM failing when it actually passes?
Summary
What email marketers say
11 marketer opinions
Email marketer from AuthSMTP explains that SPF (Sender Policy Framework) should also be correctly configured. Problems with SPF can sometimes lead to DKIM being scrutinized more closely by Gmail. A comprehensive authentication setup including both SPF and DKIM is crucial.
Email marketer from DigitalOcean shares that a passing DKIM is not enough. Even with valid DKIM, if the sending IP address or domain has a poor reputation, Gmail might still flag the email. Maintaining a good sender reputation is essential for deliverability.
Email marketer from Reddit shares that problems might arise when email forwarders change the message. Forwarding can modify the message headers or body, breaking the DKIM signature. The user suggests checking if the issue occurs specifically with forwarded emails.
Email marketer from MXToolbox states that even if DKIM passes, DMARC can still fail if DKIM alignment isn't met. They suggest ensuring that the DKIM signing domain aligns with the From domain for DMARC to pass, which can influence how Gmail treats the email.
Email marketer from Email Geeks suggests a Gmail/Google blip, as DKIM is now passing as it did before it inexplicably started to fail.
Email marketer from Superuser shares that if the DKIM record is set up on a subdomain (e.g., `s1.example.com`), but the email is sent from the main domain (`example.com`), this might cause alignment issues. They advise ensuring that the DKIM signing domain matches the sending domain.
Email marketer from StackExchange discusses that there could be intermediate servers modifying the message content after the DKIM signature is applied. Even if the initial DKIM check passes, changes to the message body can invalidate the signature, leading to a DKIM failure at the receiving end.
Email marketer from EmailOnAcid explains that temporary DNS resolution issues can cause DKIM to fail intermittently. If Gmail can't properly resolve the DKIM signing domain's DNS records at the time of verification, it may incorrectly report a DKIM failure.
Email marketer from EasyDMARC explains that if your DMARC policy is set to `p=quarantine` or `p=reject`, and DKIM fails alignment, Gmail might quarantine or reject the email, causing it to appear as a DKIM failure. Review the DMARC policy to ensure it aligns with the DKIM setup.
Email marketer from Email Geeks confirms that this issue is fixed on some Gmail addresses, but not yet on all. It is thought that Gmail is rolling out a fix to this but doing so gradually.
Email marketer from EmailVendorSelection mentions a common scenario where DKIM passes authentication but Gmail still displays a 'DKIM: FAIL' message in the header due to alignment issues. Even if the DKIM signature is valid, if the domain used to sign the email (DKIM domain) doesn't match the domain in the 'From' address, Gmail may show a failure, even though the DKIM check itself passed.
What the experts say
6 expert opinions
Expert from Email Geeks explains that while Gmail is technically correct that it's not aligned in a strict sense, the new code appears buggy and is reporting incorrectly.
Expert from Spamresource.com explains that even if DKIM passes initially, some intermediate servers could be rewriting parts of the email (including headers) thus invalidating DKIM. For example, adding a disclaimer or footer after DKIM signing can invalidate the signature. They advise checking if there are any servers rewriting the email after it’s signed.
Expert from Email Geeks explains that Gmail is reporting DKIM failures even when DKIM actually passes, specifically when the DKIM domain doesn't align with the 5322.from domain. This reporting is arguably wrong, as the DKIM signature is verified and passing.
Expert from Email Geeks indicates that the issue is likely a bug in the formatted version headers that Google shows users, and that Google seems to be correctly identifying the mail as aligned and passing during the SMTP session.
Expert from Email Geeks mentions there seems to be a bug in Gmail's summary table regarding alignment checks, sometimes incorrectly claiming things aren't aligned when they are, and it looks like it’s not doing proper PSL based alignment checks, rather it’s checking suffixes (and getting it wrong).
Expert from Email Geeks states that Gmail's summary table is unreliable and asks if there are any actual delivery issues. He confirms the table shows DKIM misalignment when it's actually aligned.
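The difference between DKIM passing and DKIM aligning, and between a PSL-based alignment check and a plain suffix comparison, can be reproduced from an Authentication-Results header. The following is an added example, not code from Gmail or from any of the sources quoted here; the sample header, its domains, the four-entry Public Suffix List subset and the `naive_suffix_aligned` helper are constructed for illustration.

```python
import re

# Constructed subset of the Public Suffix List (PSL); a real check loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "uk", "co.uk"}

# Constructed sample header; all domains are placeholders.
SAMPLE = (
    "Authentication-Results: mx.example.net;\r\n"
    " dkim=pass header.i=@s1.example.com header.s=sel1 header.b=AbCdEfGh;\r\n"
    " dkim=pass header.i=@esp-mail.net header.s=k2 header.b=IjKlMnOp;\r\n"
    " dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com"
)

def organizational_domain(domain):
    """Public suffix plus one label; the longest matching suffix wins."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels

def aligned(dkim_domain, from_domain, strict=False):
    """DMARC alignment: exact match (strict) or same organizational domain (relaxed)."""
    d, f = dkim_domain.lower(), from_domain.lower()
    if strict:
        return d == f
    return organizational_domain(d) == organizational_domain(f)

def naive_suffix_aligned(dkim_domain, from_domain):
    """Hypothetical string-suffix comparison, shown only to contrast with the PSL check."""
    return from_domain.lower().endswith(dkim_domain.lower())

def dkim_report(header):
    """Return (result, signing domain, relaxed aligned, strict aligned) per dkim= entry."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    from_domain = re.search(r"header\.from=([\w.-]+)", unfolded).group(1)
    rows = []
    for clause in unfolded.split(";"):
        m = re.search(r"\bdkim=(\w+).*?header\.[di]=(?:[^@\s;]*@)?([\w.-]+)", clause)
        if m:
            result, d = m.group(1), m.group(2)
            rows.append((result, d, aligned(d, from_domain), aligned(d, from_domain, True)))
    return rows

if __name__ == "__main__":
    for row in dkim_report(SAMPLE):
        print(row)
```

Both signatures in the sample verify, but only the `s1.example.com` one aligns with the From domain, and only in relaxed mode; the suffix comparison gets that case wrong and also accepts `ample.com` for `example.com`.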
What the documentation says
4 technical articles
Documentation from Google Workspace Admin Help explains that the Authentication-Results header shows the results of SPF, DKIM, and DMARC checks. A 'pass' result for DKIM means the message was signed by a legitimate sender and the signature was verified.
Documentation from dmarcian explains that DKIM alignment refers to how well the domain used to sign the email matches the domain in the 'From' address. DMARC requires either SPF or DKIM to align with the From domain for the message to pass DMARC authentication. If DKIM passes but doesn't align, DMARC might still fail.
Documentation from Microsoft mentions that some email systems, including Gmail, apply additional checks and filters beyond DKIM verification. These systems may flag an email even if DKIM passes due to other factors like content, sender reputation, or user feedback.
Documentation from RFC 6376, which defines DKIM, specifies that a DKIM signature covers certain parts of the message, including headers and body. If any of these covered parts are altered in transit, the DKIM signature will fail to verify, even if it initially passed.