Why is DKIM failing when sending from Salesforce via Gmail?

Summary

DKIM failures when sending emails from Salesforce through Gmail are a multifaceted issue stemming from content modification by Gmail's SMTP relay, character encoding discrepancies between Salesforce and Gmail, incorrect DNS settings, DKIM alignment problems, forwarding issues, and misconfigured Gmail/Salesforce setups. Resolutions involve ensuring content integrity during transmission, proper DKIM configuration across platforms, consistent character encoding practices, DNS record verification, header analysis, testing with plain text emails, and potentially disabling Salesforce's DKIM signing.

Key findings

  • Content Modification: Gmail's SMTP relay and other services modify email content after Salesforce signs it, invalidating the DKIM signature due to a body hash mismatch.
  • Encoding Discrepancies: Different character encodings between Salesforce and Gmail can alter the email body, leading to DKIM failures.
  • Configuration Errors: Incorrectly configured Gmail settings, DNS records, and DKIM setups in both Salesforce and Gmail contribute to DKIM failures.
  • Alignment Issues: DKIM alignment problems, where the domain in the DKIM signature doesn't match the 'From:' header domain, can cause verification failures.
  • Forwarding Breaks DKIM: Forwarding an email can cause DKIM signatures to fail because the content is changed.

Key considerations

  • Maintain Content Integrity: Ensure email content remains unchanged during transmission to preserve DKIM validity, potentially by adjusting DKIM configurations.
  • Implement Consistent Encoding: Use consistent character encoding (e.g., UTF-8) between Salesforce and Gmail.
  • Validate DNS Settings: Verify DNS TXT records for DKIM are correctly configured and fully propagated.
  • Perform Header Analysis: Analyze email headers to pinpoint where alterations are occurring.
  • Test Basic Emails: Test with simple, plain ASCII text emails to isolate encoding issues.
  • Review Configurations: Thoroughly review DKIM, Salesforce, and Gmail configurations to ensure correct setups.
  • Assess DKIM Alignment: Confirm that the 'd=' tag in the DKIM signature aligns with the domain used in the 'From:' header.
  • Consider Alternative Signing: Disable Salesforce DKIM signing and let Google Workspace sign instead to see if that fixes the issue.
  • Raise Support Ticket: Raise a support ticket with Salesforce.
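
The body hash, encoding and alignment checks listed above can be run offline against a captured message. The following is an added example, not code from any of the sources cited on this page: it recomputes `bh=` using the canonicalization rules of RFC 6376 and compares `d=` with the `From:` domain. The message, the domain `example.com`, the selector `sel1`, the `b=PLACEHOLDER` value and all function names are constructed for illustration, and no DNS lookup or RSA verification is performed.

```python
import base64, hashlib, re
from email import message_from_bytes
from email.utils import parseaddr

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization from RFC 6376 section 3.4 ('simple' or 'relaxed')."""
    body = re.sub(rb"\r?\n", b"\r\n", body)               # normalise to CRLF
    if mode == "relaxed":
        body = re.sub(rb"[ \t]+(?=\r\n|\Z)", b"", body)   # drop trailing whitespace
        body = re.sub(rb"[ \t]+", b" ", body)             # collapse whitespace runs
    body = re.sub(rb"(?:\r\n)+\Z", b"", body)             # drop trailing empty lines
    return body + b"\r\n" if body or mode == "simple" else body

def body_hash(body: bytes, mode: str, algo: str = "sha256") -> str:
    return base64.b64encode(hashlib.new(algo, canon_body(body, mode)).digest()).decode()

def check(raw: bytes) -> dict:
    """Recompute bh= and compare d= with the From: domain (no DNS, no RSA check)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    msg = message_from_bytes(head + b"\r\n\r\n")
    tags = {}
    for part in msg["DKIM-Signature"].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    algo = tags.get("a", "rsa-sha256").split("-")[1]
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return {"body_hash_ok": body_hash(body, mode, algo) == tags["bh"],
            "d_matches_from": tags["d"].lower() == from_domain}

def make_signed(body: bytes, c: str, d: str = "example.com") -> bytes:
    """Constructed sample message: real bh=, placeholder b= (nothing is RSA-signed)."""
    head = (f"From: Sales <rep@example.com>\r\nSubject: Quote\r\n"
            f"DKIM-Signature: v=1; a=rsa-sha256; c={c}; d={d}; s=sel1; "
            f"h=from:subject; bh={body_hash(body, c.split('/')[1])}; b=PLACEHOLDER\r\n\r\n")
    return head.encode() + body

if __name__ == "__main__":
    body = b"Hello  caf\xc3\xa9\r\n"                      # UTF-8 body, double space
    for c in ("simple/simple", "relaxed/relaxed"):
        msg = make_signed(body, c)
        cases = {"unchanged": msg,
                 "whitespace rewrapped": msg.replace(b"Hello  caf", b"Hello caf"),
                 "re-encoded to Latin-1": msg.replace(b"\xc3\xa9", b"\xe9"),
                 "footer appended": msg + b"-- \r\nSent via relay\r\n"}
        for name, raw in cases.items():
            print(c, name, check(raw))
```

Relaxed body canonicalization absorbs whitespace-only changes, while a re-encoded character or an appended footer fails the body hash under both modes.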

What email marketers say
8 marketer opinions

DKIM failures when sending emails from Salesforce through Gmail often arise from several interconnected issues. These include Gmail's SMTP relay modifying email content after Salesforce has applied its DKIM signature, encoding differences between Salesforce and Gmail leading to altered email bodies, misconfigured Gmail settings, incorrect DNS records, and alignment issues between the DKIM signature's domain and the 'From:' header. Analyzing email headers is crucial for identifying where the alteration occurs, and ensuring proper configuration and consistent encoding practices are essential for resolving the problem.

Key opinions

  • Content Modification: Gmail's SMTP relay might modify the email body after Salesforce signs it, invalidating the DKIM signature.
  • Encoding Issues: Character encoding differences between Salesforce and Gmail can alter the email body, causing DKIM failure.
  • Configuration Problems: Incorrectly configured Gmail settings can interfere with DKIM signatures.
  • DNS Settings: Incorrectly configured or unpropagated DNS TXT records for DKIM can cause verification failures.
  • Alignment Problems: DKIM alignment issues, where the domain in the DKIM signature doesn't match the 'From:' header domain, can lead to failures.
  • Forwarding Issues: Forwarding or relaying via Gmail breaks the DKIM signature because the message is modified.

Key considerations

  • Check Configuration: Ensure DKIM keys are correctly configured in both Salesforce and Google Workspace.
  • Consistent Encoding: Use consistent character encoding (e.g., UTF-8) between Salesforce and Gmail.
  • Analyze Headers: Perform a full analysis of email headers to identify where the DKIM signature is being altered.
  • Verify DNS Records: Verify that the DNS TXT record for DKIM is correctly configured and fully propagated.
  • Test Simple Emails: Send simple emails with plain ASCII text to isolate character encoding issues.
  • Evaluate Gmail Settings: Review Gmail SMTP relay settings for potential DKIM-related conflicts.
  • Signature Alignment: Confirm the d= tag in the DKIM signature matches the domain used in the From: header.

Marketer view

Email marketer from EmailOnAcid suggests that Salesforce and Gmail should be properly configured to handle DKIM signatures. If Salesforce is signing the email, Gmail needs to be configured to respect that signature and not alter the email content after it's been signed.

December 2022 - EmailOnAcid
Marketer view

Email marketer from StackExchange explains that forwarding can break DKIM. When an email is forwarded, the content is often modified, causing the DKIM signature to become invalid. When sending from Salesforce via Gmail, Salesforce signs the message, but when Gmail forwards it on, the signature breaks.

February 2025 - StackExchange
Marketer view

Email marketer from EmailGeeks notes that Gmail's SMTP relay can sometimes cause issues with DKIM signatures in Salesforce. The suggested resolution is to ensure that the DKIM keys are correctly configured in both Salesforce and Google Workspace and that no encoding issues are present.

February 2025 - EmailGeeks
Marketer view

Email marketer from MXToolbox highlights that incorrect DNS settings are a frequent cause of DKIM failure. The recommendation is to verify that the correct TXT record for DKIM is properly configured in the DNS settings for the domain and that it has fully propagated.

September 2022 - MXToolbox
Marketer view

Email marketer from Litmus recommends performing a full analysis of email headers. This can help identify if the DKIM signature is being altered somewhere between Salesforce and the final recipient. This includes checking the Authentication-Results header for clues about the failure.

June 2023 - Litmus
Marketer view

Email marketer from SuperUser forum suggests checking Gmail's configuration. They suggest that there could be a configuration problem with the way Gmail is set up to handle outgoing emails from Salesforce, especially with regard to how it handles the DKIM signature.

April 2023 - SuperUser
Marketer view

Email marketer from Mailhardener explains that DKIM alignment issues can cause failures. The recommendation is to check whether the 'd=' tag in the DKIM signature matches the domain used in the 'From:' header.

December 2023 - Mailhardener
Marketer view

Email marketer from Reddit explains that character encoding problems can lead to DKIM failures. If Salesforce and Gmail use different character encodings, the email body may be altered during transmission, causing the DKIM signature to be invalid.

December 2024 - Reddit

What the experts say
4 expert opinions

Experts attribute DKIM failures when sending from Salesforce via Gmail to Google modifying the email body after Salesforce signs it, causing the DKIM hash to be invalid. Character encoding differences between Salesforce and Gmail can also lead to alterations in the email body, further contributing to DKIM failures. Testing with plain text emails, disabling Salesforce DKIM signing in favor of Google Workspace, and opening a support ticket with Salesforce are potential solutions.

Key opinions

  • Content Modification by Google: Google (Gmail) modifies the email body after Salesforce signs it, invalidating the DKIM signature.
  • Character Encoding Issues: Different character encodings between Salesforce and Gmail lead to alterations in the email body.

Key considerations

  • Test Plain Emails: Send very plain (ASCII) emails to rule out character encoding problems.
  • Disable Salesforce DKIM: Disable Salesforce DKIM signing and let Google Workspace sign the emails instead.
  • Open Salesforce Ticket: Open a support ticket with Salesforce to investigate potential configuration issues.
  • Ensure Transmission Integrity: Make sure email is transmitted in a way that preserves content, or adjust the DKIM configuration to accommodate Gmail's handling.
  • Consistent Character Encoding: Ensure consistent character encoding (e.g., UTF-8) throughout the sending process.

Expert view

Expert from Email Geeks suggests that the DKIM signature failing is likely due to Google modifying the body after Salesforce signs it. The expert suggests sending a very plain email as a test and opening a ticket with Salesforce.

June 2021 - Email Geeks
Expert view

Expert from Spam Resource explains that when sending from Salesforce via Gmail, a DKIM failure often stems from Gmail modifying the email's content after Salesforce has signed it. This alteration, even if minor, invalidates the DKIM signature because the cryptographic hash no longer matches the email body. Potential solutions are ensuring the message is transmitted in a way that preserves the integrity of the content or adjusting the DKIM configuration to accommodate Gmail's handling.

July 2023 - Spam Resource
Expert view

Expert from Email Geeks recommends disabling Salesforce DKIM signing and letting Google Workspace sign instead. The expert also suggests testing with generic content to rule out encoding problems as a cause of the DKIM failure.

December 2022 - Email Geeks
Expert view

Expert from Word to the Wise shares that character encoding can play a significant role in DKIM failures. If Salesforce is using one encoding and Gmail another, special characters may be misinterpreted, leading to slight alterations in the email body. A best practice to resolve this is to ensure that consistent character encoding (e.g., UTF-8) is used throughout the entire sending process, and also to conduct testing with very simple emails consisting of plain ASCII text to determine if the issue lies specifically with character encoding differences.

July 2023 - Word to the Wise

What the documentation says
5 technical articles

Documentation sources consistently indicate that DKIM failures when sending from Salesforce via Gmail are primarily due to modifications of the email content after the DKIM signature is applied. This alteration, which can occur through Gmail's SMTP relay service or other intermediaries, invalidates the signature as the body hash no longer matches. Additionally, incorrect DNS records and improper DKIM setup are identified as potential contributing factors.

Key findings

  • Content Modification: Gmail's SMTP relay or other services can modify the email body after DKIM signing, leading to verification failure.
  • Body Hash Mismatch: A common error is the body hash not verifying, indicating that the message body has changed since the signature was generated.
  • Incorrect DNS Records: Improperly configured or unpropagated DNS records for DKIM can cause the signature verification to fail.
  • Improper DKIM Setup: Incorrect setup and maintenance of DKIM records causes DKIM to fail to authenticate.

Key considerations

  • Preserve Content Integrity: Ensure the email content remains unchanged during transmission to maintain DKIM validity.
  • Verify DNS Configuration: Check that DNS records for DKIM are correctly configured and fully propagated.
  • Review DKIM Setup: Carefully review the entire DKIM setup, including key generation, signing procedures, and verification processes.
  • Monitor SMTP Relay: Monitor the SMTP relay service (e.g. Gmail SMTP relay) to verify whether it is modifying the email.

Technical article

Documentation from DKIM.org mentions that common DKIM errors are often due to issues with the body hash not verifying. This indicates that the message body has changed since the signature was generated.

July 2023 - DKIM.org
Technical article

Documentation from Salesforce Help explains that a common cause of DKIM failure is modification of the email content after it has been signed. This can occur if Gmail alters the message body during transmission, causing the DKIM hash to no longer match the content.

January 2025 - Salesforce Help
Technical article

Documentation from Google Developers highlights that the Gmail SMTP relay service can sometimes modify email headers and body. The Google SMTP service could be altering the message in such a way that it invalidates the DKIM signature generated by Salesforce.

May 2023 - Google Developers
Technical article

Documentation from Google Workspace Admin Guide emphasizes the importance of proper DKIM setup. A potential reason for DKIM failure is incorrect DNS records for DKIM. Ensuring the DNS records are correctly published and propagated is crucial.

January 2022 - Google
Technical article

Documentation from RFC Editor specifies that DKIM relies on the email content remaining unchanged between signing and verification. Any modifications to the body or headers will cause DKIM verification to fail.

December 2022 - RFC Editor