Troubleshoot DKIM issues

Protect against spoofing & phishing, and help prevent messages from being marked as spam

Follow the troubleshooting steps in this article if messages sent from your domain are:

  • Not passing DKIM authentication
  • Rejected by receiving servers
  • Sent to recipients’ spam folders

Many DKIM issues can be identified and resolved by following the steps in this article.

Verify DKIM is set up correctly

Verify DKIM is set up correctly by following the steps in Turn on DKIM for your domain.

Verify messages pass DKIM authentication

Email message headers contain the results of the DKIM authentication check. Check whether messages sent from your domain pass DKIM authentication.

Recommended steps:

  • If messages don't pass DKIM authentication, try sending to another recipient, for example a personal Gmail address. This can help you rule out issues with the receiving server.
  • Check the headers in a message sent from your domain to verify it passed DKIM.
  • In Gmail, click Show original for a message, then check the DKIM status in the original message. Learn more about checking message headers in Gmail.
  • Enter message headers into Google Admin Toolbox Messageheader tool and check the DKIM status.

Verify your DKIM key is correct at your domain provider

Most TXT records can have up to 255 characters. With a 255-character TXT record limit, you can’t enter a 2048-bit DKIM key as a single text string. Your DKIM key might be truncated, or your DKIM records might be sent out of order.

Recommended steps:

  • If you’re not able to enter your entire DKIM value as a single text string, follow the steps in DKIM keys and TXT record limits.
  • Compare the DKIM record value at your provider with the value in your Admin console, and verify your DKIM key is correct:
    1. Get the TXT record value from your Admin console, for example google._domainkey.
    2. Go to the Google Admin Toolbox Dig tool.
    3. Click TXT.
    4. Enter the TXT record value from Step 1, then add a period (.) and your domain name to this value.
      For example, if your domain is and the TXT record value is google._domainkey, enter:
    5. Compare the results to the value in your Admin Console. If all key characters are included and in the correct order, the DKIM key can be in 2 parts.
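The comparison in step 5 can be scripted. The following is an added example, not part of the original article or any Google tool: it joins the quoted strings of a TXT answer in the order they were returned and classifies the result against the expected value. The function names and the sample key are constructed for illustration, and the input is assumed to be in the quoted-string form that dig-style tools print.

```python
import re
from itertools import permutations

# Constructed sample, not a real key: 392 characters, the length of a
# base64-encoded 2048-bit RSA public key.
KEY = "".join(f"{i:04d}" for i in range(98))
EXPECTED = "v=DKIM1; k=rsa; p=" + KEY  # value as shown in the Admin console

def txt_chunks(rdata):
    """Return the quoted strings of one TXT answer, in the order returned."""
    # Some dig versions print ';' as '\;' inside TXT strings.
    return [c.replace("\\;", ";") for c in re.findall(r'"([^"]*)"', rdata)]

def dkim_tags(record):
    """Parse 'tag=value; ...' into a dict, dropping whitespace inside values."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def compare_dkim(rdata, expected_record):
    """Classify the published record against the expected record."""
    chunks = txt_chunks(rdata)
    want = dkim_tags(expected_record)
    got = dkim_tags("".join(chunks))
    if got == want:
        return "match"
    # All characters present, but the strings were published in the wrong order.
    if any(dkim_tags("".join(p)) == want for p in permutations(chunks)):
        return "out-of-order"
    # Published key is a proper prefix of the expected key.
    if got.get("p") and want.get("p", "").startswith(got["p"]):
        return "truncated"
    return "mismatch"

def as_rdata(chunks):
    """Format strings the way dig prints a multi-string TXT record."""
    return " ".join(f'"{c}"' for c in chunks)

if __name__ == "__main__":
    first, second = EXPECTED[:255], EXPECTED[255:]
    cases = [("two parts", [first, second]), ("swapped", [second, first]),
             ("first part only", [first])]
    for label, chunks in cases:
        print(label, "->", compare_dkim(as_rdata(chunks), EXPECTED))
```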

Check message forwarding

Even when DKIM is correctly set up for your domain, forwarded messages can fail DKIM. This can be a result of how a mail server forwards messages.

Recommended steps for email senders:

  • Make sure the message wasn’t changed during transit. Find the Authentication-results: header. If the text next to the dkim entry is body hash did not verify, the message was modified during transit.
  • If you use an outbound gateway, make sure it doesn't modify outgoing messages before they're sent. For example, some outbound gateways add a footer to the bottom of every outgoing message. This can cause DKIM to fail because message contents are changed after the message was sent.

Recommended steps for email recipients:

  • Use Email Log Search to verify the message was forwarded. If the person who reported the message as spam isn’t the original recipient, it’s likely the message was forwarded.
  • Contact the service that forwarded the message to find out if they can change the way they forward messages.

Contact admins for servers rejecting DKIM-signed messages

If DKIM is set up correctly, receiving servers may still reject messages sent from your domain, or send messages to recipients’ spam folder.

Recommended steps:

  • Contact the administrator for the rejecting email server.
  • Set up DMARC so you get reports about DKIM authentication results. Go to Help prevent spoofing and spam with DMARC.
  • If you're setting up DKIM with an email system other than Google Workspace, do not use the DKIM length tag (l=) in outgoing messages. Messages using this tag are vulnerable to abuse. Learn more in Section 8.2 of RFC 6376.

Verify your domain provider's TXT record character limits

If you get an error when you enter your DKIM value, your domain provider might limit the number of characters allowed in the DNS TXT record.

Recommended step:

Review your email sending practices

If DKIM is set up correctly but messages are sent to spam, the cause might be something other than DKIM. 

Recommended step:
