Troubleshoot DKIM issues

Follow the steps in this article if you set up DomainKeys Identified Mail (DKIM), but messages sent from your domain are still:

  • Not passing DKIM authentication
  • Rejected by receiving servers
  • Sent to recipients' spam folders

Most common solutions

Make sure you have a DKIM record

See if you have a DKIM record:

  • If you are not using Google Workspace, use a tool available from the internet.
  • If you are using Google Workspace, follow the steps in this section.
  1. In the Google Admin console, go to Menu > Apps > Google Workspace > Gmail.

    Requires having the Gmail Settings administrator privilege.

  2. Click Authenticate email.
  3. In the Selected domain menu, select the domain where you want to set up DKIM.
  4. If the DNS hostname and TXT record values are blank, you do not have a DKIM record.

To create a new DKIM record, go to Generate a DKIM key pair. Then, go to Add the DKIM record to your domain (on this page).

Add the DKIM record to your domain

After you create a DKIM record, you must add the record (which contains the DKIM key) to your domain.

  1. Sign in to your domain host.
  2. Go to the page where you update DNS TXT records for your domain.
  3. Add or update the TXT record with your DKIM hostname and recommended value.

Go to Add the DKIM key to your domain.

Fix authentication errors

If you get a "Not authenticating" error after you create a DKIM record and add it to your domain, you need to complete your setup.

Recommended step: Go to the Authenticate email page and click Start authentication. See Turn on & verify DKIM.

Verify your DKIM record values

Make sure your DKIM record contains the correct hostname/TXT record name and TXT record value/DKIM key. See Add the DKIM key to your domain.

What does success look like?

Once you create a DKIM record, add the DKIM record to your domain, fix any authentication errors, and verify that your DKIM record has the correct values, your DKIM status should appear as "Authenticating email with DKIM." Your setup is complete.

Advanced troubleshooting

Check that messages pass DKIM authentication

You can see if an email passed DKIM authentication in Gmail.

Recommended steps:

  1. From a browser, open Gmail.
  2. Open the email you want to check the headers for.
  3. Next to Reply, click More > Show original.
    • In a new window, the full header shows.
  4. Click Copy to clipboard.

Additional steps:

Verify the DKIM key at your domain provider

Most DKIM TXT records can have up to 255 characters. You cannot enter a 2048-bit key as a single text string with a 255-character TXT record limit. Your DKIM key might be truncated, or your DKIM records might be sent out of order.

Recommended steps:

  • If you're not able to enter your entire DKIM TXT record value as a single text string, follow the steps in Verify TXT record character limits.
  • Compare the DKIM TXT record value at your provider with the value in your Admin console, and verify your DKIM key is correct:
    1. Get the DKIM TXT record value from the Admin console, for example google._domainkey.
    2. Go to the Google Admin Toolbox Dig tool.
    3. Click TXT.
    4. Enter the DKIM TXT record value from Step 1, then add a period (.) and your domain name to this value.
    5. Compare the results to the value in your Admin console. If all key characters are included and in the correct order, the DKIM key can be in 2 parts.

Check message forwarding

Even when DKIM is correctly set up for your domain, forwarded messages can fail DKIM. This can be a result of how a mail server forwards messages.

Recommended steps for email senders:

  • Make sure the message wasn't changed during transit. Find the Authentication-Results: header. If the text next to the dkim entry is "body hash did not verify", the message was modified during transit.
  • If you use an outbound gateway, make sure it doesn't modify outgoing messages before they're sent. For example, some outbound gateways add a footer to the bottom of every outgoing message. This can cause DKIM to fail because message contents are changed after the message was sent.

Recommended steps for email recipients:

  • Use Email Log Search to verify the message was forwarded. If the person who reported the message as spam isn't the original recipient, it's likely the message was forwarded.
  • Contact the service that forwarded the message to find out if they can change the way they forward messages.

See also Best practices for forwarding email to Gmail.

Verify TXT record character limits

If you get an error when you enter a DKIM value, your domain provider might limit the number of characters allowed in the DNS TXT record.

Recommended steps:

If you're using a 2048-bit DKIM key, you can't enter it as a single text string in a DNS record with a 255-character limit. Instead, take these steps:

  1. Split the key characters into multiple text strings.
  2. Put each string inside quotes.
  3. Enter the strings one after another in the TXT record Value field at your domain provider.

In this example, a long DKIM key is split into two text strings, and each string is inside quotes:

"k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAraC3pqvqTkAfXhUn7Kn3JUNMwDkZ65ftwXH58anno/bElnTDAd/idk8kWpslrQIMsvVKAe+mvmBEnpXzJL+0LgTNVTQctUujyilWvcONRd/z37I34y6WUIbFn4ytkzkdoVmeTt32f5LxegfYP4P/"

"w7QGN1mOcnE2Qd5SKIZv3Ia1p9d6uCaVGI8brE/7zM5c/zMthVPE2WZKA28+QomQDH7ludLGhXGxpc7kZZCoB5lQiP0o07Ful33fcED73BS9Bt1SNhnrs5v7oq1pIab0LEtHsFHAZmGJDjybPA7OWWaV3L814r/JfU2NK1eNu9xYJwA8YW7WosL45CSkyp4QeQIDAQAB"

You can also try:

  • Using a 1024-bit key by selecting that option when you Generate a DKIM key pair.
  • Contacting your domain host to find out whether TXT records with more than 255 characters can be supported. If they are, you can update your DNS record with a 2048-bit DKIM key by following the steps in Generate a DKIM key pair.

We recommend adding no more than 49 TXT records at your domain provider because this is the maximum number supported by most domain providers.
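The splitting steps above and the comparison described in Verify the DKIM key at your domain provider can be checked with a short script. This is an added Python example, not part of the original article: the key is a constructed placeholder of the same length as a 2048-bit key, and the function names are hypothetical.

```python
import base64
import re
from itertools import permutations

# Constructed stand-in, not a real key: 294 bytes encode to 392 base64
# characters, the length of a 2048-bit RSA public key in a p= tag.
SAMPLE_P = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + SAMPLE_P


def split_txt(value, limit=255):
    """Split a record value into text strings of at most `limit` characters."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def quoted(strings):
    """Render the strings as typed into a TXT Value field: "..." "..."."""
    return " ".join('"%s"' % s for s in strings)


def txt_strings(rdata):
    """Extract the quoted strings from a TXT answer as a dig tool shows it."""
    return re.findall(r'"([^"]*)"', rdata)


def dkim_key(strings):
    """Join TXT strings with no separator and return the p= tag value."""
    record = "".join(strings)
    tags = dict((k.strip(), v) for k, v in
                (t.split("=", 1) for t in record.split(";") if "=" in t))
    return "".join(tags.get("p", "").split())


def diagnose(expected_record, published):
    """Compare published TXT strings with the expected record value."""
    want = dkim_key([expected_record])
    if dkim_key(published) == want:
        return "match"
    # All characters present but strings in the wrong order (small sets only).
    if len(published) <= 6 and any(
            dkim_key(p) == want for p in permutations(published)):
        return "out of order"
    got = dkim_key(published)
    if got and want.startswith(got):
        return "truncated"
    return "mismatch"
```

Pass the value from the Admin console as `expected_record` and `txt_strings(...)` of the dig answer as `published`; anything other than "match" means the record at the provider needs to be re-entered.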

Check the number of DKIM signatures

Messages can be signed with more than one DKIM signature. However, Gmail checks only the first 5 signatures listed in the Authentication-Results: message header. Gmail checks the signatures in the order they appear in the header. If the authenticating signature isn't one of the first 5 signatures listed in the header, the message fails DKIM authentication. This might also cause the message to fail DMARC.

To verify the signatures that Gmail checks for any message, check the Authentication-Results: header in the message. For detailed steps to check Gmail message headers, visit Trace an email with its full header.
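Reading the Authentication-Results: header, as described here and in Check message forwarding, can be scripted against a message saved from Show original. This is an added Python example, not part of the original article: the sample message, its domains and selectors are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample: header values, domains and selectors are placeholders.
SAMPLE = (
    "Authentication-Results: mx.example.net;\n"
    "       dkim=neutral (body hash did not verify) header.i=@example.com"
    " header.s=google;\n"
    "       dkim=pass header.i=@lists.example.org header.s=sel1;\n"
    "       spf=pass smtp.mailfrom=bounce@lists.example.org\n"
    "From: sender@example.com\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

DKIM_CLAUSE = re.compile(r"\s*dkim=(\w+)\s*(?:\(([^)]*)\))?(.*)", re.S)


def dkim_results(raw_message):
    """Return the dkim= entries of Authentication-Results, in header order."""
    results = []
    msg = message_from_string(raw_message)
    for header in msg.get_all("Authentication-Results", []):
        # Simplification: assumes no ';' inside parenthesised comments.
        for clause in " ".join(header.split()).split(";"):
            m = DKIM_CLAUSE.match(clause)
            if m:
                props = dict(re.findall(r"header\.(\w+)=(\S+)", m.group(3)))
                results.append({
                    "result": m.group(1),
                    "reason": m.group(2) or "",
                    "domain": props.get("i", "").rpartition("@")[2],
                    "selector": props.get("s", "")})
    return results


def summarize(raw_message, sender_domain, checked=5):
    """Flag body changes and whether sender_domain passes within `checked`."""
    results = dkim_results(raw_message)
    return {
        "modified_in_transit": any(
            "body hash did not verify" in r["reason"] for r in results),
        "sender_pass_in_checked": any(
            r["result"] == "pass" and r["domain"] == sender_domain
            for r in results[:checked]),
        "signatures_listed": len(results),
    }
```

In the constructed sample the sender's own signature fails on the body hash while a forwarding list's signature passes, which is the forwarding pattern described in Check message forwarding.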

Review your email sending practices

If DKIM is set up correctly but messages are sent to spam, the cause might be something other than DKIM.

Recommended step:

Contact admins for servers rejecting DKIM-signed messages

If DKIM is set up correctly, receiving servers may still reject messages sent from your domain, or send messages to recipients' spam folder.

Recommended steps:

  • Contact the administrator for the rejecting email server.
  • Set up DMARC so you get reports about DKIM authentication results. Go to Set up DMARC.
  • If you're setting up DKIM with an email system other than Google Workspace, do not use the DKIM length tag (l=) in outgoing messages. Messages using this tag are vulnerable to abuse. Learn more in Section 8.2 of RFC 6376.

