DKIM Configured in DNS but DKIM won't authenticate


Mike Totman
Oct 20, 2016, 10:53:32 PM
to cloud-dns-discuss
We're trying to set up DKIM authentication on our Google Apps/G Suite for Business domain to reduce the number of our emails which are ending up in people's spam folders. We have generated the DKIM key and set it up in Google Cloud DNS and have confirmed that it's set up using 3 different DKIM tools. All of them say it is valid, and yet when we try to Start Authenticating, it says "Email authentication was not verified. ..." We waited the suggested 48h (despite the DNS records being visible and correct 24h ago) and it still won't authenticate.

Any idea what else could be going wrong?

The domain is safedoorpm.com if you want to check the DNS yourself.


Alex Dupuy
Oct 26, 2016, 11:37:16 AM
to cloud-dns-discuss
Hi Mike,

You wrote:
The domain is safedoorpm.com if you want to check the DNS yourself.

Knowing the domain allows people to check the SPF record:

$ dig +short TXT safedoorpm.com | grep spf
"v=spf1 a:safedoorpm.com include:_spf.google.com include:servers.mcsv.net ~all"

But in order to check your DKIM configuration, we need to know the selector(s) your e-mail server(s) are using. The E-mail check at Internet.nl says that there are DKIM records, but it probably just queried _domainkey.safedoorpm.com and checked for NOERROR rather than NXDOMAIN, as an indication that at least one DKIM record exists, and didn't actually validate the DKIM.

After writing that, I see that the DKIM (mxtoolbox) link in your message helpfully encodes the selector (in this case, "google" for G Suite).

There is a perhaps relevant note at https://support.google.com/a/answer/180504:

To maintain the safety and security of the email service, we use DKIM signing for all emails. We now sign all email traffic not signed with DKIM originating from Google Cloud domains with d=*.gappssmtp.com. This should not cause any email delivery issues. In the rare event that your email is rejected, contact the receiving server administrator. In particular, you should suggest that receivers not reject emails based on a missing or unverifiable DKIM signature. See RFC 4871. To prevent any issues, we encourage you to add your own DKIM signature to your emails.

I'm not sure why G Suite cannot validate this record, but the most likely reason would seem to be that the private key you are providing doesn't correspond to the public key you published in the DNS record.

http://stackoverflow.com/a/29707204/18829 suggests another possibility: the key you have published is an X.509 SubjectPublicKeyInfo/OpenSSL PEM public key (which has two "MIIB" strings starting at offsets 0 and 32). However, another format is PEM DER ASN.1 PKCS#1 RSA Public key (which omits the 32-byte (in Base64 encoding; 24 bytes in binary) header). Looking at my personal FastMail DKIM record, it seems like it doesn't have the extra prefix (it is a 1024-bit rather than 2048-bit key, so I could be wrong). Anyhow, it can't hurt to try stripping that prefix, giving you the following TXT record:

"v=DKIM1; k=rsa; p=MIIBCgKCAQEAmOIu5UVDhUs+HHnzgO0WYRfzmo7tWtx91BG1hXu5LkIk5hcup839sc1O2ASpK/" "nEkYZsbBh5s6Mt6kI+APjjuPCv9NfCCBAsXRNO60CdBDfuYnUnGfQi5izTM8qSjWA10HBwXJa/YUwx1Z7dfzqym6yY1j8mOKup7BIqyiDXqgdZT24B4cdprr21a0hqYr1eo9/H8uNWYEr2k73pT57" "/b+NiI6XUs1CrwaSpcMrj+wdzuBdXmOHvzhCcoIHofMq+IeM4/nzBKSlMH6w+sRS+K7Q2N9kQWe5BVvE1j+pWNkHzofrWCJqhSS/YJP6vSyhXwWJZfq1KVmN6H670pi1NPQIDAQAB"

You could see if that works for you.

@alex

mike....@gmail.com
Nov 28, 2016, 7:28:03 AM
to cloud-dns-discuss
It looks like you were indirectly giving me the correct answer: the 1024-bit key seemed to be the solution.

After finally talking to Google support I ended up trying a 1024-bit DKIM key instead of a 2048-bit key. That worked.

One thing I noticed is that the DNS record for the 1024-bit key was all one string, whereas I had to break up the 2048-bit key into several strings in the same record. My theory is that the Google Admin console doesn't recognize that properly, since the other tools I used (links in the question) validated it OK.
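The two things this thread turns on, the "MIIB" prefix discussed in Alex's reply and the multi-string TXT record Mike describes, can both be checked offline. The script below is an added example (not code from the thread, from Google, or from any DKIM tool mentioned above) that uses only the Python standard library. It takes a TXT record in zone-file form, concatenates its quoted strings the way a DKIM verifier does (RFC 6376 requires the strings to be joined with nothing in between; RFC 1035 limits each string to 255 octets), parses the DKIM tags, base64-decodes p=, and walks the DER just far enough to tell whether the key is a bare PKCS#1 RSAPublicKey (the prefix-stripped form proposed above) or a SubjectPublicKeyInfo (the form with the extra 24-byte header, which is what deployed DKIM verifiers and the G Suite key generator use), reporting the modulus size either way. The sample input is the stripped record from the reply above, used here as constructed test data; `spki_record_from` is a helper I wrote to re-wrap that key in SubjectPublicKeyInfo form and split it into 255-octet strings.

```python
import base64
import re

# Constructed sample input: the three quoted strings of the TXT record proposed in the
# thread, written as they would appear in a zone file. A TXT RR carrying more than 255
# octets must be split into several <character-string>s (RFC 1035); a DKIM verifier
# concatenates them with no separator before parsing the tags (RFC 6376).
SAMPLE_TXT = (
    '"v=DKIM1; k=rsa; p=MIIBCgKCAQEAmOIu5UVDhUs+HHnzgO0WYRfzmo7tWtx91BG1hXu5LkIk5hcup839sc1O2ASpK/" '
    '"nEkYZsbBh5s6Mt6kI+APjjuPCv9NfCCBAsXRNO60CdBDfuYnUnGfQi5izTM8qSjWA10HBwXJa/YUwx1Z7dfzqym6yY1j8mOKup7BIqyiDXqgdZT24B4cdprr21a0hqYr1eo9/H8uNWYEr2k73pT57" '
    '"/b+NiI6XUs1CrwaSpcMrj+wdzuBdXmOHvzhCcoIHofMq+IeM4/nzBKSlMH6w+sRS+K7Q2N9kQWe5BVvE1j+pWNkHzofrWCJqhSS/YJP6vSyhXwWJZfq1KVmN6H670pi1NPQIDAQAB"'
)

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption


def _txt_strings(rdata):
    """Return the quoted <character-string>s of a zone-file TXT RDATA, unescaped quotes kept."""
    return re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)


def oversized_strings(rdata, max_len=255):
    """Strings that a DNS server will refuse (or silently truncate): more than max_len octets."""
    return [s for s in _txt_strings(rdata) if len(s.encode()) > max_len]


def join_txt_strings(rdata):
    """Concatenate the strings exactly as a DKIM verifier does: no separator, no whitespace."""
    if oversized_strings(rdata):
        raise ValueError("a TXT <character-string> exceeds 255 octets; split the record")
    return "".join(_txt_strings(rdata))


def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' into a dict; folding whitespace inside values is dropped."""
    tags = {}
    for item in txt.split(";"):
        if item.strip():
            key, _, value = item.partition("=")
            tags[key.strip()] = "".join(value.split())
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported DKIM record version: %r" % tags.get("v"))
    return tags


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_rsa_key(der):
    """Return ('SubjectPublicKeyInfo' | 'RSAPublicKey', modulus bit length) for a DER RSA key."""
    tag, seq, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key is not a single DER SEQUENCE")
    first_tag, first, after_first = _tlv(seq, 0)
    if first_tag == 0x30:                   # AlgorithmIdentifier => SubjectPublicKeyInfo
        oid_tag, oid, _ = _tlv(first, 0)
        if oid_tag != 0x06 or oid != RSA_OID:
            raise ValueError("SubjectPublicKeyInfo is not rsaEncryption")
        bits_tag, bitstr, _ = _tlv(seq, after_first)
        if bits_tag != 0x03 or bitstr[0] != 0:
            raise ValueError("malformed subjectPublicKey BIT STRING")
        inner_fmt, bits = inspect_rsa_key(bitstr[1:])   # the wrapped RSAPublicKey
        return "SubjectPublicKeyInfo", bits
    if first_tag == 0x02:                   # modulus INTEGER => bare PKCS#1 RSAPublicKey
        exp_tag, _, _ = _tlv(seq, after_first)
        if exp_tag != 0x02:
            raise ValueError("RSAPublicKey is missing publicExponent")
        return "RSAPublicKey", int.from_bytes(first, "big").bit_length()
    raise ValueError("unrecognised key structure")


def check_dkim_record(rdata):
    """Validate a zone-file TXT record as a DKIM key record and describe the key it carries."""
    tags = parse_dkim_record(join_txt_strings(rdata))
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa is handled here")
    if not tags.get("p"):
        raise ValueError("empty p= means the key is revoked")
    fmt, bits = inspect_rsa_key(base64.b64decode(tags["p"], validate=True))
    return {"format": fmt, "modulus_bits": bits}


def _der(tag, body):
    """Encode one DER TLV (definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def wrap_spki(rsa_public_key_der):
    """Wrap a PKCS#1 RSAPublicKey in the SubjectPublicKeyInfo structure (rsaEncryption, NULL params)."""
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_public_key_der))


def spki_record_from(rdata, max_len=255):
    """Helper for this example: republish the record's key as SubjectPublicKeyInfo, split into strings."""
    tags = parse_dkim_record(join_txt_strings(rdata))
    der = base64.b64decode(tags["p"], validate=True)
    if inspect_rsa_key(der)[0] == "RSAPublicKey":
        der = wrap_spki(der)
    txt = "v=DKIM1; k=rsa; p=" + base64.b64encode(der).decode()
    return " ".join('"%s"' % txt[i:i + max_len] for i in range(0, len(txt), max_len))


if __name__ == "__main__":
    print("as proposed in the thread:", check_dkim_record(SAMPLE_TXT))
    spki = spki_record_from(SAMPLE_TXT)
    print("re-wrapped as SPKI, split: ", check_dkim_record(spki))
    print("unsplit SPKI record oversized strings:",
          len(oversized_strings(spki_record_from(SAMPLE_TXT, max_len=1000))))
```

Run as a script it reports the thread's record as a 2048-bit bare RSAPublicKey, the re-wrapped record as a 2048-bit SubjectPublicKeyInfo, and shows that the re-wrapped record cannot be published as a single string: 392 base64 characters plus the tag prefix exceeds 255 octets. A 1024-bit SubjectPublicKeyInfo base64-encodes to 216 characters, so that record does fit in one string, which is consistent with what Mike observed when the 1024-bit key worked. When checking a live record, feed this function the TXT RDATA that `dig` returns for `<selector>._domainkey.<domain>` rather than the value you typed into the console, so that any truncation or re-splitting done by the DNS provider is part of what you test.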

Proneer DJ
Dec 4, 2016, 1:31:15 AM
to cloud-dns-discuss