We're trying to set up DKIM authentication on our Google Apps/G Suite for Business domain to reduce the number of our emails which are ending up in people's spam folders. We have generated the DKIM key and set it up in Google Cloud DNS and have confirmed that it's set up using 3 different DKIM tools:
All of them say it is valid, and yet when we try to Start Authenticating, it says "Email authentication was not verified. …" We waited the suggested 48h (despite the DNS records being visible and correct 24h ago) and it still won't authenticate.
Any idea what else could be going wrong?
The domain is safedoorpm.com if you want to check the DNS yourself.
Edited to add email header 2016/10/21
Here is the header of a mail sent from our domain to gmail. Note that it is still using the default gappssmtp domain for DKIM, not ours:
Delivered-To: XXXX@gmail.com
Received: by 10.79.95.130 with SMTP id t124csp1047440ivb;
Thu, 20 Oct 2016 14:30:12 -0700 (PDT)
X-Received: by 10.37.231.193 with SMTP id e184mr4430151ybh.13.1476999012850;
Thu, 20 Oct 2016 14:30:12 -0700 (PDT)
Return-Path: <XXXX@safedoorpm.com>
Received: from mail-yw0-f176.google.com (mail-yw0-f176.google.com. [209.85.161.176])
by mx.google.com with ESMTPS id v62si10092566ybg.141.2016.10.20.14.30.12
for <XXXX@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 20 Oct 2016 14:30:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of XXXX@safedoorpm.com designates 209.85.161.176 as permitted sender) client-ip=209.85.161.176;
Authentication-Results: mx.google.com;
dkim=pass header.i=@safedoorpm-com.20150623.gappssmtp.com;
spf=pass (google.com: domain of XXXX@safedoorpm.com designates 209.85.161.176 as permitted sender) smtp.mailfrom=XXXX@safedoorpm.com
Received: by mail-yw0-f176.google.com with SMTP id u124so527ywg.3
for <XXXX@gmail.com>; Thu, 20 Oct 2016 14:30:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=safedoorpm-com.20150623.gappssmtp.com; s=20150623;
h=mime-version:from:date:message-id:subject:to;
bh=rxgZTPk8FeVq2/dWzyjPIHnShPXlQzmPnvfbrUzW/Ss=;
b=CJ6/IB1YNKvIsO0sUW8BvWyZZdjTQqBofzgOIbuW3Auo0sWtQB4cgWtzjzltr1SyZO
b+eKJGSrdvRaaaLj7240nZwrVtrmTTlXcx2Qvm2yIp20ilDZWd4pJAAlvSC8wCxDQhYY
1zwn9UcXxuwD2c05El/DSrdJy+mwVlNv4w3D2v+hPSO0CKS7rKYsjFLEJcQrlAjjANnJ
itn3oz6DxasplOSmSX8tIOXSHFNnYaJM5lbUtm9cLOWvffclmeShcTbhu/BWWdg1pFHn
6dXvj6tX7KvbPr9GzH6LnVd71IHe/R65/2VQdqdT0uvJn5KWkc0ziHRlm3HV8JiWXGZf
oyRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=rxgZTPk8FeVq2/dWzyjPIHnShPXlQzmPnvfbrUzW/Ss=;
b=IcWYvLXbpDB2CCV40fWymGcvbICsjuJipBhW5d1d9WFAM4jVDsZd+2K5ENwvVM4L20
DDbYoqPIoNBwFIaqIB3Sx30xVgFb7d4k7SVSfRZJctrY6QQyO/k6KaxL6++AAxHPbcNw
jls+G5kzs+62OGQzq6w2Z9VNp6CSEyKqqORsAAjEdwa89v8VLLwyRdUoDxZvpiLAFZ8K
riyjP7ebj5iyKJsuviX24kQ6QEJZh6RAAhILudAw8+vtNM3Ml+UUHOlAqbPPgseUB4qx
9hSv+9uQA8w2v7sDiNVVCOoJa20bXZTsLmqlJB6yC4Bt2kzIeSpg5GcALx8EfuaGBiCu
qo+w==
X-Gm-Message-State: AA6/9RmpTg+BzD0kFfXdFBfUIsAcwb0VxlByb8FBWzHYz/gJotrTZ42AzZtIqsANt5a7rf/hu9In1wdErNHioA==
X-Received: by 10.202.53.68 with SMTP id c65mr8679383oia.57.1476999012386; Thu, 20 Oct 2016 14:30:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.207.5 with HTTP; Thu, 20 Oct 2016 14:29:31 -0700 (PDT)
From: Mike Totman <XXXX@safedoorpm.com>
Date: Thu, 20 Oct 2016 15:29:31 -0600
Message-ID: <CAGsv74XyfTOqi7eJ4cCD90Dx8VPvFB1NFLujtCvKgDaCOCT0vQ@mail.gmail.com>
Subject: DKIM test 10
To: Mike Totman <XXXX@gmail.com>
Content-Type: multipart/alternative; boundary=001a113d4f2877afad053f52a17e
Edited to add output from DKIMValidator.com 2016/10/21
I also tried sending an email to the DKIMValidator.com tool, and this is the result. Note that it is still using the default gappssmtp domain for DKIM, not ours:
DKIM Information:
DKIM Signature
Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=safedoorpm-com.20150623.gappssmtp.com; s=20150623;
h=mime-version:from:date:message-id:subject:to;
bh=5wQSTkgMlB+S2PAmekAxIh7O+zBt2H5aC2Ft8cNRJWQ=;
b=ItJ0UFj97i19qHEFF9ACB5sQY50iZv9ZJ2J9l4JIgSKkSbd/QOi0OGsRWtMe9p5yU4
vp6z1mgah8DBa+fgCEtTqrOyd+LjaXm0f6FJXyJiV+E7FcdpJ1bSEHyzRlulR0TLqJ/E
LK0JDXSFNCSUTrWVsrGxIKo7HscI+jY5CR/nTf9cRvTj9Z22lFeukAvVpuhSz88XQeBX
2TXk2I+p21+L0xAbv0x4OCDgWM5W4WRJUqGi0+gu/IhQBomi/e7wEYZ2f+lvNKRpRggU
QD2dv15fCibJ3jufVBglpCx9En94UlPuiZqaCi0qqriLnhV/76iBMajI+WyelCG2SimU
Ht6g==
Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/relaxed
d= Domain: safedoorpm-com.20150623.gappssmtp.com
s= Selector: 20150623
q= Protocol:
bh= 5wQSTkgMlB+S2PAmekAxIh7O+zBt2H5aC2Ft8cNRJWQ=
h= Signed Headers: mime-version:from:date:message-id:subject:to
b= Data: ItJ0UFj97i19qHEFF9ACB5sQY50iZv9ZJ2J9l4JIgSKkSbd/QOi0OGsRWtMe9p5yU4
vp6z1mgah8DBa+fgCEtTqrOyd+LjaXm0f6FJXyJiV+E7FcdpJ1bSEHyzRlulR0TLqJ/E
LK0JDXSFNCSUTrWVsrGxIKo7HscI+jY5CR/nTf9cRvTj9Z22lFeukAvVpuhSz88XQeBX
2TXk2I+p21+L0xAbv0x4OCDgWM5W4WRJUqGi0+gu/IhQBomi/e7wEYZ2f+lvNKRpRggU
QD2dv15fCibJ3jufVBglpCx9En94UlPuiZqaCi0qqriLnhV/76iBMajI+WyelCG2SimU
Ht6g==
Public Key DNS Lookup
Building DNS Query for 20150623._domainkey.safedoorpm-com.20150623.gappssmtp.com
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2UMfREvlgajdSp3jv1tJ9nLpi/mRYnGyKC3inEQ9a7zqUjLq/yXukgpXs9AEHlvBvioxlgAVCPQQsuc1xp9+KXQGgJ8jTsn5OtKm8u+YBCt6OfvpeCpvt0l9JXMMHBNYV4c0XiPE5RHX2ltI0Av20CfEy+vMecpFtVDg4rMngjLws/ro6qT63S20A4zyVs/V19WW5F2Lulgv+l+EJzz9XummIJHOlU5n5ChcWU3Rw5RVGTtNjTZnFUaNXly3fW0ahKcG5Qc3e0Rhztp57JJQTl3OmHiMR5cHsCnrl1VnBi3kaOoQBYsSuBm+KRhMIw/X9wkLY67VLdkrwlX3xxsp6wIDAQAB
Validating Signature
result = pass
Details:
Best Answer
After finally talking to Google support I ended up trying a 1024 bit DKIM key instead of a 2048 bit key. That worked.
One thing I noticed is that the DNS record for the 1024 bit key was all one string, whereas I had to break up the 2048 bit key into several strings in the same record. My theory is that Google Admin console doesn't recognize that properly, since the other tools I used (links in the question) validated it OK.