Why is the email failing Gmail’s DKIM test?

dkim dmarc gmail spf

I have a message that was rejected by Gmail, and I don't know why. It passes SPF. We aren't using DKIM. Do I need to set up DKIM?

I am in control of "example.com". Our mail server is "server.example.com" (hosted at Bluehost).

Our SPF record is

v=spf1 +a +mx ?include:bluehost.com -all 

However Gmail rejected a message with:

550-5.7.1 Unauthenticated email from example.com is not accepted due to
550-5.7.1 domain's DMARC policy. Please contact administrator of example.com

The message headers:

Return-path: <sabrina@example.com>
Received: from [99.127.228.246] (port=61813 helo=[192.168.1.66])
    by server.example.com with esmtpsa (TLSv1:AES128-SHA:128)
    (Exim 4.80.1)
    (envelope-from <sabrina@example.com>)
    id 1VMLM8-0007ok-5c; Wed, 18 Sep 2013 17:16:03 +0000
From: Sabrina <sabrina@example.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2FE0763D-B160-49C4-8202-B8258851AFAD"
Subject: positive self thoughts/talk 
Date: Wed, 18 Sep 2013 10:15:24 -0700
Message-Id: <D85DC2BA-0E8A-4AF6-9C54-203C52E996F2@example.com>
To: Tanja Schulte-Irwin <tanjaschulte@gmail.com>,
Zachary Bloom <zbloom@sffriendsschool.org>
Mime-Version: 1.0 (Apple Message framework v1278)
X-Mailer: Apple Mail (2.1278)

Best Answer

Your SPF record isn't affecting this.

By the looks of it, you have a DMARC record set up, and you are not signing outgoing mail with DKIM. To remedy the problem, either sign the outgoing mail, or remove the DMARC policy.

The DMARC record is a TXT record like the SPF record, but it is at _dmarc.example.net where example.net is your domain. If you don't think you have one or you don't want to remove it, change it to v=DMARC1; p=none to null it out.

Alternatively, since you are using SPF, I see you may not want to do this. In this case, leave your _dmarc record as it is, but you will have to get rid of or change your _domainkeys record.

DKIM specifies that for a domain example.net, the DKIM record will be queried IN TXT _domainkeys.example.net. You must find this record and either remove it, or add the t=y flag to specify that (as you are ostensibly testing DKIM) the results of DKIM verification should be ignored. Also, ensure your _dmarc record does not contain the adkim tag, and particularly not adkim=s.
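
How a DMARC verifier combines the SPF and DKIM results with the record's p, adkim and aspf tags, as an added example that is not part of the original question or answer. The record strings and domains are constructed, and the organizational domain is approximated as the last two labels (real verifiers use the Public Suffix List).

```python
# Added example: simplified DMARC check (RFC 7489 identifier alignment).
# Assumption: organizational domain = last two labels; real verifiers
# use the Public Suffix List. All records and domains below are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; None if it is not a policy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain):
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = exact match, 'r' (default) = same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(record, from_domain, spf, dkim_sigs):
    """spf: (result, envelope-from domain); dkim_sigs: [(result, d= domain)].
    Returns (dmarc_result, policy_applied)."""
    tags = parse_dmarc(record)
    if tags is None:
        return ("no-policy", "none")
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags["p"].lower())

if __name__ == "__main__":
    strict = "v=DMARC1; p=reject; adkim=s"
    cases = [
        ("SPF pass, aligned, no DKIM", strict, ("pass", "example.com"), []),
        ("SPF pass on another domain", strict, ("pass", "mailhost.example.net"), []),
        ("DKIM d= subdomain, adkim=s", strict, ("pass", "mailhost.example.net"),
         [("pass", "mail.example.com")]),
        ("same message, p=none", "v=DMARC1; p=none", ("pass", "mailhost.example.net"), []),
    ]
    for label, record, spf, sigs in cases:
        print(label, "->", evaluate(record, "example.com", spf, sigs))
```

To check a live domain, feed `evaluate` the TXT value published at `_dmarc.<domain>` and the SPF and DKIM results from the receiver's Authentication-Results header.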