Set Up G Suite DKIM to prevent DMARC Failure in Gmail when using send-as email addresses with Secondary Domains/Domain Aliases
This note covers how DKIM affects DMARC pass/fail when G Suite secondary domains/domain aliases are used as Gmail send-as email addresses.
Assuming SPF and DMARC are present and correctly configured, DMARC tests will fail for mail sent from Gmail when:
- DKIM is not enabled in G Suite: Apps -> G Suite -> Settings for Gmail -> Authenticate Email (DKIM) for the secondary domains/domain aliases
- Google automatically signs outgoing email messages if DKIM is not set up, and that is the issue! The DKIM value in the email header (d="domain name") is then not aligned with (i.e. not the same as) the email Header "From" value.
Don’t rely on online DMARC validators! Check sent email headers:
Open the email headers of sent emails. Look for:
- The Envelope From (i.e., Return Path or Mail-From)
- The "Friendly" From (i.e., "Header" From)
- The d=domain in the DKIM-Signature
Regarding DMARC and DKIM alignment: check that d="domain name" in the email header is identical to the Header From "domain name". DMARC also checks SPF alignment, but I'm focussed on the DKIM d="domain name" and G Suite secondary domains/domain aliases for now.
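The header check described above can be scripted. The following is an added example, not part of the original post: it pulls the Envelope From, Header From and every DKIM d= value out of a raw message and reports whether DKIM is aligned. The domains, sample messages and function names are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: Header From uses the secondary domain, but the signature's
# d= is a different placeholder domain, as when DKIM is not enabled for it.
MISALIGNED = (
    "Return-Path: <alias@secondary.example>\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    " d=default-signer.example; s=sel1; h=from:to:subject;\r\n"
    " bh=AAAA=; b=BBBB==\r\n"
    "From: Alias Sender <alias@secondary.example>\r\n"
    "To: someone@recipient.example\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)
# Same constructed message after DKIM is enabled for the secondary domain.
ALIGNED = MISALIGNED.replace("d=default-signer.example", "d=secondary.example")

def _domain(addr):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def dkim_domains(msg):
    """Return the d= value of every DKIM-Signature header in the message."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        unfolded = re.sub(r"\s+", "", str(sig))  # drop folding whitespace
        tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
        if "d" in tags:
            found.append(tags["d"].lower())
    return found

def check_alignment(raw):
    """Compare Header From with DKIM d=. Does not verify the signature itself."""
    msg = email.message_from_string(raw, policy=policy.default)
    header_from = _domain(msg["From"])
    signers = dkim_domains(msg)
    return {
        "envelope_from": _domain(msg["Return-Path"] or ""),
        "header_from": header_from,
        "dkim_d": signers,
        # Identical-domain test, as the text describes; relaxed mode not modelled.
        "dkim_aligned": bool(header_from) and header_from in signers,
    }

if __name__ == "__main__":
    for name, raw in (("misaligned", MISALIGNED), ("aligned", ALIGNED)):
        print(name, check_alignment(raw))
```

To check a real message, pass the raw source of a sent email (Gmail's "Show original" view) to `check_alignment`.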
How to enable DKIM for all secondary domains/domain aliases in G Suite
In the Google Admin Dashboard, head to Apps -> G Suite -> Settings for Gmail -> Authenticate Email (DKIM) and:
- Generate 2048-bit DKIM record values for every domain you've set up in your Gmail account to send-as from
- Create the DKIM DNS record with that domainkey and TXT record value in the DNS zone of the relevant secondary domain/domain alias
- Click "Start Authentication" after the new DKIM DNS record has had a chance to be refreshed and propagated
- If you see the green text "Authenticating email" with a green tick, DKIM is enabled.