DMARC, DKIM, Gmail, and Domain Aliases in send-as email address

Set up G Suite DKIM to prevent DMARC Failure in Gmail when using send-as email addresses with Secondary Domains/Domain Aliases

This post covers DKIM’s impact on DMARC pass/fail when G Suite secondary domains/domain aliases are used in Gmail send-as email address aliases.

Assuming the SPF and DMARC configuration is present and correct, DMARC tests will still fail for mail sent from Gmail when:

  1. DKIM is not enabled for the secondary domains/domain aliases in G Suite: Apps -> G Suite -> Settings for Gmail -> Authenticate Email (DKIM)
  2. Google automatically signs outgoing email messages if DKIM is not set up, and that is the issue! The DKIM value in the email header (d=“domain name”) is then not aligned with (i.e. not the same as) the email Header “From” value.

Don’t rely on online DMARC validators! Check sent email headers:

Open the email headers of sent emails. Look for:

  • The Envelope From (i.e., Return Path or Mail-From)
  • The “Friendly” From (i.e., “Header” From)
  • The d=domain in the DKIM-Signature

Regarding DMARC and DKIM alignment: check that the d=“domain name” in the email header is identical to the Header From “domain name”. DMARC also checks SPF alignment, but I’m focussed on the DKIM d=“domain name” and G Suite secondary domains/domain aliases for now.
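
A minimal header check for the comparison described above, added here as an example (not from the original post or from Google): it extracts the Header From domain, the Return-Path domain and every DKIM-Signature d= value from a raw message and tests them for an exact match. The sample message, its placeholder domains and the function names are constructed for illustration, and the script does not verify the signature itself.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every domain and tag value is a placeholder.
TEMPLATE = (
    "Return-Path: <user@alias.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
    "        d={d}; s=selector1; h=from:to:subject;\n"
    "        bh=PLACEHOLDER=; b=PLACEHOLDER==\n"
    "From: Alias User <user@alias.example>\n"
    "To: someone@recipient.example\n"
    "Subject: alignment test\n"
    "\n"
    "body\n"
)
DEFAULT_SIGNED = TEMPLATE.format(d="provider-default.example")  # DKIM not set up for the alias
ALIAS_SIGNED = TEMPLATE.format(d="alias.example")  # DKIM enabled for the alias

def domain_of(address):
    """Lower-cased domain part of an address header value."""
    return parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")

def dkim_domains(msg):
    """d= tag of every DKIM-Signature header (a message may carry several)."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        parts = (p.partition("=") for p in str(sig).split(";"))
        tags = {k.strip().lower(): v.strip() for k, _, v in parts}
        if tags.get("d"):
            found.append(tags["d"].lower().rstrip("."))
    return found

def alignment_report(raw_message):
    """Exact-match comparison only; does not verify the signature or SPF result."""
    msg = message_from_string(raw_message)
    header_from = domain_of(msg.get("From", ""))
    envelope_from = domain_of(msg.get("Return-Path", ""))
    d_values = dkim_domains(msg)
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "dkim_d": d_values,
        "dkim_aligned": bool(header_from) and header_from in d_values,
        "spf_domain_aligned": bool(header_from) and envelope_from == header_from,
    }

if __name__ == "__main__":
    for name, raw in (("default-signed", DEFAULT_SIGNED), ("alias-signed", ALIAS_SIGNED)):
        print(name, alignment_report(raw))
```

To check a real message, pass the text from Gmail's "Show original" view to `alignment_report`.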

How to enable DKIM for all secondary domains/domain aliases in G Suite

In Google Admin Dashboard – make sure you head to Apps -> G Suite -> Settings for Gmail -> Authenticate Email (DKIM) and –

  1. Generate 2048-bit DKIM record values for every domain you’ve set up in your Gmail account to send-as from
  2. Create the DKIM DNS record with that domainkey and TXT record value in the DNS zone of the relevant secondary domain/domain alias
  3. Click “Start Authentication” after the new DKIM DNS record has had a chance to be refreshed and propagated
  4. If you see green text “Authenticating email” with a green tick, DKIM is enabled.