Cloudflare adds header saying that DKIM check failed, while GMail says DKIM check succeeded

I noticed on multiple incoming emails that Cloudflare adds a header saying that the DKIM check failed:

Authentication-Results: mx.cloudflare.net; spf=pass; dkim=fail (signature did not verify); dmarc=pass;

However, GMail to which those mails are forwarded claims that the DKIM check succeeded. Those are emails from senders that should have DKIM setup properly such as marcus.com and discoursemail.com.

Not an issue for me, but if anyone from Cloudflare is interested and not able to reproduce this issue I can provide an example email.

That sounds like this one:

Wouldn’t this be exactly the opposite case? In my scenario Cloudflare directly receives the mail from the sender (without any forwarding in between) and reports that the DKIM check failed, but at GMail (to which the email is forwarded by Cloudflare) the DKIM check succeeds.

In the thread that you linked it seems that the DMARC fails after the forwarding, indicating that the forwarding might have broken either DKIM or SPF.

The difference I see is dkim fail vs neutral. Certainly very different statuses. What I’m wondering is why did dmarc fail in that other thread. And why are there inconsistent results from Gmail? You’re right, though, they’re backwards. They fail in opposite directions. :man_shrugging: