DNS not updating after multiple attempts w/ DKIM auth failure

Hi there, so we have attempted 4x to update the DNS record so that Google can authenticate DKIM. Currently emails from team members using our domain are going to people’s spam boxes which is causing issues and this needs to be addressed before 2024.

I have tried working with Google Support to no avail. I’ve had help from colleagues with experience updating their DNS with Cloudflare and made sure that all of the necessary changes are there.

NOTHING WORKS.

We still get the message “Email authentication was not verified. Please allow 48 hours for DNS to update and make sure you entered the correct TXT record into your domain provider’s DNS settings page” even after waiting days.

At this point, it appears that the DNS is NOT updating. So what do I need to do to get this remedied? Otherwise I’ll need to move the DNS record back to GoDaddy, which I’d rather not do.

What’s the full hostname of that TXT record?


Google said to use google._domainkey

That’s fine, as long as it has the domain name attached to it. If you let us know the domain name, we can assist more if you’d like.

Sure, the domain name is jenniferfugo dot com (I can’t put it in here otherwise due to the posting rules.)

There is a DKIM record published on google._domainkey.jenniferfugo.com:

google._domainkey.jenniferfugo.com. 300 IN TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi5B6Pp/u2QsU3goa8QB7ZW+npy8O1HcM2iBKlHxUpGFwetrRcJHBe1jrMxd5nuJpUPIjZSeJr9efDxOGJuwZXr+6Hc6jE31uRvg1CRsw53R3bCnj3pcH6EWZRJm+27gXxedrV6foTiKmV/tLVnkgDT167qlFi11ozJnJEISXXarO6+bBHs4QkeJalhvnsaM6A" "NfzqIAqIy9tYxg5YopBiCbb0G39sd3utSre7pF4Semp+scWEglee+dimwRPg/hHTCN1vSzHtRwh2tF77o1y/ih9xXVoRlrRL7CDbKc1c1FDrkq44O2eKb7oFC61hGooieiNOdHlIzdFNoxbihtttwIDAQAB"

Or, as one complete:


v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi5B6Pp/u2QsU3goa8QB7ZW+npy8O1HcM2iBKlHxUpGFwetrRcJHBe1jrMxd5nuJpUPIjZSeJr9efDxOGJuwZXr+6Hc6jE31uRvg1CRsw53R3bCnj3pcH6EWZRJm+27gXxedrV6foTiKmV/tLVnkgDT167qlFi11ozJnJEISXXarO6+bBHs4QkeJalhvnsaM6ANfzqIAqIy9tYxg5YopBiCbb0G39sd3utSre7pF4Semp+scWEglee+dimwRPg/hHTCN1vSzHtRwh2tF77o1y/ih9xXVoRlrRL7CDbKc1c1FDrkq44O2eKb7oFC61hGooieiNOdHlIzdFNoxbihtttwIDAQAB

As there is no DNSSEC enabled from the domain registry on your domain, a broken DNSSEC configuration cannot be the issue in your situation.

So can you please verify that the DKIM contents are exactly the ones that Google’s panel provides you with?


No… I just did a side by side comparison and what’s in google is slightly different which is weird because I copied it exactly yesterday after generating a new record. Like I said, we’ve done this multiple times.

So I’ve just now updated the DNS record with the new code copied from Google and verified it is identical and saved it. How long does it take to update so that hopefully this will get fixed?

New one that went live is:

google._domainkey.jenniferfugo.com. 300 IN TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0BlnReqoZUMXF8l2PRmiHd9FjDRUuSV1NoHeMlKZl/P8qX63LU7gIIhJtEQ92W4jlTt7EkyTr3KdG13mDK286EPab/8w2+fZKAykmwOyHBfjAgq7EfJMbRlZGauy8r0aWHHrltCtB55AI02JalkQzzsl7Tl79Q/s9qj53SOaSvSvmmFR2AQMk4K7DcUgcoR3B" "FGDAibfoK/0ZukjDEJ1GWr8aDoyua5zhRJgIe5qriO8k1tmEAF6TLpGxSUBffu7KsEvZlh/Clry08jT7gy5zOnScaMgMZcJU0RbAnVLTpuKgxcsfvhVQ4vqN6vn3ahrmnzQ9zURUzdcl1saY+dMdQIDAQAB"

Or, as one complete:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0BlnReqoZUMXF8l2PRmiHd9FjDRUuSV1NoHeMlKZl/P8qX63LU7gIIhJtEQ92W4jlTt7EkyTr3KdG13mDK286EPab/8w2+fZKAykmwOyHBfjAgq7EfJMbRlZGauy8r0aWHHrltCtB55AI02JalkQzzsl7Tl79Q/s9qj53SOaSvSvmmFR2AQMk4K7DcUgcoR3BFGDAibfoK/0ZukjDEJ1GWr8aDoyua5zhRJgIe5qriO8k1tmEAF6TLpGxSUBffu7KsEvZlh/Clry08jT7gy5zOnScaMgMZcJU0RbAnVLTpuKgxcsfvhVQ4vqN6vn3ahrmnzQ9zURUzdcl1saY+dMdQIDAQAB

Cloudflare (and well: many other DNS providers as well) are often quite instantaneous with publishing such changes to the DNS.

I would suspect that Google would be using their own global DNS resolver infrastructure, when they are e.g. scanning the DNS record(s) during that “Email authentication was not verified. Please allow 48 hours for DNS to update [...]” check you mention.

If that’s the case, I’d say within 12 hours, assuming that the new DNS record(s) are correct, according to what Google expects to see.
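
The side-by-side comparison from this thread, as an added example that is not part of any poster's reply: it joins the quoted strings of a TXT record the way a verifier does, then compares the `p=` key with the value copied from the mail provider's panel. The function names and the sample key are constructed for illustration.

```python
import base64
import re

def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted strings of a TXT record as printed by dig.
    One TXT string holds at most 255 bytes, so long DKIM keys are published
    as several quoted strings that are joined with nothing in between."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata.strip()

def parse_dkim(record: str) -> dict:
    """Split a DKIM key record into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = value.strip()
    if "p" in tags:
        # Whitespace inside the base64 key is allowed and must be ignored.
        tags["p"] = re.sub(r"\s+", "", tags["p"])
    return tags

def compare_dkim(published_rdata: str, expected_record: str) -> dict:
    """Compare published TXT rdata with the record copied from the panel."""
    pub = parse_dkim(join_txt_strings(published_rdata))
    exp = parse_dkim(join_txt_strings(expected_record))
    p_pub, p_exp = pub.get("p", ""), exp.get("p", "")
    # Index of the first differing character, or None when the keys are equal.
    diff = next((i for i, (a, b) in enumerate(zip(p_pub, p_exp)) if a != b), None)
    if diff is None and len(p_pub) != len(p_exp):
        diff = min(len(p_pub), len(p_exp))  # one key is a truncated copy
    try:
        base64.b64decode(p_pub, validate=True)
        valid = bool(p_pub)
    except ValueError:
        valid = False
    return {"match": diff is None and pub.get("v") == exp.get("v"),
            "first_difference": diff, "published_key_is_base64": valid}

# Constructed sample data (not the keys from this thread).
KEY = base64.b64encode(bytes(range(200))).decode()
EXPECTED = f"v=DKIM1; k=rsa; p={KEY}"                       # value from the panel
SPLIT_OK = f'"v=DKIM1; k=rsa; p={KEY[:100]}" "{KEY[100:]}"'  # same key, two strings
STALE = f'"v=DKIM1; k=rsa; p={KEY[:40]}X{KEY[41:]}"'         # an older, different key

if __name__ == "__main__":
    print(compare_dkim(SPLIT_OK, EXPECTED))
    print(compare_dkim(STALE, EXPECTED))
```
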

Great! So now the status in Google is: Authenticating email with DKIM.

Does that mean it’s fixed? I feel like the answer is yes, but being that this has been a month of failure for getting this fixed, I’d love someone else who knows more about this than me to confirm.

If you’re sending a test message my way, I can tell you what I see:

[email protected]

Just sent!

It passed DKIM successfully, using the public DKIM key from the above mentioned google._domainkey DNS record. 🙂

Side notes →

Both DKIM and SPF verified successfully in a way that will satisfy a strict alignment (“adkim=s; aspf=s;”) in DMARC, meaning your Google set up is fine for going for the strictest DMARC reject policy, as well as moving to the strongest SPF policy, ending with “-all”.

However, your SPF does indicate that you may also be using infusionmail.com/Keap as well, and if that is the case, it would be wise to look into the set up you may have with them first, before deciding on such a DMARC reject policy.


Thanks! I appreciate that. Yes I’m currently using Keap/Infusionsoft. We are moving to Klaviyo in the new year, but need to make sure that we don’t run into any issues with Keap.

I deeply appreciate the help you both have given to help get this resolved! Thank you!!!
