Email Routing DKIM Fail Blocks on what Gmail says Passes

On Eurostar dot com’s “Forgot Password” the emails it sends get 100% rejected by Cloudflare’s email routing (shows up in dashboard as SPF pass/DKIM fail) but if I switch back to GSuite/Gmail then Gmail accepts the email just fine (Google headers show “Authentication-Results-Original: mx google com; dkim=pass”) and the email comes through in the main inbox (not even Junk). I can share the raw email with headers if someone from Cloudflare wants to take a look (or if you create a Eurostar account and click “forgot password” you can repro easily).

While it’s likely that Eurostar has something odd about their setup, it’s unclear if their setup is wrong or whether Cloudflare’s validation is wrong. Either way, since Gmail allows it through while Cloudflare has no way to recover the email, it’s a serious issue (I had to change back to Gmail due to this issue to recover my Eurostar account). Ideally there should be at least some way to access rejected emails through the dashboard or have a setting to allow the DKIM failed emails.

Another user hit something similar here: Email Routing - DKIM Fail - Error Result and Undelivered - Feedback / Previews & Betas - Cloudflare Community

And Gmail does explicitly show DKIM as a “Pass” (along with everything else) on the “Show original” page. Plus the appmaildev dot com tool given the original raw email source likewise shows the DKIM signature passing and the hash matching:

So it seems clear that Cloudflare is wrong to fail this DKIM check.

Also here’s the screenshot of Cloudflare’s DKIM fail:
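Added example, not part of the original post and not Cloudflare's or Gmail's code: one way to check the body-hash half of a DKIM signature from the raw message source, independently of either verifier. It recomputes `bh=` under the canonicalization the signature declares (RFC 6376) and does not verify the `b=` signature itself; the sample message, `example.test`, `sel1` and all function names are constructed for illustration.

```python
import base64, hashlib, re

def dkim_tags(raw):
    """Tag=value pairs of the first DKIM-Signature header in a raw message."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    head = re.sub(r"\r\n[ \t]+", " ", head)            # unfold continuation lines
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
            return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}
    raise ValueError("no DKIM-Signature header")

def canon_body(body, mode):
    """RFC 6376 body canonicalization, 'simple' or 'relaxed'."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":   # collapse WSP runs, drop WSP at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":                  # ignore trailing empty lines
        lines.pop()
    if not lines:           # empty body: "" for relaxed, one CRLF for simple
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash_check(raw, force_mode=None):
    """Recompute bh= from the received body; the b= signature is NOT verified."""
    tags = dkim_tags(raw)
    body = raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else b""
    # c= is "header/body"; the body part defaults to simple when omitted
    mode = force_mode or (tags.get("c", "simple").split("/") + ["simple"])[1]
    data = canon_body(body, mode)
    if "l" in tags:                                    # optional body length limit
        data = data[: int(tags["l"])]
    algo = tags["a"].split("-")[-1]                    # rsa-sha256 -> sha256
    computed = base64.b64encode(hashlib.new(algo, data).digest()).decode()
    return {"domain": tags.get("d"), "selector": tags.get("s"), "body_canon": mode,
            "claimed": tags["bh"], "computed": computed, "match": computed == tags["bh"]}

# Constructed sample: signed with c=relaxed/relaxed, then whitespace changed in transit.
SIGNED_BODY = b"Reset your password:\r\n https://example.test/reset\r\n"
SAMPLE = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.test;\r\n"
          b" s=sel1; h=from:subject; bh="
          + base64.b64encode(hashlib.sha256(SIGNED_BODY).digest())
          + b";\r\n b=PLACEHOLDER\r\nFrom: a@example.test\r\nSubject: reset\r\n\r\n"
          b"Reset your password:  \r\n \t https://example.test/reset\r\n\r\n\r\n")

if __name__ == "__main__":
    print(body_hash_check(SAMPLE))
    print(body_hash_check(SAMPLE, force_mode="simple")["match"])
```

Feed it the raw message bytes with CRLF line endings intact; a copy saved with bare LF line endings must be normalized first or every hash will mismatch. A matching `bh=` only rules out body modification, so a remaining failure points at the header hash, the key lookup, or the verifier.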