- In Google Workspace - Apps - Gmail - Authenticate email get the DKIM text value. You will probably have to generate a new record.
- In Dreamhost control panel manage websites click on DNS settings for domain and enter google._domainkey as host and the TXT record value. (DH UI makes this look like it appends a suffix to this but it really doesn't.)
- Once DH says the record has propagated return to the Admin console and click "start authentication"
Send an email message to someone who is using Gmail or Google Workspace. (You can't verify DKIM is on by sending yourself a test message.)
In the message header, look for Authentication-Results. Receiving services use different formats for incoming message headers, however the DKIM results should say something like DKIM=pass or DKIM=OK.If the message header doesn't include a line about DKIM, messages sent from your domain aren't signed with DKIM.
When I looked at view original sent form Emily's account to my personal gmail account I didn't see DKIM=pass or DKIM=OK but I did see two entries starting with:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
More importantly when I scrolled up a bit (this is in Gmail View Original) I saw a header that's interpreting the email headers (I think this might be a newer feature):
Message ID ....
Created at: Mon, Mar 13, 2023 at 2:59 PM (Delivered after 12 seconds)
From: Emily ....
To: John ...
Subject: test DKIM content
SPF: NEUTRAL with IP ...
DKIM: 'PASS' with domain ...
You can also paste the "original message" headers into toolbox.googleapps.com/apps/messageheader/. That gave similar results.
When I tested on a second family domain that did NOT have DNS TXT entry for DKIM it showed as DKIM 'PASS" in the email header interpretation with an odd domain string -- BUT in Google Apps it showed as NOT authenticating. I cannot explain this.
Once I updated the DNS TXT DKIM entry for that domain and allowed a few minutes for propagation it did show in the Google Apps admin console as authenticating with DKIM and the headers showed the correct domain name.
DH's note on SPF records says they cannot be updated if we are using Google Workspace. This is new since 2018 and I think that's correct.
- Google - turn on DKIM for domains
- Google - troubleshoot DKIM issues
- Dreamhost DKIM records
- Check DKIM and SPF records
- Check DKIM records
- DKIM for Google Apps 2011 (easier then because we used a DNS service tied to Google. There's an analogous fix for Google Apps 2023 if you use their DNS. Yeah, I know they don't call it Google Apps any more.)
- Dreamhost SPF 2018 (looks like they were screwing up DKIM settings back then as well)
- How to get Google to DKIM authenticate your domain (2022)
- Dreamhost SPF records: "If you're using Google Workspace, you cannot update the SPF record. The field remains uneditable."