DKIM passes internal tests but Google reports intermittent DKIM authentication failures

I’m running into a confusing email authentication problem and could really use some help figuring this out.

Here’s my current setup:

  • Domain DNS is managed through Cloudflare
  • Email hosting via Office 365
  • SPF, DKIM, and DMARC are all properly configured

The weird part is that everything looks good on my end. When I test DKIM in the Office 365 admin panel, it passes all checks and I can enable it without issues. The DMARC aggregate reports from Office 365 also show everything is working correctly.

But here’s where it gets strange - I keep getting occasional failure notifications from Google’s DMARC reporting system. These don’t come regularly, just randomly every now and then. The reports specifically mention DKIM authentication failures for emails from my domain.

What’s really puzzling is the inconsistency. If my DKIM setup were broken, wouldn’t it fail consistently? Why would some emails pass while others fail, especially when my own monitoring shows everything working?

Has anyone experienced similar intermittent DKIM failures with Google while other providers work fine? I’m wondering if there might be some edge case or configuration detail I’m missing.

Any insights would be greatly appreciated. Thanks for taking the time to help out.

It seems you may be experiencing issues related to DNS propagation. Google sometimes uses cached records that can lead to inconsistent DKIM authentication results, even if everything appears correct from your side. I recommend verifying your DKIM settings and consider setting up an additional selector for redundancy. Additionally, adjusting the TTL values of your DKIM records in Cloudflare could potentially enhance the speed of updates as DNS records propagate.

Same thing happened to me last year - intermittent DKIM failures from Google while everything else worked fine. Turned out it was Office 365’s automatic DKIM key rotation. Microsoft rotates these keys periodically, and there’s usually a short window where they’re still signing with the old key but DNS already shows the new one. Creates temporary auth failures until the rotation finishes. Check if your Office 365 DKIM rotation timing matches when you’re getting these failure reports. I’d also watch the DKIM selector values in your DNS during these periods to see if that’s what’s happening.
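As an added example (not from anyone in this thread), here is a small parser for the Google DMARC aggregate reports mentioned above: it pulls out the rows where DKIM failed and groups them by selector and sending IP, together with the report's time window, so you can see whether the failures cluster on one selector around a rotation period. The report XML is constructed sample data in the RFC 7489 aggregate format; the domain, IPs and selector names are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate (RUA) report in the RFC 7489 Appendix C layout.
# example.com, the 192.0.2.x addresses and the selector names are placeholders.
# Note the second record: DMARC still passes via aligned SPF, but the DKIM
# signature under selector2 failed, which is exactly what Google reports.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>google.com</org_name><report_id>constructed-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.11</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>selector2</selector><result>fail</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""


def dkim_failures_by_selector(report_xml):
    """Return ({(selector, source_ip): message_count}, (begin, end)) for every
    record whose DKIM evaluation failed; begin/end are the report's epoch window.
    Real reports arrive by e-mail from third parties, so parse them with
    defusedxml (same API) rather than the stdlib parser in production."""
    root = ET.fromstring(report_xml)
    begin = int(root.findtext("report_metadata/date_range/begin"))
    end = int(root.findtext("report_metadata/date_range/end"))
    failures = Counter()
    for rec in root.iter("record"):
        if rec.findtext("row/policy_evaluated/dkim") != "fail":
            continue
        count = int(rec.findtext("row/count", default="0"))
        ip = rec.findtext("row/source_ip", default="?")
        # A record may carry several DKIM signatures; attribute the failing ones
        # to their selector so a key-rotation gap shows up as a single selector.
        for sig in rec.findall("auth_results/dkim"):
            if sig.findtext("result") != "pass":
                failures[(sig.findtext("selector", default="(none)"), ip)] += count
    return dict(failures), (begin, end)
```

Run it over each report Google sends and compare the selector that fails with the one your Office 365 tenant was signing with at that time; a mismatch confined to one selector inside a rotation window points at the cause described above.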

Gmail’s servers can be really picky about DKIM. I faced this too with Office 365 when they made signatures that Gmail wouldn’t accept, mostly for longer messages or odd characters. Try sending some test emails with varied lengths to see if you notice any pattern in the failures.
