dear RT community
we are using RT-v5.0.4, normally without issues, with
the mails it creates being sent via a mailserver
(postfix) that DOES NOT employ DKIM (only SPF)
the RT mails going to ticket creators with gmail
accounts, we get such errors in the maillog:
- to=<[ticket-creator]@]gmail.com>… dsn=5.7.26, status=bounced …
- 550-5.7.26 Your email has been blocked because the sender is
- unauthenticated. … Gmail requires all senders to authenticate
- with either SPF or DKIM… Authentication results: 550-5.7.26
- DKIM = did not pass 550-5.7.26 SPF [host-name] with ip: [host-ip]
as I’ve said, the mail server DOES NOT use DKIM, only
SPF (which works; RT mails end up happily in all other
servers (including public yahoo mail); maillist mails
also get delivered at gmail)
so, my guess is that some RT mail header is triggering
google’s 2nd-level DKIM authentication (which obviously
fails)
has it happened to anyone else? any idea what is
going on?
Do you have a DMARC record set up for your domain? Set up DMARC - Google Workspace Admin Help
no, there is no DMARC record in the DNS zone. It
shouldn’t be a problem (as SPF is set), and I
don’t think google would anyway honour its
instruction. And still, this does not explain
why gmail servers try DKIM signature verification
I think Gmail tries DKIM and SPF no matter what, but if you’re not a bulk sender (more than 5000 emails per day appearing to come from your domain) you only need one of them to pass.
Is there any more to the log line you posted? I’d have been expecting an “=” and the SPF status at the end (“pass”, “did not pass”, etc).
Looking at the conditions for <5000 emails for Gmail to reject an email, there are some things for you to investigate:
- Your email spam rate is more than 0.3% at Gmail’s end. That might not be from your RT but other systems in your domain (aka whatever marketing people have been let loose with!),
- Something in what RT is sending is being interpreted as impersonating a Gmail header,
- If you are not using a TLS connection for transmitting emails,
- Your mail server doesn’t have ARC enabled if it is forwarding messages (or Gmail is interpreting what RT is sending as forwarded emails),
- Your forward and reverse DNS records are invalid.
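
Added example, not part of any post in this thread: a small Python parser that pulls the DKIM and SPF verdicts out of a Gmail 5.7.26 bounce as it appears in the Postfix maillog, and flags the case where the SPF line stops before its verdict. The sample text is constructed from the excerpt quoted in the thread; the domain, the IP and the trailing "= did not pass" on the SPF line are assumptions.

```python
import re

# Constructed sample modelled on the excerpt in the thread; the domain,
# the IP and the "= did not pass" after the SPF entry are assumptions.
FULL = ("550-5.7.26 Your email has been blocked because the sender is "
        "unauthenticated. 550-5.7.26 Gmail requires all senders to "
        "authenticate with either SPF or DKIM. 550-5.7.26 550-5.7.26 "
        "Authentication results: 550-5.7.26 DKIM = did not pass "
        "550-5.7.26 SPF [rt.example.org] with ip: [192.0.2.25] = did "
        "not pass 550-5.7.26")
# The same text cut off after the IP, like the log line quoted above.
TRUNCATED = FULL.split("] = did")[0] + "]"

# Reply code plus enhanced status code repeated on every continuation line.
CODE = re.compile(r"\b\d{3}[- ]\d\.\d\.\d+\s*")
VERDICT = r"(?:\s*=\s*(did not pass|pass))?"
DKIM = re.compile(r"DKIM" + VERDICT)
SPF = re.compile(r"SPF \[([^\]]*)\] with ip: \[([^\]]*)\]" + VERDICT)


def parse_bounce(text):
    """Return Gmail's DKIM/SPF verdicts from a 5.7.26 bounce, or None."""
    # Drop the "550-5.7.26" prefixes so the results read as one sentence.
    flat = " ".join(CODE.sub(" ", text).split())
    _, found, results = flat.partition("Authentication results:")
    if not found:
        return None
    out = {"dkim": None, "spf": None, "spf_domain": None, "spf_ip": None}
    m = DKIM.search(results)
    if m:
        out["dkim"] = m.group(1)
    m = SPF.search(results)
    if m:
        out["spf_domain"], out["spf_ip"], out["spf"] = m.groups()
    # SPF entry present but no verdict: the log line was cut short.
    out["truncated"] = out["spf_domain"] is not None and out["spf"] is None
    return out


if __name__ == "__main__":
    for label, text in (("full", FULL), ("truncated", TRUNCATED)):
        print(label, parse_bounce(text))
```

The `spf_domain` and `spf_ip` fields show which identity and address Gmail actually evaluated, which can then be compared with the published SPF record and the forward and reverse DNS entries.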