Issues getting DKIM working with Google Workspace

I have a domain I have been using with Google Workspace for years. Unfortunately, the DNS was hosted by GoDaddy through some portal and I wasn’t able to make any changes, so I updated nameservers and set it up on Cloudflare.

Running a report on Redsift, it tells me that my DKIM Signing Domain and From Domain are not aligned. If I view the headers I can’t find the DKIM signature that Google added to my DNS. I tried switching the nameservers to Cloudflare and using that, but then the From in the email reads like: email@domain.com via email.cloudflare.net, and even though my DNS MX records on Cloudflare are still pointing to Google for email, it seems to be sending through Cloudflare and I can see what looks like a DKIM for Cloudflare.

I’m trying to decide best practice. I would think if I’m using Google Workspace that I’m best continuing to use that for my email sending and not Cloudflare - I just wanted CF for my DNS.

When I’m using Google Workspace to send I see a couple of DKIM records that are not the same as the one in my admin panel config options. I guess I could just add those… seems strange though - they should match.

There is a DKIM-Signature and an X-Google-DKIM-Signature in the header. When I’m using Cloudflare for DNS (still with Google for MX records), I get the same DKIM signatures plus one from Cloudflare, but none of them match the Google Workspace admin panel DKIM.

I feel like I get how it’s supposed to work, but I don’t seem to have the right config values from Google. This is a business with quite a bit of email volume and I’m hesitant to switch email to Cloudflare, but I do need to get this working and make sure I’m Gmail/Yahoo sending compliant.

I’m not sure what you mean by:

Cloudflare has no email sending service. They have a forwarding service known as Cloudflare Email Routing, but you definitely should not be using that.

Can you send an email to https://www.mail-tester.com/ and share the results URL here so we can offer better feedback based off more relevant data?

You’re quite right - I use the forwarding service on other domains, but with this one on Google Workspace, I want Google to keep handling the sending without any forwarding. I meant if I switch the DNS to Cloudflare then it seems the email passes via Cloudflare instead of directly from Google.

I used mail-tester as you suggested and got a 5.2/10 but only sent a blank email (wasn’t familiar with this testing site and I’m not yet concerned about the content issues, first trying to resolve SPF, DKIM and DMARC issues).
The famous spam filter SpamAssassin. Score: -4.3.
A score below -5 is considered spam.

It says DKIM signed and valid and SPF pass, but other testing sites like Redsift suggest I’m not Google/Yahoo Deliverability Compliant because ‘DKIM Signing Domain and From Domain are not aligned. The policy is Relaxed’. I’m really looking to get the DKIM signing domain and From domain aligned and then I’ll move on to making sure I have one-click unsubscribe and properly formatted messages.

If your email touches Cloudflare you have something dreadfully misconfigured.

There is no requirement for strict alignment, so you can ignore whatever is giving you that suggestion.

If you are planning on sending bulk email to Yahoo or Gmail (or anywhere else), you would do well to use a proper bulk email service provider and not send directly from Google Workspace. They will have many benefits including, but not limited to, member management and one-click unsubscribe.

I’m still a little confused why the messages were tagged as ‘via Cloudflare.net’ when the MX records were still pointing to Google. I’ll be continuing to send transactional emails through Postmark; mainly order notifications and invoices to a tightly managed list of clients. Most of these go to enterprise email servers (mostly Exchange servers) but there are exceptions and indeed I will need to write up my own one-click unsubscribe.

Thanks for your follow-up.
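
An added example, not part of the thread and not any poster's code: a short Python check of the DKIM alignment question discussed above. It compares the `d=` tag of each `DKIM-Signature` header with the From domain under relaxed and strict alignment, and does not verify the signature itself. The messages, domains and selectors are constructed placeholders, and the organizational domain is assumed to be the last two labels (real DMARC evaluators use the Public Suffix List).

```python
import email
from email.utils import parseaddr

# Constructed sample headers; every domain, selector and hash is a placeholder.
TEMPLATE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
    "\td={d}; s=sel1; h=from:to:subject; bh=AAAA=; b=BBBB=\n"
    "X-Google-DKIM-Signature: v=1; a=rsa-sha256; d=internal.example.org;"
    " s=sel2; b=CCCC=\n"
    "From: Sales <sales@example.com>\n"
    "Subject: test\n\nbody\n"
)
UNALIGNED = TEMPLATE.format(d="provider-signing.example.net")
SUBDOMAIN = TEMPLATE.format(d="mail.example.com")

def org_domain(domain):
    # Assumption: last two labels. Wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_tags(value):
    """Parse 'k=v; k=v' tag lists, removing header folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags

def alignment(raw, mode="relaxed"):
    """Return (from_domain, [(signing_domain, selector, aligned), ...])."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    # Only DKIM-Signature is evaluated by receivers; the X-Google-DKIM-Signature
    # header has a different name and is skipped by this lookup.
    for value in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(value)
        d = tags.get("d", "").lower()
        if mode == "strict":
            ok = d == from_domain
        else:
            ok = org_domain(d) == org_domain(from_domain)
        results.append((d, tags.get("s", ""), ok))
    return from_domain, results

if __name__ == "__main__":
    for name, raw in (("unaligned", UNALIGNED), ("subdomain", SUBDOMAIN)):
        for mode in ("relaxed", "strict"):
            print(name, mode, alignment(raw, mode))
```

The selector and `d=` value it prints are the pair to look up in DNS as `<selector>._domainkey.<d>` when comparing against the record shown in an admin console.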