Google rejecting Salesforce DKIM signed messages
- Marc Luescher
- Oct 8, 2020
- 2 min read
Updated: Oct 9, 2020
Another day of troubleshooting email connectivity issues for our end users. This one was a bit harder than usual.
Our Salesforce QA team could not send test email messages to their gmail.com addresses, while messages sent to all of our own email tenants worked as expected.
The Google error message received in Salesforce was:
550-5.7.26 Unauthenticated email from xxxxxxxx is not accepted due to domain's
550-5.7.26 DMARC policy. Please contact the administrator of xxxxxx domain
550-5.7.26 if this was a legitimate mail. Please visit
550-5.7.26 https://support.google.com/mail/answer/2451690 to learn about the
550 5.7.26 DMARC initiative. q14si1465189qti.399 - gsmtp
In such cases we first validate the email authentication settings, specifically SPF, DKIM and DMARC, and check that the domain used for DKIM signing (or SPF) aligns with the From: domain, since DMARC rejects the message otherwise.
For Salesforce we have a policy which requires DKIM signing using 2048-bit keys with a yearly key rollover. Since the Salesforce Lightning release, DKIM keys are hosted by Salesforce: you only need to provide the key strength, two selector names, the email domain and the enforcement attribute to select.
The resulting CNAME records and attributes need to be published in DNS, after which the keys can be activated shortly after. The whole process only takes 3-5 minutes.
Once Salesforce can validate the two published DNS records, DKIM signing can be activated and is applied to all outgoing Salesforce emails from that instance. Since most companies use separate development, UAT and production instances in Salesforce, you will need to repeat this process for each of them.
Testing the email function against our own domains worked fine; testing against gmail.com still failed with the same error message.
Debugging the ESA mail logs for that sender showed a DKIM error while validating the inbound DKIM signature:
Debugging the above DKIM keys with OpenSSL led me to conclude that the DKIM key itself is correct but the applied signature (padding) must be wrong.
We retried the same operation twice with the same results to rule out a copy/paste problem with the DKIM records. Finally, reducing the DKIM key length in Salesforce from 2048 to 1024 bits and publishing those keys seemed to solve the issue for now. It appears that there might be an issue with Salesforce DKIM management for 2048-bit keys at the moment.
It appears to have been a temporary problem on the Salesforce side, which is now resolved (10/08/2020).
We have switched back to 2048-bit keys and they pass DKIM validation again.
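As an added example (not code from this post, from Salesforce or from the ESA), the stdlib-only Python script below does offline what the post does by hand with OpenSSL for the published records above and for the 2048-vs-1024-bit key question: it parses the DKIM TXT record and DKIM-Signature tag lists, decodes the p= public key with a minimal DER parser to report the RSA modulus size (so a 1024-bit key published where a 2048-bit one was intended shows up immediately), and checks DMARC identifier alignment between the d= signing domain and the From: domain, which is what Google's 5.7.26 rejection is about. The selector sfdc1, the domain example.com, the sample DKIM-Signature header and the placeholder key built by fake_dkim_record() are all constructed for this example; the signature value b= itself is not verified.

```python
"""Offline DKIM record sanity check (added example; constructed input only)."""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

# Constructed DKIM-Signature header as Salesforce-style signing would produce it
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sfdc1;"
                    " h=from:to:subject:date; bh=placeholderbodyhash=; b=placeholdersig=")


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (same syntax for TXT records and DKIM-Signature)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # folding whitespace is insignificant
    return tags


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_b64: str) -> int:
    """Modulus size in bits of a DKIM p= value (base64 SubjectPublicKeyInfo DER)."""
    tag, spki, _ = _read_tlv(base64.b64decode(p_b64), 0)  # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, alg, pos = _read_tlv(spki, 0)                  # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _read_tlv(alg, 0)                     # OBJECT IDENTIFIER
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)             # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)          # skip unused-bits byte -> RSAPublicKey
    tag, modulus, _ = _read_tlv(rsa_pub, 0)           # INTEGER n comes first
    if tag != 0x02:
        raise ValueError("missing modulus INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (real DMARC
    evaluators use the Public Suffix List; fine for the .com names used here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dkim_aligned(from_addr: str, signing_domain: str, mode: str = "r") -> bool:
    """DMARC DKIM identifier alignment (RFC 7489 3.1.1): 'r' relaxed, 's' strict."""
    from_domain = from_addr.rsplit("@", 1)[-1].strip("> ").lower()
    d = signing_domain.lower().rstrip(".")
    return from_domain == d if mode == "s" else org_domain(from_domain) == org_domain(d)


def check_dkim(txt_record: str, dkim_signature: str, from_addr: str,
               min_bits: int = 2048) -> dict:
    """Checks a mail admin wants before trusting a hosted-DKIM setup."""
    rec, sig = parse_tags(txt_record), parse_tags(dkim_signature)
    bits = rsa_modulus_bits(rec["p"])
    return {
        "selector": sig.get("s"),
        "signing_domain": sig.get("d"),
        "key_bits": bits,
        "key_strong_enough": bits >= min_bits,
        "aligned": dkim_aligned(from_addr, sig.get("d", "")),
        "record_ok": rec.get("v", "DKIM1") == "DKIM1" and rec.get("k", "rsa") == "rsa",
    }


# --- constructed test data: placeholder modulus, NOT a real key pair ---------
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep INTEGER positive


def fake_dkim_record(bits: int) -> str:
    """Syntactically valid DKIM TXT record whose RSA modulus has `bits` bits."""
    n = (1 << (bits - 1)) | 1                          # placeholder value of the right size
    rsa_pub = _der(0x30, _der_int(n) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    for bits in (2048, 1024):
        print(bits, check_dkim(fake_dkim_record(bits), SAMPLE_SIGNATURE, "qa@example.com"))
```

With a real deployment, the record text comes from `dig +short TXT sfdc1._domainkey.example.com` (with the CNAME that Salesforce hands you resolved along the way); dig prints long TXT records as several quoted strings, so join them into one string before passing it to check_dkim().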
Another problem solved.