I've read a few different threads on here and have tried them out, but they don't seem to be working for me, so I'm hoping one of you awesome people can help me out. Forgive me, but this will be a little long.
I'm working with a non-profit who has our site DNS set up on domain.com, and our email is going through Google Workspace. Our regular email addresses all end in @ourdomain.org, and we have a subdomain @mail.ourdomain.org set up for our marketing emails through sites like Constant Contact.
I'm using Dmarcian.com to analyze our DMARC reports, and I'm confused as to why a couple of things are happening.
For the @ourdomain.org reports, everything is passing fine. But I'm noticing there is a second DKIM record that is showing up when it checks the DKIM records. The selector is XXXXXXXX (8 numbers), and the domain is mail-ourdomain-org.XXXXXXXX.gappssmtp.com. I know this is an auto-generated DKIM key from Google, but I'm trying to figure out how, or if it's even possible to, add this key into our DNS records. Since ourdomain.org is not listed anywhere I have no clue what I would need to list as the selector in our DNS records for it to be valid. Everything seems to be passing since Dmarcian is showing both keys, it's passing DKIM thanks to the key we put in ourselves, even though the second key isn't showing up.
For our mail.ourdomain.org address though, we are running into a bigger problem. Domain.com doesn't allow us to edit DNS records for subdomains directly, we can only edit the DNS records on the main domain. So here's what we have done.
Two SPF records: One with the name of @, and one named mail. This allows both the main domain, and the mail subdomain to have a SPF record, and both work perfectly.
One DMARC record, with the name _dmarc and no SP tag in it, so the quarantine setting propagates down from the main domain to all subdomains, and that is working fine.
Our main domain keys all seem to be working fine. For our subdomain DKIM keys, everything seems to say use the name "XXX._domainkey.mail", with XXX being whatever the selector is supposed to be. That way it applies to the subdomain mail, and not the main domain. We've done that, it's been in place for two or three days, but nothing seems to be using it. Instead it's using only the same autogenerated google DKIM key that I mentioned before, at least according the the Dmarcian reports
I know this is a lot, but I wanted everyone to know what I've tried doing before I ask all my questions.
1: Is there a way to get that autogenerated google DKIM key into our DNS records? If so, what would I list as the selector, and what should I name it in our DNS settings.
2: Is there another name I should be putting in on domain.com to get it to apply to the subdomain, or do I just need to wait longer to get it to show up in the dmarcian.com reports? I'm thinking it's just wait longer, because I tried looking it up on mxtoolbox, and it finds the record fine. I just want people who are smarter and doing this then I am to chime in.
EDIT: Headers added per Paul's request
Delivered-To: [email protected]
Received: by 2002:a1f:2b88:0:0:0:0:0 with SMTP id r130csp4040166vkr;
Sun, 18 Jul 2021 18:16:37 -0700 (PDT)
X-Received: by 2002:a7b:c762:: with SMTP id x2mr21216464wmk.21.1626657397670;
Sun, 18 Jul 2021 18:16:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1626657397; cv=none;
d=google.com; s=arc-20160816;
b=sE9smyJn9mlhmvSnyZ8bnUFCimZtimBJjX+xkuBqjaC2+vAIoUBfazzG4sIadez7Al
Nno8/kYK2fbhMk9QcMUwfV40fzMzbc9lmogX0QPE4nevzi9nf1wDLL0s6gL/a45OHAc3
xTvuxllcO5fgHa3wRR5aIIOrPzGhOO/45iDadwPG0861UeM0oHQOW5QA3td3eEt5cWfG
+sOy2dJF4u86H5uiVMoTj3pnJoTR09qWJ/j7H6tmHhoH2lbPaXmfXr81dH/zs0+g8bLi
3yCVM4fg97ZpC2V3qerAmv1AkjY5MwmDuNCUraRH7AI+hwofhOiMvrE9CAH1xaajNQmQ
wiXg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=to:subject:message-id:date:from:mime-version:dkim-signature;
bh=Wr7w3dtotvYQO/Q/74BBr61l0LbM/Z70VXQtzUDIE8k=;
b=hahPTn2HQR8xqwz169O19ZqWTatdFNeQYKbnDZqe4ksWKe43oi7nskdG6OnKkVtlzQ
YIc8QL8uj/vsDLMwFZGD9qYglKcjmzcfuA6gChsnL7LqkO7t0K6p2LSNDLmqY9OgVQ4B
5GAvorSkywt5KpSRvG+VpkI20M5ZqgmPT+n2B96aX36bdtLd749iWQrCDuRWgb69BAmt
nIdhB4BAw0fDvLW0B5HwUr1JV+coXI2U89movkJ+ichKmok4khUhp7ev6z9aqt+4OVxm
vpX1E7X4ESUO0/PTABo9sNunt2O9eg2ruUsKB3xzwSabhMuaJ82bbWqDjack0y5f8MWD
twOA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass [email protected] header.s=mail header.b=GJDcn+LO;
spf=pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) [email protected];
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ourdomain.org
Return-Path: <[email protected]>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
by mx.google.com with SMTPS id k13sor7841198wrc.37.2021.07.18.18.16.37
for <[email protected]>
(Google Transport Security);
Sun, 18 Jul 2021 18:16:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=mail header.b=GJDcn+LO;
spf=pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) [email protected];
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ourdomain.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mail.ourdomain.org; s=mail;
h=mime-version:from:date:message-id:subject:to;
bh=Wr7w3dtotvYQO/Q/74BBr61l0LbM/Z70VXQtzUDIE8k=;
b=GJDcn+LOYU6rF4Bk6RJ3u/4s5a7WEak0lqLJdRh5ANSObxn5MjBu8usjlJUttUQbTr
l+XYv3/9hSCoCyIHlbSK1kx7QMwMIxg+dWruSggGHl4dTyl+hlD9PCrkM1dbsxfLt4PB
MJOkGytdvbrSdVsL7zGPDRPYaD9t00KjxciZtqHbcxQ/bRSAc3kNAqTBnEHbSasNl7xU
yeB/2oSRUcJOUe5V4hB8WECimZw9PhjWXgmyiR/2hzk84Yj0isV242ErCQfOxqvAKlJe
yYjZOCZm1c5pyBlZMZG0ePCk+6EYvNqrNGG3KoeT5Ow2E5kn4i5/rTZ7YtXBLyLmL2Bv
Xpnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=Wr7w3dtotvYQO/Q/74BBr61l0LbM/Z70VXQtzUDIE8k=;
b=AiykOf6fowHFVS4eADfQbNAFkaF5KHVVwDC20BEFcJDewWahqlhpNShS9o1hROC3EY
5Rq6in+UTVYLKGR5qzIGCfMzfK5ufaHLv80tGh0iShrlnklNlsXs8g1pxSPc370cbLyw
kkOEbHFGwfvujIqlx8+EhTD0FlH2PqbYD2u7iZ0QJiHQbHIwsuxXubG+bJcXjSloRocO
mL/WZaq4eu0TZTXWFS17U18sfcH0lMow6jwXEguzj7uahQgpcCSfI26N/1oLojRe/jWs
NBVzKQyfxS6jt5z5HKfIXuOZq3WYats/UxnTwpr/vc3SfAoCNnQFeYYNeZAsM2QfE1ex
LppQ==
X-Gm-Message-State: AOAM531McamrYiuTJbBHfcs2KJZ5BnBiyGNLLanxz4xbwLqV2mItZnVA 32CNG87MEuObv2JKNlGqTm228wUF2glphb15pWG2Hx+OfhFYjA==
X-Google-Smtp-Source: ABdhPJz2gfrGpRxzwOnvBgQL4bWCZK6Ai1EYRdKP5DfILdn9FpSXaRkTochg1PDCjhAJycXGSx8QqQcYEBaGAqNVY3w=
X-Received: by 2002:adf:90e2:: with SMTP id i89mr27585849wri.338.1626657396714; Sun, 18 Jul 2021 18:16:36 -0700 (PDT)
MIME-Version: 1.0
From: Test Account <[email protected]>
Date: Sun, 18 Jul 2021 18:16:25 -0700
Message-ID: <CA+XJ9wVJCfhWGgVe2CYXeTwTvxWqBCowFiDZuOZaKQazKf_CXg@mail.gmail.com>
Subject: DKIM Email Test
To: [email protected]
Content-Type: multipart/alternative; boundary="0000000000004d80d805c76fb0f2"
--0000000000004d80d805c76fb0f2
Content-Type: text/plain; charset="UTF-8"
DKIM Email Test
--0000000000004d80d805c76fb0f2
Content-Type: text/html; charset="UTF-8"
<div dir="ltr">DKIM Email Test</div>
--0000000000004d80d805c76fb0f2--