DKIM on subdomain hosted by domain.com, and auto-generated DKIM key

I've read a few different threads on here and have tried them out, but they don't seem to be working for me, so I'm hoping one of you awesome people can help me out. Forgive me, but this will be a little long.

I'm working with a non-profit who has our site DNS set up on domain.com, and our email is going through Google Workspace. Our regular email addresses all end in @ourdomain.org, and we have a subdomain @mail.ourdomain.org set up for our marketing emails through sites like Constant Contact.

I'm using Dmarcian.com to analyze our DMARC reports, and I'm confused as to why a couple of things are happening.

For the @ourdomain.org reports, everything is passing fine. But I'm noticing there is a second DKIM record that is showing up when it checks the DKIM records. The selector is XXXXXXXX (8 numbers), and the domain is mail-ourdomain-org.XXXXXXXX.gappssmtp.com. I know this is an auto-generated DKIM key from Google, but I'm trying to figure out how, or if it's even possible, to add this key into our DNS records. Since ourdomain.org is not listed anywhere, I have no clue what I would need to list as the selector in our DNS records for it to be valid. Everything seems to be passing: Dmarcian is showing both keys, and it's passing DKIM thanks to the key we put in ourselves, even though the second key isn't showing up.

For our mail.ourdomain.org address though, we are running into a bigger problem. Domain.com doesn't allow us to edit DNS records for subdomains directly, we can only edit the DNS records on the main domain. So here's what we have done.

Two SPF records: one with the name @, and one named mail. This allows both the main domain and the mail subdomain to have an SPF record, and both work perfectly.

One DMARC record, with the name _dmarc and no SP tag in it, so the quarantine setting propagates down from the main domain to all subdomains, and that is working fine.

Our main domain keys all seem to be working fine. For our subdomain DKIM keys, everything seems to say to use the name "XXX._domainkey.mail", with XXX being whatever the selector is supposed to be. That way it applies to the subdomain mail, and not the main domain. We've done that, and it's been in place for two or three days, but nothing seems to be using it. Instead it's using only the same auto-generated Google DKIM key that I mentioned before, at least according to the Dmarcian reports.

I know this is a lot, but I wanted everyone to know what I've tried doing before I ask all my questions.

1: Is there a way to get that auto-generated Google DKIM key into our DNS records? If so, what would I list as the selector, and what should I name it in our DNS settings?

2: Is there another name I should be putting in on domain.com to get it to apply to the subdomain, or do I just need to wait longer to get it to show up in the dmarcian.com reports? I'm thinking it's just a matter of waiting longer, because I tried looking it up on mxtoolbox, and it finds the record fine. I just want people who are smarter and doing this more than I am to chime in.

EDIT: Headers added per Paul's request

Delivered-To: [email protected]
Received: by 2002:a1f:2b88:0:0:0:0:0 with SMTP id r130csp4040166vkr;
        Sun, 18 Jul 2021 18:16:37 -0700 (PDT)
X-Received: by 2002:a7b:c762:: with SMTP id x2mr21216464wmk.21.1626657397670;
        Sun, 18 Jul 2021 18:16:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1626657397; cv=none;
        d=google.com; s=arc-20160816;
        b=sE9smyJn9mlhmvSnyZ8bnUFCimZtimBJjX+xkuBqjaC2+vAIoUBfazzG4sIadez7Al
         Nno8/kYK2fbhMk9QcMUwfV40fzMzbc9lmogX0QPE4nevzi9nf1wDLL0s6gL/a45OHAc3
         xTvuxllcO5fgHa3wRR5aIIOrPzGhOO/45iDadwPG0861UeM0oHQOW5QA3td3eEt5cWfG
         +sOy2dJF4u86H5uiVMoTj3pnJoTR09qWJ/j7H6tmHhoH2lbPaXmfXr81dH/zs0+g8bLi
         3yCVM4fg97ZpC2V3qerAmv1AkjY5MwmDuNCUraRH7AI+hwofhOiMvrE9CAH1xaajNQmQ
         wiXg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=to:subject:message-id:date:from:mime-version:dkim-signature;
        bh=Wr7w3dtotvYQO/Q/74BBr61l0LbM/Z70VXQtzUDIE8k=;
        b=hahPTn2HQR8xqwz169O19ZqWTatdFNeQYKbnDZqe4ksWKe43oi7nskdG6OnKkVtlzQ
         YIc8QL8uj/vsDLMwFZGD9qYglKcjmzcfuA6gChsnL7LqkO7t0K6p2LSNDLmqY9OgVQ4B
         5GAvorSkywt5KpSRvG+VpkI20M5ZqgmPT+n2B96aX36bdtLd749iWQrCDuRWgb69BAmt
         nIdhB4BAw0fDvLW0B5HwUr1JV+coXI2U89movkJ+ichKmok4khUhp7ev6z9aqt+4OVxm
         vpX1E7X4ESUO0/PTABo9sNunt2O9eg2ruUsKB3xzwSabhMuaJ82bbWqDjack0y5f8MWD
         twOA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=mail header.b=GJDcn+LO;
       spf=pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) [email protected];
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ourdomain.org
Return-Path: <[email protected]>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id k13sor7841198wrc.37.2021.07.18.18.16.37
        for <[email protected]>
        (Google Transport Security);
        Sun, 18 Jul 2021 18:16:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=mail header.b=GJDcn+LO;
       spf=pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) [email protected];
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ourdomain.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mail.ourdomain.org; s=mail;
        h=mime-version:from:date:message-id:subject:to;
        bh=Wr7w3dtotvYQO/Q/74BBr61l0LbM/Z70VXQtzUDIE8k=;
        b=GJDcn+LOYU6rF4Bk6RJ3u/4s5a7WEak0lqLJdRh5ANSObxn5MjBu8usjlJUttUQbTr
         l+XYv3/9hSCoCyIHlbSK1kx7QMwMIxg+dWruSggGHl4dTyl+hlD9PCrkM1dbsxfLt4PB
         MJOkGytdvbrSdVsL7zGPDRPYaD9t00KjxciZtqHbcxQ/bRSAc3kNAqTBnEHbSasNl7xU
         yeB/2oSRUcJOUe5V4hB8WECimZw9PhjWXgmyiR/2hzk84Yj0isV242ErCQfOxqvAKlJe
         yYjZOCZm1c5pyBlZMZG0ePCk+6EYvNqrNGG3KoeT5Ow2E5kn4i5/rTZ7YtXBLyLmL2Bv
         Xpnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=Wr7w3dtotvYQO/Q/74BBr61l0LbM/Z70VXQtzUDIE8k=;
        b=AiykOf6fowHFVS4eADfQbNAFkaF5KHVVwDC20BEFcJDewWahqlhpNShS9o1hROC3EY
         5Rq6in+UTVYLKGR5qzIGCfMzfK5ufaHLv80tGh0iShrlnklNlsXs8g1pxSPc370cbLyw
         kkOEbHFGwfvujIqlx8+EhTD0FlH2PqbYD2u7iZ0QJiHQbHIwsuxXubG+bJcXjSloRocO
         mL/WZaq4eu0TZTXWFS17U18sfcH0lMow6jwXEguzj7uahQgpcCSfI26N/1oLojRe/jWs
         NBVzKQyfxS6jt5z5HKfIXuOZq3WYats/UxnTwpr/vc3SfAoCNnQFeYYNeZAsM2QfE1ex
         LppQ==
X-Gm-Message-State: AOAM531McamrYiuTJbBHfcs2KJZ5BnBiyGNLLanxz4xbwLqV2mItZnVA 32CNG87MEuObv2JKNlGqTm228wUF2glphb15pWG2Hx+OfhFYjA==
X-Google-Smtp-Source: ABdhPJz2gfrGpRxzwOnvBgQL4bWCZK6Ai1EYRdKP5DfILdn9FpSXaRkTochg1PDCjhAJycXGSx8QqQcYEBaGAqNVY3w=
X-Received: by 2002:adf:90e2:: with SMTP id i89mr27585849wri.338.1626657396714; Sun, 18 Jul 2021 18:16:36 -0700 (PDT)
MIME-Version: 1.0
From: Test Account <[email protected]>
Date: Sun, 18 Jul 2021 18:16:25 -0700
Message-ID: <CA+XJ9wVJCfhWGgVe2CYXeTwTvxWqBCowFiDZuOZaKQazKf_CXg@mail.gmail.com>
Subject: DKIM Email Test
To: [email protected]
Content-Type: multipart/alternative; boundary="0000000000004d80d805c76fb0f2"

--0000000000004d80d805c76fb0f2
Content-Type: text/plain; charset="UTF-8"

DKIM Email Test

--0000000000004d80d805c76fb0f2
Content-Type: text/html; charset="UTF-8"

<div dir="ltr">DKIM Email Test</div>

--0000000000004d80d805c76fb0f2--

Solution 1:

The X-Google... headers are specific to Google. Since Google does not instruct you to configure a record for these headers, you can safely ignore them.

If you feel there is a problem with dmarcian, try contacting their support.

Solution 2:

get that autogenerated google DKIM key into our DNS records

There is no need to have this key in your DNS, because your mail being signed by multiple parties is perfectly fine. It being signed by a key used by Google is also perfectly fine in conjunction with your own signature.

Google used these steps to clarify what is going on:

  • they used d=1e100.net to clarify that this key is not found in your domain, but may (or may not) be found in that well-known Google-owned domain
  • they prefixed the header containing that signature with X-Google- to clarify that even though it looks like a DKIM signature, it should not show up in tools except those specifically made to care about such Google-specific headers

get it to apply to the subdomain

If the subdomain and selector are literally both called mail, that sounds a bit redundant to me in a place that could (should) convey some meaning. Perfectly valid, but if it is not what you intended, you should change that before adapting your DKIM configuration about which subdomains to sign for with which keys.

Otherwise, show your current configuration to clarify what it currently does (or does not).
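An added example (not part of the question or either answer) that ties the question's two DKIM puzzles to the point Solution 2 makes about multiple signatures. It takes the signature headers as posted (plus a third, constructed to match the question's description of Google's gappssmtp.com fallback key, with the redacted selector and id kept as XXXXXXXX), and for each one works out: the DNS name a verifier will query (`selector._domainkey.signing-domain`), the name that record would need in a zone editor like domain.com's that only takes names relative to ourdomain.org (None when the record lies in a zone you do not control, which is the answer to question 1), and whether the signing domain aligns with the From: domain under DMARC relaxed or strict alignment. The zone name, From: domain and the `org_domain` shortcut (last two labels rather than the Public Suffix List) are assumptions of this example.

```python
import re

# Constructed sample input for this example.  The first two entries mirror the
# DKIM-Signature and X-Google-DKIM-Signature headers posted above (b= trimmed);
# the third reproduces Google's fallback signing domain as the question describes
# it, with the redacted selector/id left as XXXXXXXX.
SAMPLE_HEADERS = [
    ("DKIM-Signature",
     "v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n\td=mail.ourdomain.org; s=mail;\r\n"
     "\th=mime-version:from:date:message-id:subject:to;\r\n"
     "\tbh=Wr7w3dtotvYQO/Q/74BBr61l0LbM/Z70VXQtzUDIE8k=;\r\n\tb=GJDcn+LO"),
    ("X-Google-DKIM-Signature",
     "v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n\td=1e100.net; s=20161025;\r\n"
     "\th=x-gm-message-state:mime-version:from:date:message-id:subject:to;\r\n"
     "\tbh=Wr7w3dtotvYQO/Q/74BBr61l0LbM/Z70VXQtzUDIE8k=;\r\n\tb=AiykOf6f"),
    ("DKIM-Signature",
     "v=1; a=rsa-sha256; c=relaxed/relaxed; "
     "d=mail-ourdomain-org.XXXXXXXX.gappssmtp.com; s=XXXXXXXX; "
     "h=from:to:subject; bh=...; b=..."),
]


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 s.3.2); folding whitespace is dropped."""
    tags = {}
    for field in value.split(";"):
        if "=" not in field:
            continue
        name, _, val = field.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_record_name(signing_domain: str, selector: str) -> str:
    """DNS name a verifier queries for the public key (TXT record)."""
    return f"{selector}._domainkey.{signing_domain}"


def zone_relative_name(fqdn: str, zone: str):
    """Name as a registrar zone editor expects it, relative to the zone you own.
    Returns None if the record is outside that zone: you cannot publish it there."""
    fqdn, zone = fqdn.rstrip(".").lower(), zone.rstrip(".").lower()
    if fqdn == zone:
        return "@"
    if fqdn.endswith("." + zone):
        return fqdn[: -len(zone) - 1]
    return None


def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels.  Real DMARC checkers
    use the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    return ".".join(domain.rstrip(".").lower().split(".")[-2:])


def dkim_aligned(signing_domain: str, from_domain: str, adkim: str = "r") -> bool:
    """DMARC DKIM identifier alignment: strict (s) needs an exact match,
    relaxed (r, the default) needs the same organizational domain."""
    s, f = signing_domain.lower(), from_domain.lower()
    return s == f if adkim == "s" else org_domain(s) == org_domain(f)


def assess(headers, from_domain: str, zone: str, adkim: str = "r") -> list:
    """For every signature header, report where its key lives and whether it
    can contribute to a DMARC pass for from_domain."""
    results = []
    for name, value in headers:
        t = parse_tags(value)
        record = dkim_record_name(t["d"], t["s"])
        results.append({
            "header": name,
            "d": t["d"],
            "s": t["s"],
            "dns_record": record,
            "publishable_in_zone": zone_relative_name(record, zone),
            # Only real DKIM-Signature headers are evaluated by DMARC; the
            # X-Google- one is a Google-internal header, as Solution 2 says.
            "is_dkim": name.lower() == "dkim-signature",
            "aligned": dkim_aligned(t["d"], from_domain, adkim),
        })
    return results


def dmarc_dkim_pass(results) -> bool:
    """DMARC needs just one aligned, valid DKIM signature; extra signatures
    from other domains neither help nor hurt."""
    return any(r["is_dkim"] and r["aligned"] for r in results)


if __name__ == "__main__":
    rows = assess(SAMPLE_HEADERS, "ourdomain.org", "ourdomain.org")
    for r in rows:
        print(f"{r['header']:24} query {r['dns_record']}")
        print(f"{'':24} name in ourdomain.org zone: {r['publishable_in_zone']}"
              f"  aligned={r['aligned']}  counts for DMARC={r['is_dkim']}")
    print("DMARC DKIM result:", "pass" if dmarc_dkim_pass(rows) else "fail")
```

Running it shows that only `mail._domainkey.mail.ourdomain.org` (entered at domain.com as `mail._domainkey.mail`) is both inside the zone the poster can edit and aligned with ourdomain.org; the 1e100.net and gappssmtp.com keys are published in Google-controlled zones, so there is nothing to add for them in ourdomain.org's DNS, and the gappssmtp.com signature cannot satisfy DMARC alignment for ourdomain.org on its own.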