The Messaging Gateway (SMG) Message Audit Logs show the following status in the DKIM results validation tab:

temperror (key unavailable)

Messaging Gateway is unable to retrieve the recipient DKIM records in the DNS. This may be due to one or more of the following:

• The records do not exist in the DNS
• The configured DNS servers in Administration > Configuration > host > DNS / Time are either inaccessible or not responding as expected
• Messaging Gateway has been configured to use one or more public, rate limited DNS servers
• DNS servers are responding slowly to queries

Confirm that the DNS servers configured in Administration > Configuration > host > DNS / Time are responding as expected

1. Log into the Messaging Gateway command line as admin
2. Query the configured nameserver directly for a known good domain with the correct selector by appending the nameserver IP to the nslookup command. For example:

   nslookup -type=txt selector._domainkey.example.com 10.0.0.0

3. Repeat this for each nameserver configured in Administration > Configuration > host > DNS / Time to ensure that all nameservers are responsive

Confirm that the expected records are in the DNS

1. Log into the Messaging Gateway command line as admin
2. Query the DNS for the MX and A records for the destination domain:

   nslookup -type=txt selector._domainkey.example.com

3. A NXDOMAIN response means that the expected DKIM record does not exist in the DNS

   nslookup -type=mx example.com
   Server:         127.0.0.1
   Address:        127.0.0.1#53
   
   ** server can't find selector._domainkey.example.com: NXDOMAIN

Ensure that SMG is not configured to use public, rate limited DNS servers

• Using public DNS servers for Messaging Gateway

Disable unnecessary services on SMG that generate a high volume of DNS queries, such as URL reputation and reverse DNS lookups.