DKIM fails with SES receiving

DKIM (DomainKeys Identified Mail) is an email authentication method that allows the receiver to check if email headers and content have been altered. When SES is receiving your emails, it will verify DKIM by checking the DKIM-Signature headers and comparing them with the public key stored in your DNS records.

Here are a few possible reasons why the DKIM check might be failing:

• DNS Propagation: It can take up to 48 hours for the DNS changes to propagate fully. If you've recently enabled DKIM and added the TXT records to your DNS, you might need to wait a bit longer.

• Incorrect DKIM Record: You should double-check the DKIM record. The selector, domain, and public key must match exactly what is in the Google workspace DKIM settings.

• Multiple DKIM Records: If there are multiple DKIM records for your domain, it could be causing issues. Make sure there are no old or incorrect DKIM records in your DNS.

• Message Alteration: If the message content or headers are altered after being signed, the DKIM check will fail. Make sure there are no systems or services modifying the message after it's signed.

• DKIM Alignment: DKIM alignment requires the d= domain in the DKIM-Signature header to match the From: domain. If these don't match, it could cause a DKIM alignment failure.

You can use online tools to check your DKIM records and make sure they are set up correctly.

Also, you can use the "Show original" option in Gmail (or similar options in other email clients) to see the original email headers and content. This can help you understand why the DKIM check is failing.

DKIM passed when sending a blank email from a mail service other than gmail.
So, I presume that DKIM authentication will probably fail because the gmail browser version client edits the body when the email is empty.