Somewhat shockingly, email remains central to the daily lives of nearly every user of the modern internet. This ancient protocol, largely unchanged from the 90s, is so susceptible to scammery and spammery that large email providers remain in a virtual arms race with shadowy super coders running vast botnets and bored "script kiddies" to keep our inboxes managable.
Sender Policy Frameworks (SPF) and DomainKey Identified Mail (DKIM) are two mechanisms we've created to help with this effort. The former helps prevent spammers from sending messages that appear to come from one address (eg, email@example.com) when they actually come from another (eg, firstname.lastname@example.org), and the latter is a way of digitally signing email to prove the message was sent and authorized by the owner of a domain.
A friend recently asked if I could look into a very strange issue with her email. She has a custom domain with a "Google Workspace" so her email looks custom but is in fact managed by Google. Strangely, emails she sent to Apple's iCloud email users would get bounced back by Apple's mailservers as spam. A quick peek at the Google Workspace configuration appeared to confirm that it was configured properly - MX, SPF, and DKIM records set automatically by Google's integrated domain name registration and configuration systems and looking like exactly what I'd expect.
Digging deeper, however, I found that something on Google's end had gone wrong, and the DKIM record was not in fact set in the DNS records. It wasn't clear how to reset this process, so I took a shot in the dark and tried adding the same record Google claimed to have set manually. After a dramatic 12 hours in which it seemed like my attempt had failed, DNS propagation finally worked its magic and my friend was able to email her long-lost friends in the Appleverse.
This ordeal was a great reminder that the work to make new technology scam-resistent is never-ending - a constant race to stay ahead of those who would do us harm online. Hopefully this post helps some future searcher struggling to understand this very strange bug. To that searcher - good luck!