
feat(googleworkspace): add gmail_dkim_enabled_all_domains security check #11381

Closed
puchy22 wants to merge 2 commits into master from feat/gmail-dkim-enabled-all-domains

feat(googleworkspace): add gmail_dkim_enabled_all_domains security check#11381
puchy22 wants to merge 2 commits into
masterfrom
feat/gmail-dkim-enabled-all-domains

Conversation


@puchy22 puchy22 commented May 28, 2026

Context

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email headers, allowing receiving servers to verify that messages genuinely originate from the domain and were not altered in transit. Without DKIM, attackers can more easily spoof the organization's domains, increasing the risk of phishing, business email compromise, and reduced mail deliverability. Many receiving mail servers require DKIM to trust inbound messages, so missing DKIM records can also cause legitimate emails to be flagged or rejected.

Description

This check evaluates whether every mail-enabled domain in the Google Workspace tenant has DKIM signing enabled and authentication started. Because no public Admin SDK/API endpoint exposes the Gmail DKIM authentication status, the check returns a MANUAL status directing the administrator to verify DKIM configuration in the Admin Console (Apps > Google Workspace > Gmail > Authenticate email) and confirm via DNS TXT record lookup (e.g., dig TXT google._domainkey.<domain>). The recommended remediation is to generate and activate a 2048-bit DKIM signing key for each mail-enabled domain and publish the corresponding DNS TXT record.

Steps to review

  1. Review the check implementation at prowler/providers/googleworkspace/services/gmail/gmail_dkim_enabled_all_domains/
  2. Review the metadata file for correct severity, remediation, and compliance mappings
  3. Review compliance framework mappings in prowler/compliance/googleworkspace/ to ensure the check is correctly mapped to relevant requirements
  4. Run the check tests: poetry run pytest tests/providers/googleworkspace/services/gmail/gmail_dkim_enabled_all_domains/ -v
  5. Run the check against a real environment (if possible):
    prowler googleworkspace --check gmail_dkim_enabled_all_domains

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? Please review this carefully.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
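Since the check itself returns MANUAL, the DNS-side confirmation the description points to (dig TXT google._domainkey.<domain>) is what an administrator still has to do by hand; the following is an added example, not Prowler's code, that automates that step: it evaluates each domain's google._domainkey TXT record for presence, a revoked (empty) p= tag, and RSA modulus size against the 2048-bit recommendation. The DNS answers are constructed inline (the moduli are arbitrary 2048-/1024-bit odd numbers, not real keys); in practice `txt_records` would come from a resolver, and the `_der`/`constructed_spki` helpers exist only to build those samples.

```python
import base64

# Minimal DER encoder, used only to build the constructed sample keys below.
def _der(tag, body):
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def _der_int(v):  # INTEGER with a leading 0x00 when the high bit is set
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
def constructed_spki(modulus, exponent=65537):  # SubjectPublicKeyInfo for an RSA key
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return _der(0x30, alg + _der(0x03, b"\x00" + pub))

# Minimal DER reader: enough to walk SubjectPublicKeyInfo down to the RSA modulus.
def _der_read(buf, pos=0):  # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def rsa_modulus_bits(spki_der):
    _, spki, _ = _der_read(spki_der)     # outer SEQUENCE
    _, _, pos = _der_read(spki)          # skip AlgorithmIdentifier
    _, bits, _ = _der_read(spki, pos)    # BIT STRING; first byte = unused-bit count
    _, rsapub, _ = _der_read(bits[1:])   # RSAPublicKey SEQUENCE
    _, n, _ = _der_read(rsapub)          # INTEGER modulus
    return int.from_bytes(n, "big").bit_length()

def parse_dkim_tags(txt):  # "v=DKIM1; k=rsa; p=..." -> {"v": ..., "k": ..., "p": ...}
    pairs = (p.partition("=") for p in txt.split(";"))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def evaluate_domain(domain, txt_records, min_bits=2048):  # -> (status, detail)
    if not txt_records:
        return "FAIL", f"{domain}: no TXT record at google._domainkey.{domain}"
    tags = parse_dkim_tags("".join(txt_records))  # DNS splits TXT strings >255 chars
    key_b64 = "".join(tags.get("p", "").split())  # p= may contain folding whitespace
    if not key_b64:
        return "FAIL", f"{domain}: DKIM key revoked (empty p= tag)"
    bits = rsa_modulus_bits(base64.b64decode(key_b64))
    if bits < min_bits:
        return "FAIL", f"{domain}: DKIM key is {bits}-bit, expected >= {min_bits}"
    return "PASS", f"{domain}: DKIM enabled with a {bits}-bit RSA key"

def _record(bits):  # constructed record; the modulus is an arbitrary odd number, not a real key
    key = base64.b64encode(constructed_spki((1 << (bits - 1)) | 0x10001)).decode()
    return f"v=DKIM1; k=rsa; p={key}"
SAMPLE_DNS = {"example.com": [_record(2048)], "legacy.example.com": [_record(1024)],
              "revoked.example.com": ["v=DKIM1; k=rsa; p="], "nodkim.example.com": []}
def run_check(dns=SAMPLE_DNS):  # one finding per mail-enabled domain
    return {d: evaluate_domain(d, r) for d, r in dns.items()}
```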

puchy22 added 2 commits May 28, 2026 11:24
Add new security check gmail_dkim_enabled_all_domains for googleworkspace provider.
Includes check implementation, metadata, and unit tests.
@github-actions github-actions Bot added compliance Issues/PRs related with the Compliance Frameworks metadata-review provider/googleworkspace Issues/PRs related with the Google Workspace provider labels May 28, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.


✅ All necessary CHANGELOG.md files have been updated.


Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks already mapped in this PR

  • gmail_dkim_enabled_all_domains (googleworkspace): cis_1.3_googleworkspace, cisa_scuba_0.6_googleworkspace

Use the no-compliance-check label to skip this check.

codecov Bot commented May 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.34%. Comparing base (329dfdf) to head (dbab48e).
⚠️ Report is 18 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #11381      +/-   ##
==========================================
+ Coverage   93.96%   96.34%   +2.38%     
==========================================
  Files         237       94     -143     
  Lines       34901     2542   -32359     
==========================================
- Hits        32793     2449   -30344     
+ Misses       2108       93    -2015     
Flag Coverage Δ
api ?
prowler-py3.10-googleworkspace 96.34% <100.00%> (?)
prowler-py3.11-googleworkspace 96.34% <100.00%> (?)
prowler-py3.12-googleworkspace 96.34% <100.00%> (?)


Components Coverage Δ
prowler 96.34% <98.77%> (∅)
api ∅ <ø> (∅)


🔒 Container Security Scan

Image: prowler:6d0c8af
Last scan: 2026-05-28 09:31:10 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 13
Total 13

8 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


@puchy22 puchy22 closed this May 28, 2026