Hi @Susan Dodds
Do you have an Exchange hybrid deployment and all outbound emails are routed through Exchange Online to internet?
I have owa.contoso.com as my email domain and is my custom domain in the microsoft portal. I do not have just contoso.com as a domain on my admin portal.
According to the NDR message from Google, your email domain is contoso.com.
Have you enabled DKIM for contoso.com following this link?
Use DKIM to validate outbound email sent from your custom domain
Do you have your on-premises Exchange server's ip address in the SPF record?
Set up SPF to help prevent spoofing
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.