DKIM Errors: Troubleshooting Permerror and Temperror
Fix common DKIM errors including permerror, temperror, body hash verification failures, and signature validation problems with step-by-step troubleshooting.
DKIM errors in email headers can be cryptic. Whether you're seeing "DKIM permerror," "body hash did not verify," or "signature verification failed," this guide explains what each error means and how to fix it.
Understanding DKIM Results
When receivers check DKIM, they get one of these results:
| Result | Meaning | Severity |
|---|---|---|
| pass | Signature valid, key verified | None—working correctly |
| fail | Signature invalid or verification failed | High—needs fixing |
| permerror | Permanent configuration error | High—needs fixing |
| temperror | Temporary error (DNS timeout) | Medium—may self-resolve |
| neutral | DKIM not applicable | Low |
| none | No DKIM signature present | Medium—should sign |
DKIM Permerror
A permerror indicates a permanent problem with your DKIM configuration.
Common Causes
1. Key not found in DNS
dkim=permerror (no key for signature)
The selector in the DKIM signature doesn't exist in DNS.
Fix: Verify the DNS record exists at selector._domainkey.example.com
2. Invalid key format
dkim=permerror (key syntax error)
The DKIM public key in DNS has formatting issues.
Fix: Check for:
- Missing v=DKIM1 tag
- Corrupted p= value
- Extra characters or line breaks
3. Selector mismatch
dkim=permerror (selector not found)
The signature references a selector that doesn't match your DNS record.
Fix: Ensure the s= tag in signatures matches your DNS selector name.
Diagnosing Permerror
Find the selector from email headers
Look for s= in the DKIM-Signature header: s=selector1
Find the domain from email headers
Look for d= in the DKIM-Signature header: d=example.com
Query DNS for the key
dig +short TXT selector1._domainkey.example.com
Verify key syntax
Should start with v=DKIM1 and have a p= value.
DKIM Temperror
A temperror is a temporary failure, usually DNS-related.
Common Causes
1. DNS timeout
dkim=temperror (DNS lookup timed out)
The receiving server couldn't query your DNS in time.
Not directly fixable: it depends on network conditions between the receiving server and your DNS.
2. DNS server issues
dkim=temperror (DNS server error)
Your DNS provider had a temporary outage.
Fix: Monitor your DNS provider; consider using multiple DNS providers.
Reducing Temperrors
- Use reliable DNS hosting
- Set appropriate TTLs (not too low)
- Monitor DNS availability
- Consider DNS redundancy
Most temperrors resolve on retry. If they persist, investigate DNS infrastructure.
Body Hash Verification Failed
dkim=fail (body hash did not verify)
This error means the message body changed after DKIM signing.
Common Causes
1. Email content modified in transit
Intermediate servers adding:
- Footers or disclaimers
- Tracking pixels
- Security warnings
- Encoding changes
2. Line ending changes
Different systems use different line endings:
- Unix: LF (\n)
- Windows: CRLF (\r\n)
- Email standard: CRLF
3. Character encoding issues
Conversion between character sets can alter the body.
Fixes for Body Hash Failures
For email systems you control:
- Move disclaimer additions before DKIM signing
- Ensure DKIM signing is the last step before sending
- Check for content-altering security appliances
For forwarding issues:
- This is expected when forwarding modifies the message (for example, a mailing list adding a footer)
- The DKIM body hash will fail in that case
- DMARC should rely on SPF for forwarded mail
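An added example (not code from the original article) that shows why the fixes above matter: it implements the two RFC 6376 body canonicalizations, computes the bh= value a signer writes, and then reports whether a constructed original body still verifies after the kinds of in-transit changes listed above (trailing blank lines, trailing spaces, an appended footer, CRLF turned into bare LF).

```python
import base64
import hashlib
import re

def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """Body canonicalization from RFC 6376: 'simple' (3.4.3) or 'relaxed' (3.4.4)."""
    if method == "relaxed":
        # per line: drop trailing WSP, collapse runs of WSP to a single space
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    elif method != "simple":
        raise ValueError(f"unknown canonicalization {method!r}")
    while body.endswith(b"\r\n\r\n"):  # both methods ignore empty lines at the end of the body
        body = body[:-2]
    if body == b"\r\n":
        body = b""
    if body and not body.endswith(b"\r\n"):  # a body that lacks a final CRLF gets one
        body += b"\r\n"
    return body or (b"\r\n" if method == "simple" else b"")  # simple canonicalizes an empty body as CRLF

def body_hash(body: bytes, method: str = "relaxed") -> str:
    """What the signer writes into bh=: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, method)).digest()).decode()

def body_hash_verifies(bh_tag: str, received_body: bytes, method: str = "relaxed") -> bool:
    """The check a receiver performs; False is reported as 'body hash did not verify'."""
    return body_hash(received_body, method) == bh_tag

# Constructed sample message body as it left the signer (CRLF line endings, per RFC 5322).
SIGNED_BODY = b"Hello team,\r\n\r\nThe report is attached.\r\n"

# Constructed variants of that body as a receiver might see it after transit.
VARIANTS = {
    "extra blank lines at the end": SIGNED_BODY + b"\r\n\r\n",
    "trailing spaces on a line": SIGNED_BODY.replace(b"team,", b"team,   "),
    "disclaimer footer appended": SIGNED_BODY + b"--\r\nScanned by a gateway.\r\n",
    "CRLF converted to bare LF": SIGNED_BODY.replace(b"\r\n", b"\n"),
}

def diagnose(method: str = "relaxed") -> dict:
    """Map each variant to whether the original bh= still verifies under the given method."""
    bh = body_hash(SIGNED_BODY, method)
    return {label: body_hash_verifies(bh, body, method) for label, body in VARIANTS.items()}

if __name__ == "__main__":
    for method in ("simple", "relaxed"):
        print(f"{method}:")
        for label, ok in diagnose(method).items():
            print(f"  {label}: {'pass' if ok else 'body hash did not verify'}")
```

Only trailing blank lines survive both canonicalizations; relaxed additionally tolerates trailing spaces, while a footer or a line-ending change breaks the hash under either.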
Signature Verification Failed
dkim=fail (signature verification failed)
The cryptographic signature didn't match.
Common Causes
1. Public/private key mismatch
The private key used for signing doesn't match the public key in DNS.
Fix: Regenerate and republish the key pair.
2. Key was rotated
The old signature was made with a key that's been replaced.
Fix: Keep old keys in DNS during transition periods.
3. Headers modified
Headers listed in h= tag were changed after signing.
Fix: Identify which headers were modified and prevent changes.
Checking Key Match
Get the signing domain and selector from headers:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; ...
Query the public key:
dig +short TXT selector1._domainkey.example.com
Verify the key is valid and complete.
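An added example (not code from the original article) that automates the key check above and the permerror diagnosis earlier on: it parses the s= and d= tags out of a DKIM-Signature value to build the DNS name to query, re-joins the quoted strings dig prints for a long TXT record, and sanity-checks the record's tag syntax, v= and p= values. The record strings and the 32-byte Ed25519 value are constructed placeholders, not real keys; an RSA key's bit length is not checked, since that needs an ASN.1 parser.

```python
import base64
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 tag-list syntax) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = (s.strip() for s in part.partition("="))
        if not name and not sep:  # empty element, e.g. after a trailing ";"
            continue
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError(f"invalid tag-value syntax: {part.strip()!r}")  # the permerror case
        tags[name] = "".join(val.split())  # folding whitespace inside a value is not significant
    return tags

def key_query_name(dkim_signature):
    """The DNS name a verifier looks up for a DKIM-Signature value: <s=>._domainkey.<d=>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

def join_txt_strings(dig_output):
    """dig +short TXT prints a long record as several quoted strings; verifiers concatenate them."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', dig_output))

def check_dkim_record(txt):
    """Sanity-check a DKIM TXT record; returns a list of problems ([] means it looks OK)."""
    try:
        tags = parse_tags(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "v" not in tags:  # RFC 6376 only recommends v=, but the article treats it as required
        problems.append("missing v=DKIM1 tag")
    elif tags["v"] != "DKIM1":
        problems.append("v= must be DKIM1")
    if not tags.get("p"):  # absent, or p= with no value (a revoked key)
        return problems + ["missing or empty p= tag"]
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return problems + ["p= is not valid base64 (corrupted or stray characters)"]
    ktype = tags.get("k", "rsa")
    if ktype == "rsa" and key[:1] != b"\x30":  # DER SubjectPublicKeyInfo starts with a SEQUENCE tag
        problems.append("rsa p= is not a DER-encoded SubjectPublicKeyInfo")
    elif ktype == "ed25519" and len(key) != 32:
        problems.append(f"ed25519 p= must be 32 bytes, got {len(key)}")
    return problems

# Constructed sample record: 32 arbitrary bytes stand in for a real Ed25519 public key.
SAMPLE_RECORD = "v=DKIM1; k=ed25519; p=AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="
```

Feed `check_dkim_record` the output of `join_txt_strings(dig_output)` so a record split across quoted strings is not mistaken for a corrupted p= value.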
No DKIM Signature
dkim=none (no signature)
The email wasn't signed with DKIM at all.
Common Causes
- DKIM not enabled in your email service
- Signing disabled for certain message types
- Misconfiguration of signing rules
Fixes
For email services (Gmail, Outlook, etc.):
- Check account settings for DKIM
- Enable DKIM signing in admin console
For ESPs (SendGrid, Mailchimp, etc.):
- Complete domain authentication setup
- Verify DNS records are published
For self-hosted servers:
- Install and configure DKIM (OpenDKIM, etc.)
- Verify signing is enabled in config
- Check mail server logs for signing errors
Error-Specific Troubleshooting
"Key too small"
dkim=fail (key too small: 512 bits)
Your DKIM key is too weak.
Fix: Generate a new 2048-bit key and update DNS.
"Algorithm not supported"
dkim=fail (unsupported algorithm)
Using an old or unsupported signing algorithm.
Fix: Use rsa-sha256 (most compatible) or ed25519-sha256 (newer, RFC 8463).
"Signature expired"
dkim=fail (signature expired)
The DKIM signature has an expiration (x= tag) that passed.
Fix: Either extend expiration or remove the x= tag.
"Invalid tag"
dkim=permerror (invalid tag-value syntax)
The DKIM signature or DNS record has a syntax error.
Fix: Review the DKIM signature and DNS record for typos or formatting issues.
Debugging Checklist
| Issue | Check | Solution |
|---|---|---|
| Key not found | DNS record exists? | Publish DKIM key at selector._domainkey.domain |
| Key syntax error | Valid format? | Ensure v=DKIM1; k=rsa; p=... |
| Body hash fail | Content modified? | Sign after all modifications |
| Signature fail | Keys match? | Regenerate key pair |
| No signature | DKIM enabled? | Enable in email service |
Testing DKIM
After making changes:
Verify DNS record
Use dig or online tools to check the record is published.
Send test email
Send to yourself at Gmail, Yahoo, or another major provider.
Check headers
Look for dkim=pass in Authentication-Results.
Use DKIM validators
Online tools can verify signature and key matching.
DNS changes can take up to 48 hours to propagate. Test from multiple locations.
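An added example (not code from the original article) of the "Check headers" step done in bulk: it pulls the dkim= clause, its parenthesized reason and the header.d/header.s properties out of Authentication-Results header values, rates each result with the severity table at the top of this article, and lists what needs action. The header values are constructed samples with placeholder domains.

```python
import re
from collections import Counter

# Severity per DKIM result, as given in the table at the top of this article.
SEVERITY = {"pass": "none", "fail": "high", "permerror": "high",
            "temperror": "medium", "neutral": "low", "none": "medium"}

# One dkim= clause of an Authentication-Results header (RFC 8601):
# method=result, an optional (comment), then ptype.property=value pairs.
DKIM_CLAUSE = re.compile(
    r"dkim\s*=\s*(?P<result>[A-Za-z]+)"
    r"(?:\s*\((?P<comment>[^)]*)\))?"
    r"(?P<props>(?:\s+[A-Za-z]+\.[A-Za-z]+=\S+)*)")

def parse_dkim_results(auth_results):
    """Extract every dkim= clause from one Authentication-Results header value."""
    found = []
    for clause in auth_results.split(";")[1:]:  # element 0 is the authserv-id
        m = DKIM_CLAUSE.match(clause.strip())
        if not m:
            continue  # spf=, dmarc= and other methods are not of interest here
        props = dict(p.split("=", 1) for p in m.group("props").split())
        result = m.group("result").lower()
        found.append({
            "result": result,
            "comment": (m.group("comment") or "").strip(),
            "domain": props.get("header.d", ""),
            "selector": props.get("header.s", ""),
            "severity": SEVERITY.get(result, "unknown"),
        })
    return found

def triage(header_values):
    """Count results over many headers and list those a sender needs to act on."""
    counts, action = Counter(), []
    for value in header_values:
        for r in parse_dkim_results(value):
            counts[r["result"]] += 1
            if r["severity"] in ("high", "medium"):
                action.append(f"{r['result']} ({r['comment'] or 'no detail'}) d={r['domain']} s={r['selector']}")
    return counts, action

# Constructed sample header values; the authserv-id and domains are placeholders.
SAMPLE_HEADERS = [
    "mx.example.net; dkim=pass header.d=example.com header.s=selector1 header.b=AbCd12; spf=pass smtp.mailfrom=example.com",
    "mx.example.net; dkim=permerror (no key for signature) header.d=example.com header.s=selector2; spf=pass",
    "mx.example.net; dkim=temperror (DNS lookup timed out) header.d=example.com header.s=selector1",
    "mx.example.net; dkim=fail (body hash did not verify) header.d=example.com header.s=selector1; dmarc=fail",
    "mx.example.net; dkim=none (message not signed)",
]
```

Running `triage(SAMPLE_HEADERS)` over headers collected from your own test mailboxes separates a one-off temperror from a selector that consistently returns permerror.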
DKIM errors are often configuration issues that are straightforward to fix once identified. Work through the checklist systematically—most issues come down to DNS records, key matching, or content modification.