DKIM Fail: Troubleshooting DKIM Authentication Errors

Your emails are failing DKIM checks. Learn what causes DKIM failures, from missing records to signature verification errors, and how to fix them.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails, letting recipients verify the message wasn't altered in transit. When DKIM fails, it means the signature couldn't be verified — either because the signature is invalid, the public key can't be found, or the message was modified after signing.

DKIM Failure Types

When a mail server checks DKIM, it returns one of these results:

| Result | Meaning |
|---|---|
| `pass` | Signature verified successfully |
| `fail` | Signature present but verification failed |
| `none` | No DKIM signature in the message |
| `neutral` | Signature present, public key missing or unusable |
| `permerror` | Permanent error (syntax, key problems) |
| `temperror` | Temporary DNS error |

Common DKIM Failure Causes

1. No DKIM Record Published

The sending service signs emails, but you haven't added the public key to DNS.

How to check: Use DKIM Test with your domain and selector.

Fix:

  1. Get the DKIM DNS record from your email service
  2. Add it to your domain's DNS
  3. Verify it's published correctly

2. Wrong Selector

DKIM uses selectors to find the right public key. If the selector in the signature doesn't match your DNS record, verification fails.

DKIM-Signature: s=google; d=company.com; ...

This looks for the key at: google._domainkey.company.com

Common selectors:

  • Google Workspace: google
  • Microsoft 365: selector1, selector2
  • SendGrid: s1, s2
  • Mailchimp: k1

Fix: Verify the selector matches between your email service settings and DNS record.

3. Key Mismatch

The public key in DNS doesn't match the private key used to sign. This happens when:

  • Keys were rotated but DNS wasn't updated
  • Wrong key was copied to DNS
  • Keys were regenerated without updating both sides

Fix: Regenerate DKIM keys in your email service and update DNS with the new public key.

4. Message Modified in Transit

DKIM signs specific parts of the email. If those parts change after signing, verification fails:

  • Content filters adding headers or footers
  • Mailing lists modifying the message body
  • Forwarding services altering headers
  • Anti-virus scanners modifying content

Common culprits:

  • Corporate email gateways
  • Mailing list software
  • Auto-forwarders

Fix: This often can't be "fixed" — it's inherent to how these services work. Rely on ARC (Authenticated Received Chain) for forwarding chains.

5. DNS Propagation Issues

After adding or updating DKIM records, DNS changes take time to propagate. During this window, some servers won't find the new key.

Fix: Wait 24-48 hours for full propagation. Lower TTL values before making changes if possible.

6. DKIM Record Syntax Errors

Invalid characters, formatting errors, or truncated records cause permerror:

# Broken (truncated or malformed)
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

# Correct (complete key)
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsR8rRwZ...complete...key==

Common issues:

  • Public key truncated when copying
  • Extra whitespace or line breaks
  • Missing or incorrect tags

7. DKIM Key Too Short

Older 512-bit keys are considered insecure. Some receivers reject them:

Authentication-Results: dkim=policy (weak key)

Fix: Regenerate with 2048-bit keys (recommended minimum).
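The two checks above (record syntax in cause 6 and key size in cause 7) are mechanical enough to script. The following is an added example, not code from this page or from any DKIM library: it parses a DKIM TXT record the way a verifier does, base64-decodes the `p=` tag, walks the DER `SubjectPublicKeyInfo` far enough to read the RSA modulus, and reports `permerror` for a truncated or malformed record and a weak-key result for anything under the 1024-bit floor that RFC 8301 sets for verifiers. The sample records are built from synthetic moduli (plain integers of the right bit length, not real keys); `build_rsa_spki`, `check_dkim_record` and the other function names are this example's own.

```python
import base64

# Minimal DER helpers: enough to build and read an RSA SubjectPublicKeyInfo,
# which is what the p= tag of a DKIM record carries (base64-encoded).
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # id rsaEncryption
MIN_RSA_BITS = 1024                                 # RFC 8301 verifier floor

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                    # leading 0x00 keeps the INTEGER positive
        b = b"\x00" + b
    return der_tlv(0x02, b)

def build_rsa_spki(n: int, e: int = 65537) -> bytes:
    """Encode (n, e) as SubjectPublicKeyInfo. n is a synthetic modulus here."""
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))
    alg = der_tlv(0x30, RSA_OID + b"\x05\x00")
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))

def der_read(buf: bytes, pos: int = 0):
    """Read one TLV at pos; raise ValueError if the buffer is cut short."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: next bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER structure")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    _, body, _ = der_read(spki)              # SubjectPublicKeyInfo
    _, _, pos = der_read(body)               # AlgorithmIdentifier (skipped)
    tag, bitstr, _ = der_read(body, pos)     # BIT STRING holding RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = der_read(bitstr[1:])     # skip the unused-bits byte
    _, n_bytes, _ = der_read(rsa_pub)        # modulus INTEGER
    return int.from_bytes(n_bytes, "big").bit_length()

def parse_dkim_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, as a verifier would."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip()] = v.strip()
    return tags

def check_dkim_record(txt: str):
    """Return (status, reason) mirroring the verifier outcomes listed above."""
    try:
        tags = parse_dkim_record(txt)
    except ValueError as exc:
        return "permerror", str(exc)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "permerror", "v= must be DKIM1"
    if "p" not in tags:
        return "permerror", "missing p= tag"
    if tags["p"] == "":
        return "permerror", "empty p= means the key was revoked"
    if tags.get("k", "rsa") != "rsa":
        return "pass", f"{tags['k']} key not inspected by this example"
    # Whitespace inside p= is legal and common after copy/paste; strip it first.
    try:
        spki = base64.b64decode("".join(tags["p"].split()), validate=True)
        bits = rsa_modulus_bits(spki)
    except (ValueError, IndexError) as exc:   # bad base64 or cut-off DER
        return "permerror", f"p= is not a usable key ({exc})"
    if bits < MIN_RSA_BITS:
        return "policy", f"weak key: {bits}-bit RSA"
    return "pass", f"{bits}-bit RSA key"

# Constructed records: the moduli are synthetic numbers, not real keys.
GOOD_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(build_rsa_spki((1 << 2047) | 1)).decode()
WEAK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(build_rsa_spki((1 << 511) | 1)).decode()

if __name__ == "__main__":
    for label, rec in [("2048-bit", GOOD_RECORD), ("512-bit", WEAK_RECORD),
                       ("truncated", GOOD_RECORD[:-37]), ("no p=", "v=DKIM1; k=rsa")]:
        print(label, check_dkim_record(rec))
```

Run it against the value you pasted into DNS before you save the record: a truncated paste fails the base64 or DER check (the `permerror` case), and a 512-bit key is reported as weak rather than passing, which is what a receiver applying the RFC 8301 floor will do.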

8. CNAME vs TXT Record Issues

Some email services use CNAME records to point to their DKIM key. If you add it as TXT instead (or vice versa), it won't work.

Example (SendGrid uses CNAME):

s1._domainkey.company.com CNAME s1.domainkey.u12345.wl.sendgrid.net

Fix: Use the exact record type specified by your email service.

Diagnosing DKIM Failures

Check Email Headers

Failed emails show DKIM results in headers:

Authentication-Results: mx.google.com;
       dkim=fail (signature verification failed)
       header.i=@company.com header.s=selector1

Key information:

  • dkim=fail — verification failed
  • header.s=selector1 — the selector used
  • header.i=@company.com — signing domain

Test Your DKIM Setup

Use DKIM Test to check:

  • Record exists at the right location
  • Public key is valid
  • No syntax errors

Verify Selector and Domain Match

The signature's d= and s= values must match your DNS record location:

  • Signature: d=company.com; s=google
  • DNS record must be at: google._domainkey.company.com
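The header fields in "Check Email Headers" and the d=/s= match described just above can be read by a small parser. The following is an added example, not code from this page or from any mail library: it unfolds an `Authentication-Results` header, pulls out the `dkim=` verdict with its `header.s` and `header.i`/`header.d` properties, reads `d=` and `s=` from a `DKIM-Signature` header, and derives the `selector._domainkey.domain` name the verifier queried so you can compare it with the record you published. The two sample headers are constructed (modelled on the ones quoted on this page) and the function names are this example's own.

```python
import re

def unfold(value: str) -> str:
    """Join RFC 5322 folded lines (newline followed by whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()

def parse_authentication_results(value: str):
    """Return (authserv-id, [{"method", "result", "reason", "props"}, ...])."""
    stanzas = [s.strip() for s in unfold(value).split(";")]
    authserv_id = stanzas[0].split()[0]
    results = []
    for stanza in stanzas[1:]:
        # method=result (optional reason) prop.name=value ...
        m = re.match(r"(\w+)=(\w+)(?:\s*\(([^)]*)\))?(.*)", stanza)
        if not m:
            continue                      # e.g. an empty trailing stanza
        method, result, reason, rest = m.groups()
        props = dict(re.findall(r"(\w+\.\w+)=(\S+)", rest))
        results.append({"method": method, "result": result,
                        "reason": reason, "props": props})
    return authserv_id, results

def parse_dkim_signature(value: str) -> dict:
    """Split DKIM-Signature tag=value pairs; whitespace inside a value is folding, drop it."""
    tags = {}
    for part in unfold(value).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags

def dkim_key_name(selector: str, domain: str) -> str:
    """DNS name a verifier queries for the public key."""
    return f"{selector}._domainkey.{domain}"

def expected_key_location(dkim_signature_value: str) -> str:
    """Where the signature's own s= and d= tags send the verifier."""
    tags = parse_dkim_signature(dkim_signature_value)
    return dkim_key_name(tags["s"], tags["d"])

def key_locations_match(dkim_signature_value: str, published_record_name: str) -> bool:
    """True when the signature points at the record you actually published (cause 2 above)."""
    return expected_key_location(dkim_signature_value) == published_record_name

def dkim_summary(ar_value: str) -> dict:
    """Pull the DKIM verdict, selector, domain and key record out of Authentication-Results."""
    _, results = parse_authentication_results(ar_value)
    for r in results:
        if r["method"] != "dkim":
            continue
        props = r["props"]
        # header.d is the signing domain; older receivers only emit header.i (an address).
        domain = props.get("header.d") or props.get("header.i", "").rpartition("@")[2]
        selector = props.get("header.s")
        return {"result": r["result"], "reason": r["reason"], "selector": selector,
                "domain": domain,
                "key_record": dkim_key_name(selector, domain) if selector and domain else None}
    return {"result": "none", "reason": "no dkim stanza", "selector": None,
            "domain": None, "key_record": None}

# Constructed sample headers, modelled on the ones quoted on this page.
AR_HEADER = ("mx.google.com;\r\n"
             "       dkim=fail (signature verification failed)\r\n"
             "       header.i=@company.com header.s=selector1")
SIG_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; s=google; d=company.com;\r\n"
              "       h=from:to:subject:date; bh=BODYHASH_PLACEHOLDER; b=SIGNATURE_PLACEHOLDER")

if __name__ == "__main__":
    print(dkim_summary(AR_HEADER))
    print("signature points at:", expected_key_location(SIG_HEADER))
    print("published at google._domainkey.company.com:",
          key_locations_match(SIG_HEADER, "google._domainkey.company.com"))
```

Paste the raw header values from a failing message in place of the constructed ones: if `dkim_summary` reports one key record and `expected_key_location` on the `DKIM-Signature` reports another, the receiver and the signer disagree on the selector, which is cause 2 above.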

Fixing DKIM Failures

Step 1: Identify the Signing Service

Which service sends emails that are failing DKIM?

  • Your corporate email (Google, Microsoft)
  • A marketing platform (Mailchimp, HubSpot)
  • A transactional email service (SendGrid, Postmark)

Step 2: Get the DKIM Configuration

In your email service's dashboard:

  1. Find DKIM settings
  2. Generate or locate existing keys
  3. Copy the required DNS record(s)

Step 3: Add DNS Records

Add the record exactly as provided:

  • Use the correct record type (TXT or CNAME)
  • Include the complete public key
  • Use the exact selector specified

Step 4: Enable DKIM Signing

Some services require you to explicitly enable DKIM:

  • Toggle DKIM signing on
  • Verify the domain in the service's dashboard
  • Wait for verification to complete

Step 5: Test

Send a test email and check:

  • Headers show dkim=pass
  • The correct selector was used
  • The signature domain matches your From domain

DKIM and Multiple Senders

Each service needs its own DKIM setup:

| Service | Selector | DNS Record |
|---|---|---|
| Google Workspace | `google` | `google._domainkey.company.com` |
| SendGrid | `s1` | `s1._domainkey.company.com` |
| Mailchimp | `k1` | `k1._domainkey.company.com` |

Multiple DKIM records don't conflict — each uses a different selector.

DKIM Key Rotation

DKIM keys should be rotated periodically:

  1. Generate new keypair in your email service
  2. Add new public key to DNS (new selector)
  3. Wait for DNS propagation (24-48 hours)
  4. Switch to new key for signing
  5. Remove old public key after transition period

Some services handle rotation automatically. Others require manual intervention.

Key rotation failures are a common source of DKIM problems. If your service rotates keys automatically, ensure the DNS update process is reliable.

DKIM Body Hash Errors

The error "DKIM body hash did not verify" means the message body changed after signing:

Authentication-Results: dkim=fail (body hash did not verify)

Causes:

  • Content filters modifying the message
  • Character encoding changes
  • Line ending conversions
  • Attachment processing

Solutions:

  • Check for content modification in your email pipeline
  • Configure filters to add to headers rather than modify body
  • Use the l= (body length) tag cautiously
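To see exactly which of the causes above break the body hash and which do not, the following added example (not code from this page or from any DKIM implementation) implements the two body canonicalizations from RFC 6376, computes the `bh=` value the signer puts in the header, and replays a verifier's check against three modified copies of a constructed message body: a gateway footer appended, trailing whitespace stripped by a filter, and CRLF converted to LF. It also shows what the `l=` tag changes. The message bodies and the `ExampleGateway` footer text are constructed; the function names are this example's own.

```python
import base64
import hashlib
import re
from typing import Optional

def _drop_trailing_empty_lines(body: bytes) -> bytes:
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body

def canon_body_simple(body: bytes) -> bytes:
    """'simple': only trailing empty lines are ignored; an empty body becomes one CRLF."""
    return _drop_trailing_empty_lines(body) + b"\r\n"

def canon_body_relaxed(body: bytes) -> bytes:
    """'relaxed': strip trailing WSP, squeeze WSP runs to one SP, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in body.split(b"\r\n")]
    body = _drop_trailing_empty_lines(b"\r\n".join(lines))
    return body + b"\r\n" if body else b""

def body_hash(body: bytes, canon: str = "relaxed", length: Optional[int] = None) -> str:
    """bh= value: base64(SHA-256) of the canonicalized body, or of its first l= bytes."""
    canon_fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    data = canon_fn(body)
    if length is not None:            # l= tag: only this many bytes are covered
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def body_hash_verifies(signed_bh: str, received_body: bytes, canon: str = "relaxed",
                       length: Optional[int] = None) -> bool:
    """What the verifier does: recompute bh= over the body it received and compare."""
    return body_hash(received_body, canon, length) == signed_bh

# Constructed message bodies (not real mail). ORIGINAL is what the signer hashed.
ORIGINAL = b"Hi team,\r\n\r\nThe report is attached.\r\n-- \r\nAlice\r\n"
FOOTER_APPENDED = ORIGINAL + b"\r\nScanned by ExampleGateway (constructed)\r\n"  # gateway disclaimer
TRAILING_SPACE_DROPPED = ORIGINAL.replace(b"-- \r\n", b"--\r\n")               # filter tidied whitespace
LF_CONVERTED = ORIGINAL.replace(b"\r\n", b"\n")                                   # CRLF -> LF in transit

if __name__ == "__main__":
    for canon in ("simple", "relaxed"):
        signed = body_hash(ORIGINAL, canon)
        for name, body in [("footer appended", FOOTER_APPENDED),
                           ("trailing space dropped", TRAILING_SPACE_DROPPED),
                           ("CRLF converted to LF", LF_CONVERTED)]:
            print(f"{canon:8} {name:24} verifies={body_hash_verifies(signed, body, canon)}")
    # With l= the hash covers only the signed prefix, so the appended footer still verifies,
    # and so would any other appended content: that is why the tag is used cautiously.
    l = len(canon_body_relaxed(ORIGINAL))
    signed_l = body_hash(ORIGINAL, "relaxed", l)
    print("l= set, footer appended:", body_hash_verifies(signed_l, FOOTER_APPENDED, "relaxed", l))
```

Under `relaxed` canonicalization the whitespace tidy-up survives but the footer and the line-ending conversion do not; under `simple` all three break the hash. That is the practical difference between `c=simple/simple` and `c=relaxed/relaxed` in the `DKIM-Signature` header, and it is why "configure filters to add headers rather than modify the body" is the fix that actually works.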
