How do you test or validate a DKIM signature?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Validating a DKIM signature means confirming that the cryptographic signature on your outgoing email actually checks out: the body wasn't altered in transit and the key in your DNS matches what your sending server signed with. Here's how to do it.

Easiest: read the Authentication-Results header

Send any email from your platform to a Gmail account you control. Open the original message source (three-dot menu in Gmail, "Show original"). Near the top you'll see an Authentication-Results line:

dkim=pass header.i=@yourdomain.com header.s=selector

dkim=pass means the signature validated. dkim=fail means the hash didn't match. dkim=none means no signature was found. Paste the full header into our email header analyzer if you'd rather skip the raw text.

What the signature itself contains

Every DKIM-signed email carries a DKIM-Signature header. Two fields matter for validation:

  • bh=: the hash of the email body, computed at send time. If the body changed in transit, this won't match when the receiver recomputes it.
  • b=: the signature over the selected headers plus the body hash, encrypted with your private key. The receiver decrypts it using your public key from DNS. If they match, the signature is valid.

Still you don't verify these manually. That's the receiver's job. But if you're seeing dkim=fail and the signature header is present, it usually means: wrong selector, a key mismatch, or a header or body modification somewhere in the mail path.

Checking the DNS side

From the command line:

dig TXT selector._domainkey.yourdomain.com +short

Replace "selector" with the one named in your DKIM-Signature header (s= field). You should see a record starting with v=DKIM1. Our DKIM checker does the same lookup without the terminal.

If DKIM passes Gmail but fails at another provider, check your canonicalization mode. Some mail paths reformat headers or add spaces, which breaks signatures set to simple mode. Relaxed mode handles this better. If you're stuck, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Diagnose My DKIM Signature

I just read the Email Almanac entry on testing DKIM signatures. Help me validate my specific DKIM setup and troubleshoot why it's passing or failing. Walk me through: 1. Sending a test and reading the Authentication-Results 2. What my dkim=fail means (key mismatch, missing record, or in-transit modification) 3. Whether my bh= and b= values suggest a signing or transit problem 4. What to check if it passes Gmail but fails at other providers --- My details (fill in what applies): - Sending domain: your domain - DKIM selector (from the DKIM-Signature header, s= field): selector name - Authentication-Results from a test email: paste dkim= result - Where it's failing: Gmail / Outlook / Yahoo / all / specific receiver - Whether the DKIM-Signature header is present at all: yes / no / unsure - Canonicalization mode (if you know): simple / relaxed / unsure

Edit the yellow boxes, then send to the AI of your choice.