How do I troubleshoot DKIM signature validation failures?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
DKIM failures can be frustrating because they don't always have an obvious cause. They show up in the Authentication-Results header of the received email, but that header only tells you it failed, not why. Here's how to work through the likely causes.
Start with the DNS record itself. Use our free DKIM record lookup to confirm the public key is published and the record is formatted correctly. Hidden characters, extra spaces, or line breaks introduced during copy-pasting are surprisingly common causes of DKIM failures. The record has to be a single continuous string.
Check the selector. Your DKIM signature specifies a selector (like s1._domainkey.yourdomain.com). If your sending system switched selectors during a key rotation and the old selector was removed before everything migrated, messages signed with the old selector will fail. Confirm you're signing with a selector that's still published in DNS.
Look for message modification. DKIM signs over specific headers and the message body. If a mailing list, forwarder, or security gateway modifies any signed part (adding footers, rewriting headers, changing the subject), the hash won't match and DKIM fails. This isn't your misconfiguration, it's the intermediary's modification. ARC exists partly to address this scenario.
Verify the key pair matches. If your private key changed (after a rotation, or if your ESP regenerated it) and the public key in DNS wasn't updated to match, signatures will fail everywhere. Generate a fresh DKIM signature with your current private key and check it validates against your published public key.
Check for multiple DKIM signatures. Some systems add their own DKIM signature on top of yours. Both signatures are valid, but if a relay modifies headers that only one signature covers, you can get a partial pass. Look at all DKIM-Signature headers in the raw email source to see what's signing what.
If you can't isolate the cause, our email header analyzer can parse raw headers and surface what the authentication results look like at each hop.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.