DKIM fail: Reasons, types, examples, and how to fix it


Ever sent an email and had it land in the spam folder (despite doing everything right)? It’s downright frustrating, and one of the culprits could be a DKIM fail.

DomainKeys Identified Mail (DKIM) is an essential part of email authentication: it lets receiving servers confirm that a message was signed by the sending domain and hasn’t been tampered with in transit. But when DKIM fails, it can hurt your email deliverability and weaken your security.

A DKIM fail (also seen as dkim=fail or “DKIM authentication failed” in email headers) means the cryptographic signature attached to an outgoing message either couldn’t be verified or wasn’t found at all. This breaks email trust with receiving servers and can hurt deliverability.

Below, we’ll dive into what a DKIM fail is, the different types of DKIM failures, why they happen, and real-world examples. And (most importantly), we’ll show you how to fix and prevent these issues to keep your emails landing safely in inboxes.

What is a DKIM fail?

A DKIM fail occurs when the receiving mail server cannot successfully verify a message’s DKIM signature. This happens when:

  1. The signature doesn’t match the public key in DNS
  2. No key can be found for the selector specified in the message
  3. The email content was modified after signing

The result in the email’s Authentication-Results header is dkim=fail. And depending on the sending domain’s DMARC policy, that can mean the message gets quarantined or rejected.

Types of DKIM fails

1. Signature mismatch

This occurs when the DKIM signature in the email header doesn’t match the public key published in the DNS record. This mismatch can be due to incorrect configuration or changes in the email content that invalidate the signature.

Impact: Emails may be flagged as spam or rejected outright by the recipient’s mail server.

2. Key not found

This happens when the public key required to validate the DKIM signature isn’t found in the DNS. It can occur if the DKIM selector used in the email doesn’t correspond to any key published in the DNS.

Impact: The email fails DKIM validation, potentially leading to deliverability issues.

3. Expired key

If the DKIM key has expired and hasn’t been updated, any email signed with that key will fail validation.

Impact: Emails will fail DKIM checks and may not reach the intended recipients.

4. DNS issues

Problems with DNS resolution (such as DNS propagation delays or misconfigurations) can lead to a situation where the DKIM key can’t be retrieved to validate the signature.

Impact: Temporary DKIM validation failures affect email deliverability until the DNS issues are resolved.

5. Incorrect configuration

Incorrectly configured DKIM settings (such as wrong key length or improperly formatted records) can cause validation to fail.

Impact: Persistent DKIM failures until the configuration is corrected.

If your DKIM is failing and you need more insights, use Valimail’s free DKIM checker to help troubleshoot.

6. Body hash did not verify

This is one of the most specific and commonly searched DKIM error messages: dkim=fail (body hash did not verify). It means the hash of the message body calculated at delivery doesn’t match the body hash (bh=) included in the DKIM-Signature header.

Something changed the message content between signing and delivery.

Common causes include SEGs (Secure Email Gateways) or anti-virus tools that append disclaimers or footers to outbound email after signing, email clients that modify content encoding in transit, and HTML email with inconsistent whitespace handling.

Check whether any system between the mail server and delivery is modifying message content after signing. The most common fix is switching DKIM canonicalization from simple/simple to relaxed/relaxed, which tolerates minor whitespace and header changes without breaking the signature. If a footer or disclaimer is being appended, configure it to be added before DKIM signing, not after.

Impact: The DKIM signature is cryptographically invalid. Even if the public key is found and valid, the message fails DKIM.
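To make the canonicalization point concrete, here is an added Python example (not code from this article or from Valimail) that implements the RFC 6376 simple and relaxed body canonicalization, computes the bh= value a signer would record, and re-verifies it against two constructed ways the same message might arrive: with re-wrapped whitespace, and with a footer appended after signing.

```python
import base64
import hashlib
import re

def canonicalize_body(body: bytes, mode: str) -> bytes:
    """Canonicalize a body per RFC 6376: section 3.4.3 (simple) or 3.4.4 (relaxed)."""
    # Real messages use CRLF; bare LF is normalised here so constructed samples behave.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of SP/TAB to one SP and drop trailing whitespace on each line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    elif mode != "simple":
        raise ValueError(f"unknown canonicalization: {mode}")
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"   # empty body: relaxed -> "", simple -> CRLF
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str) -> str:
    """The base64 bh= value a signer places in DKIM-Signature (sha256)."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()

def body_hash_verifies(signed_bh: str, received_body: bytes, mode: str) -> bool:
    """What the verifier does: recompute bh= over the body it received and compare."""
    return body_hash(received_body, mode) == signed_bh

# Constructed samples: the body as signed, then two ways it might arrive.
ORIGINAL = b"Hello team,\r\n\r\nThe report is attached.\r\n"
REWRAPPED = b"Hello   team,\r\n\r\nThe report is\tattached.   \r\n\r\n\r\n"   # whitespace churn
WITH_FOOTER = ORIGINAL + b"\r\n-- \r\nThis email is confidential.\r\n"     # appended disclaimer

def outcomes() -> dict:
    """For each canonicalization, does the signed bh= still verify after each change?"""
    results = {}
    for mode in ("simple", "relaxed"):
        bh = body_hash(ORIGINAL, mode)
        results[mode] = {
            "rewrapped": body_hash_verifies(bh, REWRAPPED, mode),
            "footer": body_hash_verifies(bh, WITH_FOOTER, mode),
        }
    return results

if __name__ == "__main__":
    print(outcomes())   # relaxed survives the whitespace churn; neither mode survives the footer
```

Relaxed canonicalization rescues only the whitespace case; an appended disclaimer changes the hashed content under both modes, which is why the footer has to be added before signing.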

7. No key for signature (dkim=fail no key for signature)

dkim=fail (no key for signature) means the receiving server looked up the DKIM public key using the selector and domain in the DKIM-Signature header and found nothing in DNS. The record doesn’t exist at that location.

Common causes include publishing the DKIM record under the wrong subdomain (forgetting ._domainkey or using the wrong selector name), DNS propagation delays after publishing a new record, and stale DKIM records that were removed without updating the email server’s signing configuration.

Verify that the selector in your email server’s DKIM configuration matches a published TXT record at [selector]._domainkey.[yourdomain.com]. Run a DNS lookup or use a DKIM checker to confirm the record exists and is reachable. If you recently updated selectors, allow time for DNS propagation before sending signed messages.

Impact: DKIM fails entirely. Without a public key to verify against, the signature cannot be checked.
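As an added example (not from this article or from Valimail), the Python below reproduces the lookup a verifier performs: it pulls s= and d= from a DKIM-Signature header, builds the selector._domainkey.domain name, and checks what a constructed zone publishes there, including a record mistakenly published without the ._domainkey label and a revoked key (empty p=). The key material and domain are placeholders.

```python
import base64
import re

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2), dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(dkim_signature: str) -> str:
    """The name a verifier queries for the public key: <s=>._domainkey.<d=>."""
    tags = parse_tags(dkim_signature)
    if "s" not in tags or "d" not in tags:
        raise ValueError("DKIM-Signature is missing the s= or d= tag")
    return f"{tags['s']}._domainkey.{tags['d']}"

def diagnose(dkim_signature: str, dns_txt: dict) -> str:
    """Explain why a verifier would report 'no key for signature', or return 'ok'."""
    name = key_record_name(dkim_signature)
    records = dns_txt.get(name)
    if not records:
        return f"no key for signature: nothing published at {name}"
    rec = parse_tags(records[0])
    if "p" not in rec:
        return f"record at {name} has no p= tag"
    if rec["p"] == "":
        return f"key at {name} is revoked (empty p=)"
    sig_alg = parse_tags(dkim_signature).get("a", "rsa-sha256").split("-")[0]
    if rec.get("k", "rsa") != sig_alg:
        return f"key type {rec.get('k', 'rsa')} at {name} does not match a={sig_alg}"
    try:
        base64.b64decode(rec["p"], validate=True)
    except ValueError:
        return f"p= at {name} is not valid base64"
    return "ok"

# Constructed sample: a signature header and the TXT records a zone might hold.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;\r\n"
             " h=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=dGVzdA==")
FAKE_KEY = base64.b64encode(b"PLACEHOLDER-NOT-A-REAL-KEY").decode()   # constructed, not a real key
ZONE = {
    "s1.example.com": [f"v=DKIM1; k=rsa; p={FAKE_KEY}"],             # ._domainkey label forgotten
    "s2._domainkey.example.com": [f"v=DKIM1; k=rsa; p={FAKE_KEY}"],  # published at the right name
    "old._domainkey.example.com": ["v=DKIM1; k=rsa; p="],            # revoked key
}
```

Calling `diagnose(SIGNATURE, ZONE)` reports no key for signature because the s1 record sits at `s1.example.com` rather than `s1._domainkey.example.com`; a real check would feed in the TXT answer from a DNS query instead of the constructed zone.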

Examples (and resolutions) of DKIM failures

The following real-world scenarios show how DKIM fails happen, why they happened, and how each was resolved:

Misconfigured DNS records

  • Scenario: A university updates its email system and generates a new DKIM key. However, they accidentally enter the wrong selector in the DNS record.
  • Result: All emails signed with the new DKIM key fail validation because the public key cannot be found using the incorrect selector.
  • Solution: The university needs to update the DNS record with the correct selector corresponding to the new DKIM key.

Email content modified by forwarding

  • Scenario: A marketing agency sends out a campaign email that passes DKIM validation. A recipient forwards the email through their email client, which appends a disclaimer to the email body.
  • Result: The forwarded email fails DKIM validation because the original content has been altered.
  • Solution: The agency should educate recipients about the potential issues with forwarding DKIM-signed emails or use a service that preserves the DKIM signature during forwarding.

Expired DKIM key

  • Scenario: A nonprofit organization forgets to update its DKIM key, which expires after a year.
  • Result: All outgoing emails signed with the expired key fail DKIM validation.
  • Solution: The organization needs to implement a key rotation schedule and update the DKIM key in the DNS before it expires.

DNS propagation delays

  • Scenario: A tech startup rolls out a new DKIM key but starts using it to sign emails immediately after updating the DNS records.
  • Result: During the DNS propagation period, some email providers cannot find the new public key, leading to DKIM failures.
  • Solution: The startup should wait for DNS propagation to complete before using the new DKIM key to sign emails.

Key length mismatch

  • Scenario: A large corporation upgrades its DKIM key from 1024 bits to 2048 bits but accidentally publishes the 1024-bit public key in the DNS.
  • Result: Emails signed with the 2048-bit private key fail DKIM validation because the published 1024-bit public key doesn’t correspond to the signing key.
  • Solution: The corporation needs to double-check that the correct 2048-bit public key is published in the DNS.

Inconsistent email header

  • Scenario: A financial institution configures its email server to add a security header to outgoing emails after they are signed with DKIM.
  • Result: The DKIM signature fails because the email headers are inconsistent with those present at the time of signing.
  • Solution: The institution must adjust its email server settings to add headers before DKIM signing or reconfigure the DKIM process to account for all headers.

Unauthorized sending source

  • Scenario: A school district notices that emails claiming to be from their domain are failing DKIM checks and ending up in spam folders.
  • Result: Investigation reveals that an unauthorized third-party service is sending emails using the school’s domain without proper DKIM signing.
  • Solution: The district must identify and shut down the unauthorized service, or ensure it is properly configured to sign with the school’s DKIM keys.

How to fix DKIM failures

Fixing and preventing DKIM failures requires a proactive approach and regular maintenance. Here are some practical steps to make it happen:

  1. Regularly Update DKIM Keys: Regularly update your DKIM keys to avoid expiration. Set reminders or use automated tools to manage key rotation. Keep track of the expiration dates for your DKIM keys and plan updates well in advance to prevent any lapses in authentication.
  2. Double-check DNS Configurations: Ensure your DNS records are correctly configured with the appropriate selectors and key lengths. Use DNS diagnostic tools to verify your settings and detect any misconfigurations. Check that the published public key corresponds to the private key used for signing and that key lengths adhere to recommended standards (typically 1024 or 2048 bits). Keys shorter than 1024 bits are considered a security risk and leave your domain vulnerable. That’s where Valimail’s DKIM Continuous Protection can come in to offer uninterrupted protection for your domain.
  3. Avoid Content Changes Post-Signing: Don’t modify the email content after signing it with DKIM. This includes avoiding changes by intermediate servers, email forwarding services, or security tools that alter the email body or headers.
  4. Allow Time for DNS Propagation: When updating DKIM keys, allow sufficient time for DNS propagation before using the new keys to sign emails. This wait allows the new public key to be accessible to all email providers. Use tools to monitor DNS propagation status and confirm that the new records are accessible globally.
  5. Conduct Regular Security Audits: Perform regular security audits of your email authentication setup to identify vulnerabilities and areas for improvement. This includes checking the configuration of DKIM, SPF, and DMARC records. Stay informed about the latest email security best practices and update your authentication protocols accordingly.

Say “goodbye” to DKIM fails with Valimail

DKIM fails can be a major headache, impacting your email deliverability and compromising your security. From misconfigured DNS records to expired keys, the challenges can go on and on.

However, understanding the causes of these failures and knowing how to address them can improve your email authentication process. And we can help.

With Valimail, you can say “goodbye” to DKIM fails for good. Our automated solutions simplify the setup and management of DKIM to guarantee your emails are properly authenticated every time, even after you reach DMARC enforcement.

Here’s how Valimail can help:

  • Automated Configuration: Valimail takes the guesswork out of setting up DKIM. Our platform automates the configuration process to keep your DNS records correct and up-to-date.
  • Real-Time Monitoring: Monitor your email authentication status in real-time. Valimail provides instant alerts if any issues arise to help you address them quickly.
  • Expert Support: Our team of email authentication experts is here to help. Whether you’re troubleshooting a DKIM failure or fine-tuning your email security strategy, Valimail provides the support you need.
  • Comprehensive Solutions: Beyond DKIM, Valimail supports a full suite of email authentication protocols, including SPF, DMARC, and BIMI.

Don’t let DKIM fails mess up your email communications. Talk to a Valimail DKIM expert for free to troubleshoot these DKIM issues and secure your inbox.

Frequently asked questions

What does a DKIM fail mean?

A DKIM fail means the receiving server couldn’t verify the DKIM signature on an incoming message. This appears as dkim=fail in the email’s Authentication-Results header. It typically means the message content was altered after signing, the public key couldn’t be found in DNS, or the DKIM record is misconfigured. Depending on the sending domain’s DMARC policy, a DKIM fail can result in the message being delivered, quarantined, or rejected.

What does “dkim=fail (body hash did not verify)” mean?

This specific error means the hash of the message body calculated at delivery doesn’t match the body hash recorded in the DKIM signature at send time. Something modified the message content between signing and delivery — most commonly a security gateway, anti-virus tool, or email client that appends a footer or disclaimer after signing. Switching DKIM canonicalization to relaxed/relaxed often resolves this.

How do I fix a DKIM failure?

Start by checking what the specific error says — “body hash did not verify” points to content modification after signing, while “no key for signature” points to a DNS problem. For the former, switch canonicalization to relaxed/relaxed and identify what system is altering the message. For the latter, verify your DNS record at [selector]._domainkey.[yourdomain.com] using a DKIM lookup tool. For recurring failures across senders, Valimail Monitor gives you a real-time view of which services are passing and failing DKIM authentication across all your domains.
