
DKIM Failures: Troubleshooting DKIM Authentication Problems

DKIM Troubleshooting Guide

DKIM (DomainKeys Identified Mail) failures can be tricky to diagnose because they involve cryptographic signatures and DNS records. This guide covers the most common DKIM issues and how to resolve them.

Issue: DKIM Key Not Found

Symptoms

  • DKIM returns permerror or neutral (temperror if the DNS lookup itself failed rather than answering that no record exists)
  • Error message says "No key found" or "DNS query failed"
  • A DKIM-Signature header is present, but the verifier cannot fetch the key and so never gets as far as checking the signature

Causes

  1. Wrong selector — The s= value in the signature doesn't match the name under which the key was published in DNS
  2. Missing or misplaced DNS record — The public key hasn't been published, or was published under the wrong name
  3. Propagation delay — A new DNS record hasn't propagated yet, or resolvers are still serving the cached negative answer from before it was added

Solution

  1. Find the selector and signing domain in the message's DKIM-Signature header (the s= and d= tags):
       DKIM-Signature: ... s=selector1; d=example.com; ...
  2. Verify that the public key record exists at <selector>._domainkey.<d= domain>:
       nslookup -type=txt selector1._domainkey.example.com
  3. If it is missing, publish the DKIM public key as a TXT record at exactly that name:
       selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0..."
     Check the name the zone editor actually saved: some append the zone to whatever you type, producing selector1._domainkey.example.com.example.com, which no verifier will ever query.
  4. Wait for propagation if the record was just added (see DNS Propagation)

Issue: DKIM Signature Invalid

Symptoms

  • DKIM returns fail
  • Error message says "Signature verification failed" or "Body hash mismatch"

Common Causes

Email gateways that modify content after signing:

  • Security scanning that adds headers or footers
  • Disclaimer text appended to the message body
  • Character encoding changes

Mailing lists that modify messages:

  • Subject line prefixes (e.g., [listname]), which break the signature whenever Subject is in the signed header list (h=), as it almost always is
  • Footer additions, which change the body hash (bh=)
  • Adding or rewriting headers covered by h= (e.g., Reply-To)
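To see exactly what a verifier checks when it reports a body hash mismatch, here is an added worked example (not part of the original guide): it implements RFC 6376 simple and relaxed body canonicalization, recomputes bh= the way a verifier does for a=rsa-sha256, and runs the check over a constructed message body before and after the two kinds of change described above, a whitespace reflow and an appended gateway footer. The sample bodies, the footer text and the DKIM-Signature value are all constructed for the example; its b= value is a placeholder, because only the body hash is recomputed here, not the RSA signature over the headers.

```python
import base64
import hashlib
import re


def canonicalize_body(body: bytes, algorithm: str = "simple") -> bytes:
    """RFC 6376 body canonicalization: section 3.4.3 (simple) or 3.4.4 (relaxed)."""
    if algorithm not in ("simple", "relaxed"):
        raise ValueError(f"unknown body canonicalization: {algorithm}")
    lines = body.split(b"\r\n")
    if algorithm == "relaxed":
        # strip trailing WSP, then collapse every run of WSP to a single SP
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:  # empty body: simple yields a single CRLF, relaxed yields nothing
        return b"\r\n" if algorithm == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, algorithm: str = "simple") -> str:
    """bh= as a verifier recomputes it for a=rsa-sha256: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(canonicalize_body(body, algorithm)).digest()
    return base64.b64encode(digest).decode()


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tags; folding whitespace inside values is dropped."""
    tags = {}
    for spec in header_value.split(";"):
        name, sep, value = spec.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """Recompute bh= using the body algorithm named in c= (header/body; body defaults to simple)."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_algorithm = canon.split("/")[1] if "/" in canon else "simple"
    return body_hash(body, body_algorithm) == tags["bh"]


# Constructed sample bodies: the original as signed, one re-flowed by an intermediate
# hop (trailing spaces, a tab turned into spaces, extra blank lines at the end) and
# one with a gateway footer appended.
ORIGINAL_BODY = b"Hello,\r\n\r\nPlease  review the\tattached report.\r\n"
REFLOWED_BODY = b"Hello,   \r\n\r\nPlease review the attached report.\r\n\r\n\r\n"
FOOTERED_BODY = ORIGINAL_BODY + b"\r\n-- \r\nThis message was scanned by ExampleGateway.\r\n"

# Constructed signature header over ORIGINAL_BODY; b= is a placeholder because this
# example checks the body hash only, not the RSA signature over the headers.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
             "h=from:to:subject; bh=" + body_hash(ORIGINAL_BODY, "relaxed") + "; b=PLACEHOLDER")

if __name__ == "__main__":
    for label, body in (("original", ORIGINAL_BODY), ("whitespace reflow", REFLOWED_BODY),
                        ("footer appended", FOOTERED_BODY)):
        print(f"{label:18} relaxed bh matches: {body_hash_matches(SIGNATURE, body)!s:5} "
              f"simple bh: {body_hash(body, 'simple')}")
```

Relaxed canonicalization absorbs the whitespace reflow; nothing absorbs added text, so the footer fails under both algorithms, and under simple canonicalization even the reflow fails. Subject prefixes and other header edits break the b= signature rather than bh=, because the header hash covers the fields listed in h=. Do not reach for the l= body-length tag as a way to tolerate footers: it lets anyone append arbitrary content to a signed message without invalidating the signature, which RFC 6376 section 8.2 itself warns about.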

Solutions

For email gateways:

  1. Configure the gateway so that it does not alter the body or any header listed in h= after signing (apply disclaimers and scanning stamps before the signing step instead)
  2. Or sign at the last hop, after all modifications, so the signature covers exactly what leaves your infrastructure

For mailing lists:

  1. Accept that the author domain's DKIM signature will fail on mail relayed through lists that modify messages
  2. Rely on the mailing list's own authentication (lists that modify content typically rewrite From: to the list's domain and sign with it, so DMARC is evaluated against the list's domain)
  3. Use ARC (Authenticated Received Chain, RFC 8617) where the list seals messages and the receiver honours ARC

Issue: DKIM Not Enabled

Symptoms

  • No DKIM signature in outgoing emails
  • DKIM returns none
  • DMARC failing due to missing DKIM authentication

Solution

Enable DKIM signing in your email service:

Google Workspace:

  1. Admin Console → Apps → Google Workspace → Gmail
  2. Authenticate email → Generate new record
  3. Add the TXT record to DNS
  4. Start authentication

Microsoft 365:

  1. Microsoft 365 Defender → Email & collaboration
  2. Policies & rules → Threat policies → Email authentication
  3. Enable DKIM signing for your domain

SendGrid:

  1. Settings → Sender Authentication
  2. Authenticate Your Domain
  3. Follow the DNS setup instructions

Mailchimp:

  1. Account → Settings → Domains
  2. Verify & Authenticate
  3. Add the DKIM record to DNS

Issue: DKIM Alignment Failure

Symptoms

  • DKIM passes but DMARC still fails
  • The alignment check fails specifically
  • Different domains in the DKIM signature and From header

Cause

The d= domain in the DKIM signature doesn't align with the domain in the From header. DMARC's default relaxed alignment (adkim=r) requires the two organizational domains to match, so d=mail.example.com aligns with sales@example.com; strict alignment (adkim=s) requires the domains to be identical. A service that signs with its own domain satisfies neither:

From: sales@example.com
DKIM-Signature: d=thirdparty.com ...

Solution

Configure the sending service to sign with your domain:

  1. Find custom DKIM settings in your email service
  2. Generate keys for your domain instead of the service's domain
  3. Add the public key to your domain's DNS
  4. Verify the signature now uses your domain's d= value

Correct alignment:

From: sales@example.com
DKIM-Signature: d=example.com ...
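The first two steps of the Key Not Found procedure and the alignment check above are mechanical enough to script. The following added example (not from the original guide) parses a constructed raw message, unfolds the headers, extracts s= and d= from every DKIM-Signature header present, builds the DNS name to query, and reports whether each signing domain aligns with the From domain in strict and in relaxed mode. The sample message and its placeholder bh= and b= values are constructed; the PUBLIC_SUFFIXES set is an assumption standing in for the Public Suffix List that a real relaxed-alignment check has to consult.

```python
import re
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption for this example only):
# a real implementation must load the Mozilla PSL to find organizational domains.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, as DMARC (RFC 7489 section 3.2) defines it."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # fallback when no known suffix matches


def parse_headers(raw_message: bytes) -> list:
    """Return (lower-cased name, value) pairs with folded continuation lines re-joined."""
    header_block = raw_message.split(b"\r\n\r\n", 1)[0]
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", header_block)
    headers = []
    for line in unfolded.split(b"\r\n"):
        name, _, value = line.decode("utf-8", "replace").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for spec in header_value.split(";"):
        name, sep, value = spec.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def analyze_dkim_signatures(raw_message: bytes) -> list:
    """For each DKIM-Signature: the DNS name holding its key and its DMARC alignment."""
    headers = parse_headers(raw_message)
    from_header = next(value for name, value in headers if name == "from")
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    results = []
    for name, value in headers:
        if name != "dkim-signature":
            continue
        tags = parse_tags(value)
        selector, signing_domain = tags["s"], tags["d"].lower()
        query_name = f"{selector}._domainkey.{signing_domain}"
        results.append({
            "selector": selector,
            "d": signing_domain,
            "query_name": query_name,
            "lookup": f"nslookup -type=txt {query_name}",
            "strict": signing_domain == from_domain,
            "relaxed": organizational_domain(signing_domain) == organizational_domain(from_domain),
        })
    return results


# Constructed sample message with two folded signatures: one from a third-party
# service signing with its own domain, one from a subdomain of the From domain.
# bh= and b= are placeholders, not real values.
RAW_MESSAGE = (
    b"From: Sales <sales@example.com>\r\n"
    b"To: customer@example.net\r\n"
    b"Subject: Quote\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thirdparty.com;\r\n"
    b"\ts=s1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail.example.com;\r\n"
    b" s=selector1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"\r\n"
    b"Body\r\n"
)

if __name__ == "__main__":
    for result in analyze_dkim_signatures(RAW_MESSAGE):
        print(f"{result['query_name']:45} strict={result['strict']!s:5} relaxed={result['relaxed']}")
        print(f"  {result['lookup']}")
```

The third-party signature yields s1._domainkey.thirdparty.com to query and aligns in neither mode; the mail.example.com signature fails strict alignment but passes relaxed, which is why a DMARC record with adkim=s can turn a passing DKIM result into a DMARC failure.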

Issue: DKIM Key Size Too Small

Symptoms

  • DKIM verification fails with a security error
  • "Key too small" or "weak key" errors
  • Works with some receivers but fails with others

Cause

The DKIM key is 512 or 768 bits long. RFC 8301 requires verifiers to treat RSA keys shorter than 1024 bits as invalid (it also retires rsa-sha1 in favour of rsa-sha256), and 2048 bits is the size to deploy now. Receivers that still accept short keys are why the same message passes at some destinations and fails at others.

Solution

  1. Generate a new 2048-bit RSA key pair
  2. Publish the new public key in DNS under a new selector (for example selector2) rather than overwriting the old record, so that mail already in transit, signed with the old key, still verifies
  3. Configure your email service with the new private key and selector
  4. Test and verify that new outgoing mail passes with the new selector
  5. Remove the old selector's DNS record once DMARC reports show no more mail signed with the old key

Note: A TXT record is made of character-strings of at most 255 bytes each, and the p= value of a 2048-bit key alone is 392 characters, so the record has to be published as two or more quoted strings; verifiers concatenate them before use (RFC 6376 section 3.6.2.2). Some DNS provider UIs split the value for you, others reject or truncate it. Quick size check on a published key: a 1024-bit RSA p= value begins MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ, a 2048-bit one begins MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA.

Issue: DKIM Record Syntax Errors

Common Errors

Version tag missing or not first:

# Accepted by RFC 6376 verifiers (v= is only RECOMMENDED; the default is DKIM1), but some checkers flag it
k=rsa; p=MIGfMA0...

# Wrong: when v= is present it must be the first tag in the record
k=rsa; v=DKIM1; p=MIGfMA0...

# Correct
v=DKIM1; k=rsa; p=MIGfMA0...

Truncated public key:

# Wrong (incomplete)
v=DKIM1; k=rsa; p=MIGfMA0

# Correct (complete key)
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...

Whitespace around separators (not an error):

# Valid: RFC 6376 allows whitespace around "=" and ";" in a tag list, so this record verifies
v=DKIM1 ; k=rsa ; p=MIGfMA0...

PEM armor pasted into the key:

# Wrong (the BEGIN/END lines from the .pem file are not part of the key data)
v=DKIM1; k=rsa; p=-----BEGIN PUBLIC KEY----- MIGfMA0...

# Correct (base64 body only)
v=DKIM1; k=rsa; p=MIGfMA0...
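The syntax checks above and the key-size check from the previous section come together in this added example (not from the original guide): it concatenates the TXT character-strings as a verifier does, parses the tag list, enforces that v= comes first when present, decodes p= and reads the RSA modulus size out of the DER SubjectPublicKeyInfo with no third-party library, and flags keys under 1024 bits, truncated keys and pasted PEM armor. The key material is synthetic: constructed_rsa_spki builds a DER structure around a made-up modulus, not a real key, and the sample records are constructed for the example.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def der_int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:  # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return der(0x02, raw)

def constructed_rsa_spki(bits: int) -> bytes:
    """SubjectPublicKeyInfo around a MADE-UP modulus (sample only, not a usable key)."""
    modulus = (1 << (bits - 1)) | 0x10001  # top bit set, so bit_length() == bits
    rsa_public_key = der(0x30, der_int(modulus) + der_int(65537))
    algorithm_id = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, algorithm_id + der(0x03, b"\x00" + rsa_public_key))

def _tlv(buf: bytes, pos: int = 0):
    """Read one DER element: (tag, content, offset after it); IndexError if truncated."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """Modulus size of an rsaEncryption SubjectPublicKeyInfo (what p= carries)."""
    tag, body, _ = _tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must start with a SEQUENCE")
    _, algorithm_id, pos = _tlv(body)
    if _tlv(algorithm_id)[1] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = _tlv(body, pos)
    _, rsa_public_key, _ = _tlv(bit_string[1:])  # skip the unused-bits octet
    return int.from_bytes(_tlv(rsa_public_key)[1], "big").bit_length()

def parse_tags(record: str) -> list:
    """RFC 6376 tag-list; whitespace around '=' and ';' is legal and stripped."""
    tags = []
    for spec in record.split(";"):
        if spec.strip():
            name, sep, value = spec.partition("=")
            if not sep:
                raise ValueError(f"tag without '=': {spec.strip()!r}")
            tags.append((name.strip(), value.strip()))
    return tags

def check_dkim_record(txt_strings: list) -> dict:
    """Validate a DKIM key record given as the DNS TXT character-strings."""
    record = "".join(txt_strings)  # RFC 6376 section 3.6.2.2: concatenate as-is
    problems, warnings, key_bits = [], [], None
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return {"ok": False, "key_bits": None, "problems": [str(exc)], "warnings": []}
    names, tagmap = [name for name, _ in tags], dict(tags)
    if "v" in names:
        if names[0] != "v":
            problems.append("v= is present but is not the first tag")
        if tagmap["v"] != "DKIM1":
            problems.append(f"v={tagmap['v']!r} is not DKIM1")
    else:
        warnings.append("no v= tag: legal per RFC 6376, but publish v=DKIM1 first anyway")
    p = tagmap.get("p")
    if p is None:
        problems.append("p= tag missing")
    elif "-----" in p:
        problems.append("p= contains PEM armor (-----BEGIN ...); paste only the base64 body")
    else:
        try:  # folding whitespace inside the base64 is allowed, so strip it first
            spki = base64.b64decode(re.sub(r"\s+", "", p), validate=True)
            if tagmap.get("k", "rsa") == "rsa":
                key_bits = rsa_modulus_bits(spki)
                if key_bits < 1024:  # RFC 8301 minimum
                    problems.append(f"{key_bits}-bit RSA key is below the 1024-bit minimum")
        except (ValueError, IndexError) as exc:  # binascii.Error is a ValueError
            problems.append(f"p= is not a valid base64 SubjectPublicKeyInfo (truncated?): {exc}")
    return {"ok": not problems, "key_bits": key_bits, "problems": problems, "warnings": warnings}

# Constructed sample records (synthetic key material, see constructed_rsa_spki)
GOOD_KEY = base64.b64encode(constructed_rsa_spki(2048)).decode()
SAMPLES = {
    "2048-bit key split into two strings": [f"v=DKIM1; k=rsa; p={GOOD_KEY[:200]}", GOOD_KEY[200:]],
    "spaces around semicolons (legal)": [f"v=DKIM1 ; k=rsa ; p={GOOD_KEY}"],
    "v= not first": [f"k=rsa; v=DKIM1; p={GOOD_KEY}"],
    "truncated key": ["v=DKIM1; k=rsa; p=MIGfMA0"],
    "512-bit key": ["v=DKIM1; k=rsa; p=" + base64.b64encode(constructed_rsa_spki(512)).decode()],
}

if __name__ == "__main__":
    for label, strings in SAMPLES.items():
        print(f"{label:38} {check_dkim_record(strings)}")
```

Note that the sample with spaces around the semicolons passes: that is legal tag-list syntax. The records that fail are the one with v= after k=, the truncated key and the 512-bit key, and the split 2048-bit record passes because the two strings are joined before parsing, exactly as a verifier joins them.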

Diagnostic Steps

  1. Check the message headers for DKIM-Signature and Authentication-Results
  2. Extract the selector and signing domain from the signature (s= and d= tags)
  3. Query DNS for the public key at <selector>._domainkey.<d= domain>
  4. Validate the record's syntax and key size (online checkers, or OpenDKIM's opendkim-testkey utility)
  5. If the key is fine but the result is fail, determine whether the body or the signed headers were modified in transit (body hash mismatch versus signature verification failure)
  6. Review DMARC reports for DKIM failure patterns across sending sources

Prevention Tips

  1. Use 2048-bit keys for all new DKIM implementations
  2. Document selectors and which service uses which selector
  3. Test after changes before announcing success
  4. Monitor DMARC reports for DKIM failure trends
  5. Plan key rotation procedures in advance

Next Steps