Quick Answer

The most common DKIM failures are: missing or incorrect DNS records, expired or rotated keys that weren't updated, body hash mismatches from content modification in transit, selector misconfiguration, and key length issues. Check Authentication-Results headers to identify the specific failure reason, then fix the root cause in DNS or your sending configuration.

Common DKIM Failures and How to Fix Them

By Braedon · Mailflow Authority · Email Authentication

How to Read DKIM Failure Messages

Every DKIM verdict shows up in the Authentication-Results header that the receiving mail server adds. Here's what each result means (the RFC 8601 definitions):

Result          Meaning
dkim=pass       The signature verified successfully
dkim=fail       The message was signed but the signature did not verify (wrong key, body hash mismatch, or a signed header changed in transit)
dkim=neutral    The message was signed but the signature could not be evaluated, for example because the DKIM-Signature header has a syntax error
dkim=temperror  A transient error, usually a failed DNS lookup for the public key; a retry may succeed
dkim=permerror  An unrecoverable error, such as a malformed signature or DNS record, or a missing required tag
dkim=none       No DKIM-Signature header found
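A small parser for that header, added here as an example and not part of the original page. It takes each resinfo apart (method=result, the optional reason in parentheses, then ptype.property=value pairs) and only reports dkim= verdicts stamped by your own receiving server's authserv-id, because anyone can put an Authentication-Results line into a message they send. The header values and the authserv-id mx.example.net are constructed for the example.

```python
import re
from typing import Dict, List

# Authentication-Results header values, constructed for this example (not
# captured from real mail). "mx.example.net" is an assumed authserv-id.
SAMPLE_HEADERS = [
    "mx.example.net; dkim=fail (body hash did not verify) header.d=example.com"
    " header.s=sel2024 header.b=abc123; spf=pass smtp.mailfrom=example.com;"
    " dmarc=fail (p=REJECT) header.from=example.com",
    "mx.example.net; dkim=pass header.i=@example.com header.s=google header.b=xyz",
    "mx.example.net; dkim=none; spf=none",
    # A forged header: the sender can add its own Authentication-Results line.
    "mx.attacker.example; dkim=pass header.d=example.com",
]

# method=result, optional "(reason)" comment; ptype.property=value pairs follow
METHOD_RE = re.compile(r"^([a-z][a-z0-9-]*)\s*=\s*([a-z]+)\s*(?:\(([^)]*)\))?")
PROP_RE = re.compile(r"([a-z]+\.[a-z]+)=([^\s;]+)")


def parse_authentication_results(header: str) -> Dict:
    """Parse one Authentication-Results value (RFC 8601) into authserv-id and resinfos."""
    parts = [p.strip() for p in header.split(";")]
    authserv_id = parts[0].split()[0] if parts[0] else ""   # drop an optional version
    results = []
    for resinfo in parts[1:]:
        m = METHOD_RE.match(resinfo)
        if not m:
            continue  # skip anything that is not method=result
        method, result, reason = m.group(1), m.group(2), m.group(3)
        props = dict(PROP_RE.findall(resinfo[m.end():]))
        results.append({"method": method, "result": result,
                        "reason": reason, "props": props})
    return {"authserv_id": authserv_id, "results": results}


def dkim_verdicts(headers: List[str], trusted_authserv: str) -> List[Dict]:
    """Return the dkim= results from headers stamped by our own receiving server.

    Headers carrying another authserv-id are ignored: the sender controls
    them, so a forged "dkim=pass" there means nothing.
    """
    verdicts = []
    for h in headers:
        parsed = parse_authentication_results(h)
        if parsed["authserv_id"] != trusted_authserv:
            continue
        for r in parsed["results"]:
            if r["method"] != "dkim":
                continue
            props = r["props"]
            # header.d is the signing domain; fall back to the domain part of header.i
            domain = props.get("header.d") or props.get("header.i", "").split("@")[-1] or None
            verdicts.append({"result": r["result"], "reason": r["reason"],
                             "domain": domain, "selector": props.get("header.s")})
    return verdicts


if __name__ == "__main__":
    for v in dkim_verdicts(SAMPLE_HEADERS, "mx.example.net"):
        print(v)
```

Feed it the Authentication-Results lines from a failing message (Gmail's Show Original shows them) with your own MX's authserv-id as trusted_authserv; the reason and selector it returns are what the sections below key off.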

Failure: DNS Record Not Found

Symptom: the verifier can't find a public key. RFC 6376 calls this PERMFAIL "no key for signature"; depending on the verifier it is reported as dkim=fail, dkim=permerror or dkim=neutral, with a reason such as "no key" or "key not found".

Cause: The DKIM public key isn't published at the selector._domainkey.yourdomain.com hostname.

Fix:

  1. Read the selector (s= tag) and the signing domain (d= tag) from the DKIM-Signature header; the lookup uses the d= domain, which is not always the From domain
  2. Check that a TXT record exists at [selector]._domainkey.[d= domain], either directly or behind a CNAME
  3. If using CNAME, verify the target resolves correctly and serves the TXT record

  dig TXT selector._domainkey.yourdomain.com +short

Practitioner note: The most common version of this: someone sets up DKIM in their ESP, copies the CNAME records, and adds them to the wrong DNS zone. If DNS is managed in more than one place (registrar, Cloudflare, hosting panel), confirm which nameservers are authoritative (dig NS yourdomain.com) and edit that zone.

Failure: Key Mismatch

Symptom: dkim=fail with "signature verification failed"

Cause: The public key in DNS doesn't match the private key that signed the message. This happens after a key rotation if the DNS record wasn't updated, or if the wrong key was published.

Fix: Publish the public key that matches the private key actually in use. If you can't tell which key the signer holds, generate a new key pair in your ESP under a new selector and publish its public key; keep the old selector's record in DNS for a few days so mail already signed with the old key still verifies while it's queued or in transit.

Failure: Body Hash Mismatch

Symptom: dkim=fail with "body hash did not verify"

Cause: The email body was modified after signing. See the full body hash mismatch guide for causes and fixes.

Fix: Identify what's modifying the body (a mailing list footer, a security gateway rewriting links, an outbound disclaimer or content filter) and either stop the modification or move DKIM signing so it happens after it, at the last hop you control.
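The check itself, as an added example (not code from the original page): the relaxed and simple body canonicalizations from RFC 6376, the bh= computation, and a function that recomputes the hash for a raw message and compares it with the bh= tag in its DKIM-Signature. The sample message, the selector sel2024 and the domain example.com are constructed; the b= value is a placeholder because only the body hash is checked here, not the RSA signature over the headers.

```python
import base64
import hashlib
import re
from typing import Dict, Optional, Tuple


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    out = []
    for line in lines:
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse runs of WSP to one SP
        out.append(line.rstrip(b" \t"))        # drop trailing WSP
    while out and out[-1] == b"":              # drop trailing empty lines
        out.pop()
    return b"\r\n".join(out) + b"\r\n" if out else b""


def simple_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.3 'simple' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"       # an empty body becomes a lone CRLF


def body_hash(body: bytes, canon: str = "relaxed", algo: str = "sha256",
              length: Optional[int] = None) -> str:
    """Compute the bh= value: base64(hash(canonicalized body[:l]))."""
    data = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    if length is not None:                     # honour the optional l= tag
        data = data[:length]
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def get_header(head: bytes, name: bytes) -> Optional[bytes]:
    """Return the unfolded value of the first header called `name`."""
    unfolded = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and unfolded:
            unfolded[-1] += line               # continuation of a folded header
        else:
            unfolded.append(line)
    for h in unfolded:
        n, _, v = h.partition(b":")
        if n.strip().lower() == name.lower():
            return v.strip()
    return None


def parse_tags(value: bytes) -> Dict[str, str]:
    """Parse a DKIM tag=value list; folding whitespace inside values is ignored."""
    tags = {}
    for part in value.split(b";"):
        if b"=" in part:
            k, v = part.split(b"=", 1)
            tags[k.strip().decode()] = re.sub(rb"\s+", b"", v).decode()
    return tags


def check_body_hash(raw: bytes) -> Optional[Tuple[bool, str, str]]:
    """Recompute bh= for a raw message; returns (matches, expected, computed)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    sig = get_header(head, b"DKIM-Signature")
    if sig is None:
        return None                            # dkim=none: nothing to check
    tags = parse_tags(sig)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    algo = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    length = int(tags["l"]) if "l" in tags else None
    computed = body_hash(body, body_canon, algo, length)
    return computed == tags.get("bh"), tags.get("bh", ""), computed


# Constructed sample (not a real message); b= is a placeholder because only
# the body hash is checked here, not the signature over the headers.
ORIGINAL_BODY = b"Hello team,\r\n\r\nThe report is attached.   \r\n\r\n\r\n"


def build_message(body: bytes, bh: str) -> bytes:
    return (b"From: alice@example.com\r\nTo: bob@example.net\r\n"
            b"Subject: Weekly report\r\n"
            b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
            b"\ts=sel2024; h=from:to:subject; bh=" + bh.encode() + b";\r\n"
            b"\tb=placeholder\r\n\r\n" + body)


SIGNED = build_message(ORIGINAL_BODY, body_hash(ORIGINAL_BODY, "relaxed"))
# What a list server or gateway does after the signer: append a footer.
MODIFIED = SIGNED + b"-- \r\nThis message was scanned by a security gateway.\r\n"

if __name__ == "__main__":
    print("original:   ", check_body_hash(SIGNED))
    print("with footer:", check_body_hash(MODIFIED))
```

Note what relaxed canonicalization forgives and what it doesn't: trailing whitespace, extra blank lines at the end and runs of spaces are all normalised away, so a gateway that only re-wraps trailing whitespace leaves the hash intact, while a footer, a disclaimer or a rewritten link changes it. When the expected and computed values differ, the body was changed after signing; when they match but the message still fails, look at the signed headers (h= tag) instead.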

Failure: Truncated TXT Record

Symptom: dkim=permerror (often with a reason such as "bad key" or "key syntax error"), or the signature simply fails to verify

Cause: A single TXT string is limited to 255 bytes. A 2048-bit RSA public key is 392 base64 characters, so the record has to be published as two or more strings that the verifier concatenates. Some DNS provider interfaces silently cut the value at 255 characters or refuse the longer value, leaving a record that exists but is incomplete. 1024-bit keys (about 216 characters) fit in one string, which is why this usually surfaces on the upgrade to 2048.

Fix: Verify the full key is published: dig TXT selector._domainkey.yourdomain.com +short should show the complete p= value, matching what your ESP or key generator gave you character for character. If it's cut off, split the value into multiple quoted strings (most providers do this automatically when you paste the whole value, but check), or switch to CNAME delegation so the ESP publishes the record.

Failure: Expired Key

Symptom: DKIM suddenly stops passing after months of working

Cause: If your ESP rotated their signing key but you haven't updated DNS (relevant for TXT-based setups, not CNAME), the old public key no longer matches.

Fix: Check your ESP dashboard for updated DKIM records and update DNS.

Practitioner note: This is why CNAME-based DKIM is the better default for most setups: the ESP can rotate keys without you touching DNS. The trade-off is that the ESP then controls which key signs as your domain, so delegate only the selectors you actually use with that provider and remove them when you leave it. If you're using direct TXT records, put a reminder on your calendar to check for key rotation every quarter.

Failure: No Signature Present

Symptom: dkim=none — no DKIM-Signature header at all

Cause: The sending server isn't signing outbound email. Either DKIM isn't enabled, or you're sending from a path that bypasses the DKIM signing server.

Fix: Enable DKIM signing in your ESP or mail server, and make sure every outbound path (marketing platform, ticketing system, on-prem relay) signs. For Google Workspace you must generate the key and explicitly turn on signing in the Admin Console; until you do, Google signs with its own *.gappssmtp.com fallback domain, which passes DKIM but does not align with your domain for DMARC.

Quick Diagnostic Checklist

  1. Check the Authentication-Results header added by the receiving server for the specific result and reason
  2. Identify the selector (s= tag) and signing domain (d= tag) from the DKIM-Signature header
  3. Query DNS: dig TXT [selector]._domainkey.[signing-domain] +short
  4. Compare the public key in DNS with what your ESP expects, character for character
  5. Check DMARC aggregate reports for patterns (one source IP, one selector, or one receiver failing)
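The checklist as code, added here as an example and not part of the original page: pull the selector and signing domain out of the DKIM-Signature to build the query name, then take the TXT strings a resolver returns, join them the way a verifier does, and check that p= decodes to an RSA SubjectPublicKeyInfo of the expected size. The record is built from synthetic moduli of the right bit length (not real keys) so the 255-byte string split and the truncation failure described above can be shown offline; the selector sel2024 and example.com are assumed names.

```python
import base64
from typing import Dict, List

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption 1.2.840.113549.1.1.1


def parse_tags(value: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list (works for the signature and the DNS record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())    # folding whitespace in values is ignored
    return tags


def query_name(dkim_signature: str) -> str:
    """DNS name holding the public key: <s>._domainkey.<d>, from the DKIM-Signature tags."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"


# Minimal DER helpers: enough to build and read an RSA SubjectPublicKeyInfo.
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b                              # keep the INTEGER positive
    return _der(0x02, b)


def _der_read(data: bytes, pos: int):
    """Return (tag, content_start, content_end) of the TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER structure")
    return tag, pos, pos + length


def build_spki(n: int, e: int = 65537) -> bytes:
    """Encode an RSA public key as SubjectPublicKeyInfo (what the p= tag carries)."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk the SPKI and return the modulus size in bits."""
    tag, start, _ = _der_read(spki, 0)
    tag2, alg_start, alg_end = _der_read(spki, start)
    if tag != 0x30 or tag2 != 0x30 or spki[alg_start:alg_start + len(RSA_OID)] != RSA_OID:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    tag, bs_start, _ = _der_read(spki, alg_end)          # BIT STRING; first byte = unused bits
    tag2, rsa_start, _ = _der_read(spki, bs_start + 1)   # RSAPublicKey SEQUENCE
    tag3, n_start, n_end = _der_read(spki, rsa_start)    # INTEGER modulus
    if (tag, tag2, tag3) != (0x03, 0x30, 0x02):
        raise ValueError("unexpected DER layout")
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()


def dkim_record(spki: bytes) -> str:
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def split_txt_value(value: str, limit: int = 255) -> List[str]:
    """TXT RDATA is a sequence of strings of at most 255 bytes; long values must be split."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def validate_dkim_record(strings: List[str]) -> Dict:
    """Join the TXT strings as a verifier does and check that the record is usable."""
    tags = parse_tags("".join(strings))
    if tags.get("v", "DKIM1") != "DKIM1":
        return {"ok": False, "bits": None, "error": "v= is not DKIM1"}
    if tags.get("k", "rsa") != "rsa":
        return {"ok": False, "bits": None, "error": "unsupported k=" + tags["k"]}
    p = tags.get("p")
    if p is None:
        return {"ok": False, "bits": None, "error": "missing p= tag"}
    if p == "":
        return {"ok": False, "bits": None, "error": "key revoked (empty p=)"}
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError) as exc:              # binascii.Error is a ValueError
        return {"ok": False, "bits": None, "error": f"p= is not an RSA key: {exc}"}
    return {"ok": True, "bits": bits, "error": None}


# Synthetic moduli (NOT real keys), only the right size to show the string split.
KEY_2048 = build_spki((1 << 2047) | 0x10001)
KEY_1024 = build_spki((1 << 1023) | 0x10001)

if __name__ == "__main__":
    sig = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024; h=from:to; bh=...; b=..."
    print("query:", query_name(sig))
    strings = split_txt_value(dkim_record(KEY_2048))
    print(len(strings), "strings:", validate_dkim_record(strings))
    print("first string only:", validate_dkim_record(strings[:1]))
```

Against live DNS, replace the constructed strings with the quoted strings from dig TXT ... +short, one list element per quoted string. A record that validates here but still fails at receivers points at a key mismatch or body modification rather than a publishing problem; one that fails here with a decode error is the truncation case from the section above.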

If you're seeing persistent DKIM failures and can't identify the cause, I can run a full authentication audit to find and fix every issue.

v1.0 · April 2026

Frequently Asked Questions

Why is my DKIM failing?

Check the Authentication-Results header for the specific failure. Common causes: DNS record missing, key mismatch, body modified in transit, selector wrong, or TXT record truncated.

How do I check if DKIM is working?

Send an email to a Gmail address, open it, click Show Original, and look for dkim=pass or dkim=fail in the Authentication-Results header.

What does dkim=temperror mean?

A temporary DNS lookup failure: the receiving server couldn't retrieve your DKIM public key. A one-off temperror is usually a DNS availability blip, not a configuration problem, and clears on retry. If many receivers report it persistently, check that your authoritative nameservers answer reliably and that DNSSEC validation isn't failing for the zone (a SERVFAIL looks like temperror to the verifier).

What does dkim=permerror mean?

A permanent error in the DKIM record or signature that won't go away on retry: malformed syntax, a missing required tag, a key that doesn't decode, or a DKIM-Signature header the verifier can't parse. Check the DNS TXT record (and its string splits) for formatting issues first, then the signature header itself.

Can DKIM fail if the email is forwarded?

DKIM survives plain forwarding if neither the body nor the signed headers (the h= tag, typically including Subject) are modified. Unlike SPF, DKIM is tied to the message content, not the sending IP. But if the forwarder appends a footer or tags the Subject, the body hash or the signature breaks.

Want this handled for you?

Free 30-minute strategy call. Walk away with a plan either way.