Quick Answer

To verify DKIM, check the email's Authentication-Results header for dkim=pass or dkim=fail. The DKIM-Signature header shows signing details: d= (signing domain), s= (selector), b= (signature), and h= (signed headers). Receivers use the selector to look up the public key at selector._domainkey.domain.com and verify the cryptographic signature matches the message content.

DKIM Signature Verification: How to Read DKIM Headers

By Braedon·Mailflow Authority·Email Authentication·Updated 2026-03-31

Understanding DKIM Verification

When email arrives, receiving servers:

  1. Extract the DKIM-Signature header
  2. Look up the public key using the selector and domain
  3. Verify the cryptographic signature matches the message
  4. Record the result in Authentication-Results

Reading the DKIM-Signature Header

Every DKIM-signed email contains this header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=example.com; s=google;
    h=from:to:subject:date:message-id;
    bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
    b=dGVzdCBzaWduYXR1cmUgaGVyZQ==

Tag Breakdown

| Tag | Meaning | Example |
|-----|---------|---------|
| v= | Version (always 1) | v=1 |
| a= | Algorithm | a=rsa-sha256 |
| c= | Canonicalization | c=relaxed/relaxed |
| d= | Signing domain | d=example.com |
| s= | Selector | s=google |
| h= | Signed headers | h=from:to:subject:date |
| bh= | Body hash | Base64-encoded hash |
| b= | Signature | Base64-encoded signature |

Signing Domain (d=)

The domain responsible for the signature. This is what DMARC alignment checks against.

d=example.com

This should match (or be a subdomain of) your From address domain for DMARC alignment.

Selector (s=)

Identifies which public key to use for verification:

s=google

The public key is looked up at google._domainkey.example.com.

Signed Headers (h=)

Lists which headers are included in the signature:

h=from:to:subject:date:message-id

If these headers are modified after signing, verification fails.

Canonicalization (c=)

Defines how the message is normalized before signing:

| Type | Header/Body | Tolerance |
|------|-------------|-----------|
| simple | Strict | No modifications allowed |
| relaxed | Flexible | Whitespace changes OK |

Format: c=header/body

relaxed/relaxed is most common—tolerates minor formatting changes during transit.

Reading Authentication-Results

Receiving servers add this header with verification results:

Authentication-Results: mx.google.com;
    dkim=pass header.i=@example.com header.s=google header.b=dGVzdC;
    spf=pass (google.com: domain of [email protected] designates 192.0.2.1 as permitted sender) [email protected]

DKIM Result Values

| Result | Meaning |
|--------|---------|
| pass | Signature verified successfully |
| fail | Signature verification failed |
| none | No DKIM signature present |
| neutral | Signature exists but couldn't be verified |
| policy | Signature not acceptable due to policy |
| temperror | Temporary error (DNS timeout, etc.) |
| permerror | Permanent error (malformed signature) |

Additional DKIM Fields

header.i=@example.com    # Identity (i= tag, often same as d=)
header.s=google          # Selector used
header.b=dGVzdC          # Truncated signature (first 8 chars)

Practitioner note: When debugging DKIM issues, I look at Authentication-Results first. If it says dkim=fail, I then examine the DKIM-Signature header to understand why—usually the selector or domain points me to the problem.

Verifying DKIM Manually

Step 1: Get the Public Key

dig TXT google._domainkey.example.com +short

Returns:

"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ..."

Step 2: Decode the Key

The p= value is the Base64-encoded public key. You can decode and inspect it:

echo "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ..." | base64 -d | openssl rsa -pubin -inform DER -text

Step 3: Verify Signature

This is complex to do manually. Use tools like:

  • MXToolbox DKIM Validator
  • dkimvalidator.com
  • Mail header analyzers in Gmail/Outlook

Checking DKIM in Email Clients

Gmail

  1. Open the email
  2. Click three dots → "Show original"
  3. Look for:
    • DKIM-Signature header
    • Authentication-Results (shows dkim=pass/fail)

Outlook (Web)

  1. Open the email
  2. Click three dots → "View message details"
  3. Examine headers

Apple Mail

  1. View → Message → All Headers
  2. Find DKIM-Signature and Authentication-Results

Common Verification Failures

"dkim=fail (body hash did not verify)"

The message body was modified after signing.

Causes:

  • Mailing list added footer
  • Security gateway modified content
  • Antivirus added disclaimer

"dkim=fail (signature verification failed)"

Cryptographic verification failed.

Causes:

  • Wrong public key in DNS
  • Key was rotated but signature uses old key
  • Signature corrupted in transit

"dkim=neutral (no key for signature)"

Public key lookup failed.

Causes:

  • Selector doesn't exist in DNS
  • Typo in selector or domain
  • DNS propagation not complete

"dkim=none"

No DKIM signature on the message.

Causes:

  • Sending server doesn't sign
  • DKIM not configured for sending domain — see the DKIM setup guide
  • Some mail paths skip signing

Practitioner note: "Body hash did not verify" is the most frustrating failure—it means something between sender and recipient modified the message. Finding the culprit requires tracing the mail path through Received headers.

DKIM Verification Tools

Online Tools

  • MXToolbox DKIM Lookup: Enter domain + selector
  • dkimvalidator.com: Paste email headers
  • mail-tester.com: Send test email for full analysis
  • Google Admin Toolbox: Check MX and headers

Command Line

# Check if DKIM record exists
dig TXT selector._domainkey.domain.com +short

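# Get key details (extract the p= value, decode it, and print the RSA key parameters)
dig TXT google._domainkey.gmail.com +short | tr -d '" ' | sed 's/.*;p=//; s/;.*//' | base64 -d | openssl rsa -pubin -inform DER -text -noout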

Multiple DKIM Signatures

Emails can have multiple DKIM signatures (common when mail passes through multiple systems):

DKIM-Signature: v=1; a=rsa-sha256; d=sendgrid.net; s=s1; ...
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=google; ...

Each is verified independently. DMARC alignment is satisfied if any signature aligns with the From domain. For more on how this works with multiple senders, see SPF, DKIM, DMARC for multiple senders.
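
An added Python example (not from the original article) of the check described above: it reads every dkim= result from an Authentication-Results header and reports whether any passing signature aligns with the From domain. It trusts only a header whose authserv-id is your own receiver's, since any other copy may have been supplied by the sender. Assumptions: the header text is constructed, the function names are hypothetical, and alignment follows the article's exact-or-subdomain rule rather than a Public Suffix List lookup.

```python
import re

# Constructed sample: one receiver-stamped header reporting two signatures.
SAMPLE = (
    "Authentication-Results: mx.google.com;\r\n"
    "    dkim=pass header.i=@sendgrid.net header.s=s1 header.b=AAAAAAAA;\r\n"
    "    dkim=pass header.i=@example.com header.s=google header.b=dGVzdC;\r\n"
    "    spf=pass (constructed comment; ignored) smtp.mailfrom=bounce.sendgrid.net"
)

def dkim_results(header: str, trusted_authserv_id: str) -> list:
    """Return [(result, signing_domain)] per dkim= clause, [] if untrusted."""
    value = re.sub(r"\r?\n[ \t]+", " ", header)  # unfold continuation lines
    value = re.sub(r"^Authentication-Results:\s*", "", value, flags=re.I)
    value = re.sub(r"\([^()]*\)", "", value)     # drop (comments)
    authserv, _, rest = value.partition(";")
    first = authserv.split()
    # Ignore headers not stamped by our own receiver: they may be forged.
    if not first or first[0].lower() != trusted_authserv_id.lower():
        return []
    results = []
    for clause in rest.split(";"):
        m = re.match(r"\s*dkim=([a-z]+)", clause, flags=re.I)
        if not m:
            continue
        # Signing domain: header.d if present, else the domain part of header.i.
        dom = (re.search(r"\bheader\.d=([^\s;]+)", clause, flags=re.I)
               or re.search(r"\bheader\.i=[^\s;@]*@([^\s;]+)", clause, flags=re.I))
        results.append((m.group(1).lower(), dom.group(1).lower() if dom else None))
    return results

def is_aligned(from_domain: str, signing_domain: str) -> bool:
    """The article's rule: d= equals the From domain or is a subdomain of it."""
    f = from_domain.lower().rstrip(".")
    d = signing_domain.lower().rstrip(".")
    return d == f or d.endswith("." + f)

def dkim_aligned_pass(header: str, from_domain: str, trusted_authserv_id: str) -> bool:
    """True if any trusted dkim=pass result aligns with the From domain."""
    return any(res == "pass" and dom is not None and is_aligned(from_domain, dom)
               for res, dom in dkim_results(header, trusted_authserv_id))

if __name__ == "__main__":
    print(dkim_results(SAMPLE, "mx.google.com"))
    print(dkim_aligned_pass(SAMPLE, "example.com", "mx.google.com"))     # aligned
    print(dkim_aligned_pass(SAMPLE, "example.com", "mx.other.example"))  # untrusted
```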



v1.0 · March 2026

Frequently Asked Questions

How do I check if DKIM passed?

Look at the Authentication-Results header in the email. You'll see 'dkim=pass' if verification succeeded, 'dkim=fail' if it failed, or 'dkim=none' if there was no signature.

What does the DKIM-Signature header mean?

DKIM-Signature contains the cryptographic signature and metadata: v= (version), a= (algorithm), d= (signing domain), s= (selector), h= (signed headers), bh= (body hash), b= (signature).

Where is the DKIM public key stored?

The public key is in DNS as a TXT record at selector._domainkey.domain.com. Receivers look up this record using the s= (selector) and d= (domain) values from the signature.

What causes dkim=fail?

Common causes: message was modified in transit, public key not found in DNS, key mismatch (wrong key published), body hash doesn't match (content changed), or cryptographic verification failed.

How do I manually verify a DKIM signature?

Extract the signing domain and selector from DKIM-Signature, look up the public key with dig TXT selector._domainkey.domain.com, then use OpenSSL or an online tool to verify the signature against the message.
