DKIM failures on self-hosted servers are caused by five issues: DNS record doesn't match the signing key, wrong selector configured, DNS hasn't propagated yet, message was modified after signing (by mailing lists or content filters), or DKIM signing isn't enabled at all. Check the DKIM-Signature header in a test email to identify the selector, then verify the DNS TXT record matches your server's public key. Use MXToolbox's DKIM lookup to test.
Self-Hosted DKIM Not Passing: Troubleshooting Guide
DKIM Troubleshooting: Systematic Diagnosis
DKIM failures are the most common authentication issue on self-hosted servers. For the full authentication picture, see our email authentication guide. The good news is there are only a handful of things that can go wrong, and each is straightforward to fix once identified.
Quick Diagnosis
Send a test email to Gmail. Open it, click the three dots → Show original. Find the Authentication-Results header:
Authentication-Results: mx.google.com;
dkim=pass header.i=@yourdomain.com header.s=dkim;
If you see dkim=fail or dkim=none, continue troubleshooting below.
Also check the DKIM-Signature header in your sent email:
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=dkim;
c=relaxed/relaxed; h=from:to:subject:date:message-id;
bh=...; b=...
Key fields: d= (domain), s= (selector), a= (algorithm). Also see DKIM key management at scale and DNS configuration for related setup.
Issue 1: No DKIM Signature Being Added
If there's no DKIM-Signature header at all, your server isn't signing emails.
Mailcow
DKIM is configured per domain in the admin panel:
- Admin → Configuration → Domains → select domain
- Click DKIM tab
- If no key exists, generate one (2048-bit recommended)
- Copy the DNS record shown
Postal
DKIM keys are managed per sending domain:
- Postal admin → Organizations → select org → Domains
- Select domain → DKIM
- Generate key if none exists
- Add the DNS TXT record Postal provides
Postfix + OpenDKIM
Check if OpenDKIM is running and configured:
systemctl status opendkim
# Check signing table
cat /etc/opendkim/signing.table
# Should contain: *@yourdomain.com dkim._domainkey.yourdomain.com
Postfix + Rspamd
Check Rspamd DKIM signing:
cat /etc/rspamd/local.d/dkim_signing.conf
# Should contain path to key and selector
Issue 2: DNS Record Doesn't Match Key
The most common failure. Verify by comparing:
# What DNS says (public key)
dig dkim._domainkey.yourdomain.com TXT +short
# What your server has (private key → derive public key)
# Mailcow:
cat /opt/mailcow-dockerized/data/conf/rspamd/dkim/yourdomain.com.dkim.pub
# OpenDKIM:
openssl rsa -in /etc/opendkim/keys/yourdomain.com/dkim.private -pubout 2>/dev/null
The public key in DNS must match the public key derived from your server's private key.
Common Mismatch Causes
- Truncated key in DNS — the full key didn't paste correctly
- Extra whitespace or line breaks — DNS records must be clean
- Wrong selector — DNS record uses selector mail but server signs with dkim
- Regenerated key without updating DNS — server has new key, DNS has old key
Issue 3: Wrong Selector
The selector in the DKIM-Signature header must match the selector in your DNS record.
DKIM-Signature: s=dkim → DNS record must be at: dkim._domainkey.yourdomain.com
DKIM-Signature: s=mail → DNS record must be at: mail._domainkey.yourdomain.com
Check with MXToolbox:
https://mxtoolbox.com/dkim.aspx
Enter: yourdomain.com:selector
Issue 4: DNS Propagation
If you just added or changed the DKIM DNS record, it may not have propagated yet.
# Check from multiple DNS servers
dig @8.8.8.8 dkim._domainkey.yourdomain.com TXT +short
dig @1.1.1.1 dkim._domainkey.yourdomain.com TXT +short
DNS propagation typically takes 5 minutes to 24 hours depending on TTL and provider. Lower your TTL to 300 seconds before making changes.
Issue 5: Key Too Long for DNS
2048-bit RSA keys produce values exceeding DNS's 255-character string limit. The record must be split:
dkim._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhk..." "...remaining_key_data..."
Most DNS providers handle splitting automatically. If yours doesn't, manually split the p= value into 255-character chunks, each in separate quotes.
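The Issue 2 comparison and the Issue 5 chunking, as an added example that is not part of this guide: a small Python checker that takes the raw `dig ... TXT +short` output and the `openssl rsa -pubout` output (both constructed samples here, not real keys), joins the quoted TXT chunks, and reports which of the common mismatch causes applies, including stray invisible characters from a web-UI paste. The function names and diagnostic strings are my own.

```python
import re
# Constructed sample of `dig dkim._domainkey.yourdomain.com TXT +short` output: dig prints each
# 255-byte chunk of a long TXT record as its own quoted string (Issue 5); the key is shortened and not a real RSA key.
DIG_OUTPUT = '"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" "QUJDREVGR0g="'
# Constructed sample of `openssl rsa -in dkim.private -pubout` output for the same key.
PEM_OUTPUT = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
QUJDREVGR0g=
-----END PUBLIC KEY-----"""
B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
FWS = " \t\r\n"  # the only whitespace RFC 6376 lets a verifier ignore inside p=

def txt_strings(dig_line: str) -> str:
    """Join the quoted chunks dig prints for one TXT record into one string."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', dig_line))

def parse_dkim_record(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, trimming whitespace around tags and values."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def stray_characters(p_value: str) -> list:
    """Code points in p= that are neither base64 nor legal folding whitespace,
    e.g. the zero-width space or NBSP a web-UI paste can sneak in."""
    return sorted({f"U+{ord(c):04X}" for c in p_value if c not in B64_ALPHABET and c not in FWS})

def pem_to_p(pem: str) -> str:
    """Reduce `openssl rsa -pubout` PEM output to the bare base64 DKIM stores in p=."""
    return "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))

def diagnose(dig_line: str, pem: str) -> str:
    """Compare the published key with the server's key; return 'ok' or the mismatch cause."""
    if not dig_line.strip():
        return "no record: wrong selector or DNS not propagated yet"
    p_value = parse_dkim_record(txt_strings(dig_line)).get("p")
    if p_value is None:
        return "record has no p= tag"
    if stray := stray_characters(p_value):
        return "stray characters in p=: " + ", ".join(stray)
    dns_p = "".join(c for c in p_value if c not in FWS)
    server_p = pem_to_p(pem)
    if dns_p == server_p:
        return "ok"
    if server_p.startswith(dns_p):
        return "truncated key in DNS"
    return "key mismatch: DNS holds a different key than the server signs with"
```

Feed it the real `dig` output and your server's `openssl` output to get one of the causes from the list above instead of eyeballing two long base64 strings.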
Issue 6: Body Hash Mismatch
If the DKIM-Signature exists but verification fails with "body hash mismatch," something modified the email after your server signed it:
- Content filter modified the body (ClamAV, SpamAssassin adding headers)
- Mailing list added a footer
- Encoding change happened during relay
Fix: Ensure DKIM signing happens after all content modifications. In Postfix, configure milter order so OpenDKIM/Rspamd runs last.
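To see why Issue 6 fires, here is an added Python example (not from this guide) that implements the relaxed body canonicalization of RFC 6376 and the bh= check a verifier performs; the message body, the list footer and the `sign_body` helper are constructed, and b= is left as a placeholder because no RSA signing is done. It also shows what relaxed canonicalization tolerates (trailing whitespace) versus what it cannot (an appended footer).

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs of WSP
    to one SP, drop trailing WSP on each line, normalize to CRLF, and drop trailing
    empty lines. An empty body canonicalizes to an empty string."""
    text = body.replace(b"\r\n", b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in text.split(b"\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The bh= value a c=relaxed/relaxed, a=rsa-sha256 signer computes over the body."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def sign_body(body: bytes) -> str:
    """Constructed DKIM-Signature header value for the given body. Only bh= is real;
    b= is a placeholder because this example does not perform the RSA signature."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=dkim; "
            "h=from:to:subject:date:message-id; bh=" + body_hash(body) + "; b=PLACEHOLDER")

def bh_from_signature(header: str) -> str:
    """Pull bh= out of a DKIM-Signature header value, ignoring folding whitespace."""
    match = re.search(r"bh=([^;]+)", header)
    return re.sub(r"\s+", "", match.group(1)) if match else ""

def body_hash_matches(header: str, body: bytes) -> bool:
    """What a verifier checks first: does bh= still describe the body it received?"""
    return bh_from_signature(header) == body_hash(body)

# Constructed message body as the MTA signed it, and the footer a mailing list appends.
ORIGINAL_BODY = b"Hello team,\n\nPlease see the attached report.\n"
LIST_FOOTER = b"\n--\nYou received this because you are subscribed to the list.\n"

if __name__ == "__main__":
    sig = sign_body(ORIGINAL_BODY)
    print("unmodified body:      ", body_hash_matches(sig, ORIGINAL_BODY))  # True
    print("trailing-space rewrap:", body_hash_matches(sig, ORIGINAL_BODY.replace(b"\n", b"  \n")))  # True
    print("footer appended:      ", body_hash_matches(sig, ORIGINAL_BODY + LIST_FOOTER))  # False
```

Any milter or filter that runs after the signer and touches the body produces the third case, which is exactly the "body hash mismatch" the verifier reports.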
Practitioner note: The most frustrating DKIM failure I debug is the invisible character. A client copies the DKIM public key from their server, pastes it into their DNS provider, and an invisible Unicode character or trailing newline sneaks in. The record looks identical to human eyes but fails verification. I always recommend using the raw output from dig to compare, not the DNS provider's web UI.
Practitioner note: After fixing DKIM, always test by sending to Gmail — not just by checking DNS. A DNS lookup can show the record exists, but only a real email test proves the signing and verification chain works end-to-end.
If your DKIM is failing and you can't identify the cause, schedule a consultation — I'll trace the entire signing chain and fix the configuration.
Sources
- RFC 6376: DomainKeys Identified Mail (DKIM) Signatures
- Google: DKIM Authentication
- MXToolbox: DKIM Lookup
- OpenDKIM: Configuration Guide
v1.0 · April 2026
Frequently Asked Questions
How do I check if DKIM is passing?
Send an email to Gmail, click the three dots → Show original, and look for 'dkim=pass' in Authentication-Results. If it shows 'dkim=fail' or 'dkim=none', DKIM isn't working. The header also shows which selector and domain were checked.
What's the most common DKIM failure cause?
Key mismatch — the public key in DNS doesn't match the private key your server uses for signing. This happens when you regenerate keys and forget to update DNS, or when you copy the DNS record incorrectly (missing characters, extra whitespace).
How do I find my DKIM selector?
Check the DKIM-Signature header in a sent email — the 's=' field is the selector. Common defaults: 'dkim' for Mailcow, 'postal' for Postal, 'default' or 'mail' for OpenDKIM, 'dkim' for Rspamd. Or check your MTA configuration.
My DKIM record is too long for DNS. What do I do?
2048-bit DKIM keys exceed the 255-character limit for a single DNS TXT string. Split the key into multiple strings within one TXT record. Most DNS providers handle this automatically, but some require manual splitting. The format is: 'v=DKIM1; k=rsa; p=FIRST_PART' 'REST_OF_KEY'
Does DKIM failure affect deliverability?
Yes, significantly. DKIM is required by Gmail and Yahoo for bulk senders. DKIM failure also breaks DMARC alignment if SPF alignment also fails. Without DKIM, your email has no cryptographic proof of authenticity, making it easier to spoof and harder to deliver.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.