DKIM verification fails for four main reasons: 1) DNS record not published (DKIM key not found — add the TXT/CNAME record your ESP provides and verify the record hostname and selector), 2) Body hash mismatch (email content was modified in transit — common with mailing lists or security gateways), 3) Signature verification failed (the published key doesn't match the current signing key, or keys were rotated while mail was still in transit — re-publish the key your ESP currently generates), 4) DKIM alignment failure for DMARC (d= domain doesn't match From: domain — configure custom DKIM signing with your domain, not your ESP's).
DKIM Verification Failed: Every Cause and Fix
DKIM Failure Types
Failure 1: DKIM Key Not Found
Error: dkim=neutral (no key found) or dkim=temperror (key not found)
Cause: The receiving server can't find the DKIM public key in your DNS.
Fix:
- Identify the selector from the DKIM-Signature header (look for s=value, e.g., s=google, s=k1)
- Check DNS: the record should be at selector._domainkey.yourdomain.com
- Use MXToolbox DKIM Lookup to test
- If missing: add the TXT or CNAME record your ESP provided
- If present but not resolving: wait for DNS propagation (up to 48 hours)
Common mistakes:
- Record added to wrong hostname (domainkey instead of _domainkey)
- Record added to wrong domain (parent vs subdomain)
- CNAME target has a trailing dot issue
- DNS provider has TXT record character limit (use CNAME instead)
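The checks above can be scripted. The following is an added example, not code from the article or from any ESP: it parses a DKIM-Signature header for d= and s=, builds the hostname a verifier queries, explains the common hostname mistakes listed above, validates the shape of the TXT value (v=, p=, base64) and splits a long value into the 255-octet strings TXT records are made of. All domains, selectors and key material are constructed placeholders; the record is not looked up in live DNS.

```python
import base64
import binascii
import re

# Added example, not from the article: the checks a verifier effectively performs
# in the "key not found" case, run offline on constructed values.
# The domain, selector and key below are placeholders, not real records.


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature header into its tag=value pairs.
    Folding whitespace inside values (common in b= and bh=) is removed."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(tags):
    """The hostname a verifier queries: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def check_published_hostname(published, tags):
    """Explain why a record published at `published` will not be found for this signature.
    Returns [] when the hostname is the one the verifier queries."""
    expected = dkim_dns_name(tags)
    # DNS names are case-insensitive; a trailing dot only marks the name as fully qualified
    host = published.strip().rstrip(".").lower()
    if host == expected:
        return []
    labels = host.split(".")
    problems = []
    if "_domainkey" not in labels and "domainkey" in labels:
        problems.append("second label must be '_domainkey' (leading underscore missing)")
    if labels[0] != tags["s"].lower():
        problems.append(f"selector label is '{labels[0]}' but the signature uses s={tags['s']}")
    if not host.endswith("." + tags["d"].lower()):
        problems.append(f"record is not under the signing domain d={tags['d']}")
    if not problems:
        problems.append(f"published at '{host}' but the verifier queries '{expected}' (parent vs subdomain?)")
    return problems


def parse_dkim_record(txt):
    """Parse the TXT value (e.g. 'v=DKIM1; k=rsa; p=...') and list problems a verifier would hit."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be 'DKIM1' when present")
    if "p" not in tags:
        problems.append("p= (public key) tag is missing")
    elif tags["p"] == "":
        problems.append("p= is empty: the key is revoked, every signature using this selector fails")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64 (usually a copy/paste truncation)")
    return tags, problems


def split_txt_strings(value, limit=255):
    """A TXT RDATA is a sequence of strings of at most 255 octets that verifiers concatenate.
    Providers that reject long values usually accept the record split into these chunks."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


if __name__ == "__main__":
    # constructed signature header, as seen in 'Show Original'; key material is a placeholder
    sig = parse_dkim_signature(
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=google;\r\n"
        " h=from:to:subject:date; bh=placeholderbodyhash=; b=placeholdersignature="
    )
    print("verifier queries:", dkim_dns_name(sig))
    for host in ("google._domainkey.yourdomain.com.", "google.domainkey.yourdomain.com",
                 "k1._domainkey.yourdomain.com", "google._domainkey.mail.yourdomain.com"):
        print(f"{host:45} {check_published_hostname(host, sig) or 'OK'}")
    record = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDE"  # truncated placeholder key
    print(parse_dkim_record(record)[1] or "record well-formed")
    print(parse_dkim_record("v=DKIM1; k=rsa; p=")[1])
    print([len(s) for s in split_txt_strings("v=DKIM1; k=rsa; p=" + "A" * 400)])
```

Run it against the header from your own test message and the hostname you actually typed into your DNS provider: if `check_published_hostname` returns anything, that is the hostname the verifier is failing to resolve. An empty p= is worth noticing separately, since it is a valid record that still fails every signature (it means "key revoked").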
Failure 2: Body Hash Mismatch
Error: dkim=fail (body hash did not verify)
Cause: The email body was modified after DKIM signed it. The hash in the signature no longer matches the actual body.
Common causes:
- Mailing list software added a footer
- Email security gateway (Proofpoint, Mimecast) modified the message
- Email forwarding service altered the body
- Antivirus software added a disclaimer
Fix:
- If mailing list: this is expected behavior. ARC (Authenticated Received Chain) helps forwarding services preserve DKIM. Ensure DKIM alignment is relaxed in DMARC.
- If security gateway: configure the gateway to preserve DKIM signatures (often a setting in the gateway).
- If forwarding: not much you can do. DKIM relies on body integrity. Use ARC if available.
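To see exactly what "body hash did not verify" means, here is an added example (not code from the article): it computes bh= the way a verifier does, using RFC 6376 simple and relaxed body canonicalization, then shows a mailing-list footer appended after signing breaking the hash, and a whitespace-only rewrite that relaxed canonicalization absorbs but simple does not. The message, the footer and the signature tags are constructed; only bh=, c= and a= are consulted, so no key material is needed.

```python
import base64
import hashlib
import re

# Added example, not from the article: compute the bh= body hash the way a verifier does
# (RFC 6376 body canonicalization) and show why a footer appended after signing breaks it.
# The message, the mailing-list footer and the signature tags below are constructed samples.


def canonicalize_body(body, algorithm="simple"):
    """RFC 6376 section 3.4 body canonicalization; `body` uses CRLF line endings."""
    if algorithm == "relaxed":
        # per line: collapse runs of SP/TAB to a single SP and drop trailing whitespace
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in body.split("\r\n")]
        body = "\r\n".join(lines)
    elif algorithm != "simple":
        raise ValueError(f"unknown canonicalization {algorithm!r}")
    # both algorithms drop every empty line at the end of the body
    body = body.rstrip("\r\n")
    # simple always ends with one CRLF (even for an empty body); relaxed only when non-empty
    if body or algorithm == "simple":
        body += "\r\n"
    return body


def body_hash(body, algorithm="simple", hash_name="sha256"):
    """Base64 digest of the canonicalized body: the value that goes into bh=."""
    digest = hashlib.new(hash_name, canonicalize_body(body, algorithm).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def body_algorithm(sig):
    """c= is header/body; when only one algorithm is given the body uses simple."""
    parts = sig.get("c", "simple/simple").split("/")
    return parts[1] if len(parts) == 2 else "simple"


def verify_body_hash(sig, body):
    """Return (matches, computed) for a DKIM-Signature given as a dict of its tags."""
    hash_name = "sha1" if sig.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    computed = body_hash(body, body_algorithm(sig), hash_name)
    return computed == sig["bh"], computed


if __name__ == "__main__":
    original = "Hi team,\r\n\r\nThe Q3 invoice is attached.\r\n\r\nThanks,\r\nAva\r\n"
    # what the sender's signer recorded (constructed signature; only bh= and c= matter here)
    sig = {"v": "1", "a": "rsa-sha256", "c": "relaxed/relaxed", "d": "yourdomain.com",
           "s": "google", "bh": body_hash(original, "relaxed")}
    print("as sent       :", verify_body_hash(sig, original))
    # a mailing list appends its footer after the message was signed
    footer = "\r\n-- \r\nYou received this because you are subscribed to team@list.example.org\r\n"
    print("with footer   :", verify_body_hash(sig, original + footer))
    # a gateway that only re-wraps whitespace is absorbed by relaxed but not by simple
    reflowed = original.replace("Hi team,", "Hi  team,  ")
    print("relaxed reflow:", verify_body_hash(sig, reflowed))
    sig_simple = dict(sig, c="relaxed/simple", bh=body_hash(original, "simple"))
    print("simple reflow :", verify_body_hash(sig_simple, reflowed))
```

The c= tag in your own DKIM-Signature tells you which case you are in: with c=relaxed/relaxed a gateway that only touches whitespace will still pass, while any change to the actual bytes of the body (footer, disclaimer, link rewriting) fails under both algorithms, which is why the fix for forwarded mail is ARC rather than a DKIM setting.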
Failure 3: Signature Verification Failed
Error: dkim=fail (signature verification failed)
Cause: The DKIM signature doesn't match the public key, or the key has changed since signing.
Common causes:
- DKIM key was rotated but old signatures are still in transit
- DNS record doesn't match the signing key (configuration mismatch)
- Key corruption (rare)
Fix:
- Verify the DNS record matches what your ESP currently generates
- If you recently rotated keys: old emails in transit will fail until they're delivered. This is temporary.
- Re-generate the DKIM key in your ESP and re-publish the DNS record
Failure 4: DKIM Alignment Failure (DMARC)
Error: dkim=pass but dmarc=fail
Cause: DKIM passed, but the signing domain (d=) doesn't match the From: header domain. DMARC requires alignment.
Example:
DKIM-Signature: d=sendgrid.net (DKIM signed by SendGrid)
From: [email protected] (From header is your domain)
Result: DKIM passes for sendgrid.net, but DMARC alignment fails
Fix: Configure custom DKIM signing in your ESP so it signs with YOUR domain:
- SendGrid: Settings → Sender Authentication → Authenticate Your Domain
- Mailgun: Domain Settings → DKIM → add DNS records
- Klaviyo: Settings → Domains → Add Sending Domain
- Google Workspace: Admin → Apps → Gmail → Authenticate Email → Enable DKIM
After configuration, DKIM-Signature should show d=yourdomain.com.
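The alignment rule in this section (and the same question in the FAQ below) is mechanical enough to check in code. The following is an added example, not code from the article or from any ESP: it parses an Authentication-Results header and the From: header, reads adkim= from a DMARC record, and reports whether each dkim=pass counts toward DMARC. The headers are constructed to look like Gmail's "Show Original" output. The organizational-domain rule is a deliberate simplification (last two labels plus a tiny hand-picked list of two-level suffixes); real verifiers use the Public Suffix List.

```python
import re

# Added example, not from the article: the DMARC identifier-alignment check applied to the
# DKIM result, run on constructed headers. Organizational-domain derivation is simplified
# (last two labels plus a tiny hand-picked suffix list); real verifiers use the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def organizational_domain(name):
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def dkim_aligned(from_domain, signing_domain, mode="r"):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), signing_domain.lower().rstrip(".")
    return a == b if mode == "s" else organizational_domain(a) == organizational_domain(b)


def parse_dmarc_record(txt):
    """'v=DMARC1; p=reject; adkim=s' -> dict; adkim defaults to relaxed."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    tags.setdefault("adkim", "r")
    return tags


def parse_authentication_results(header):
    """Authentication-Results -> list of (method, result, {property: value}); comments are dropped."""
    text = re.sub(r"\([^)]*\)", "", header)          # strip (comments) such as Gmail's SPF note
    stanzas = [s.strip() for s in text.split(";")]
    results = []
    for stanza in stanzas[1:]:                       # stanzas[0] is the authserv-id (mx.google.com)
        m = re.match(r"(\w+)=(\w+)", stanza)
        if not m:
            continue
        props = dict(re.findall(r"([\w.]+)=(\S+)", stanza[m.end():]))
        results.append((m.group(1).lower(), m.group(2).lower(), props))
    return results


def dkim_signing_domain(props):
    """Signing domain from header.d=, or from header.i=@domain when only i= is reported."""
    if "header.d" in props:
        return props["header.d"]
    if "header.i" in props:
        return props["header.i"].rpartition("@")[2]
    return None


def explain_dmarc_dkim(auth_results, from_header, dmarc_txt):
    """For every dkim= result, say whether it counts toward DMARC; returns (any_aligned, details)."""
    from_domain = from_header.rpartition("@")[2].strip(" <>")
    mode = parse_dmarc_record(dmarc_txt)["adkim"]
    details = []
    for method, result, props in parse_authentication_results(auth_results):
        if method != "dkim":
            continue
        d = dkim_signing_domain(props)
        aligned = result == "pass" and d is not None and dkim_aligned(from_domain, d, mode)
        details.append({"result": result, "d": d, "from": from_domain, "adkim": mode, "aligned": aligned})
    return any(x["aligned"] for x in details), details


if __name__ == "__main__":
    # constructed headers modelled on Gmail's 'Show Original'; the IP is from the documentation range
    before = ("mx.google.com;\r\n"
              " dkim=pass header.i=@sendgrid.net header.s=s1 header.b=placeholder;\r\n"
              " spf=pass (google.com: domain of bounces.sendgrid.net designates 192.0.2.10 as permitted sender)"
              " smtp.mailfrom=bounces.sendgrid.net;\r\n"
              " dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=yourdomain.com")
    after = "mx.google.com; dkim=pass header.d=em.yourdomain.com header.s=s1 header.b=placeholder"
    sender = "Ava <ava@yourdomain.com>"
    for label, ar in (("ESP default", before), ("custom domain", after)):
        for dmarc in ("v=DMARC1; p=reject", "v=DMARC1; p=reject; adkim=s"):
            ok, details = explain_dmarc_dkim(ar, sender, dmarc)
            print(f"{label:14} {dmarc:30} aligned={ok} {details}")
```

Two things the output makes visible: a d= of sendgrid.net never aligns with yourdomain.com no matter what the DMARC record says, and a custom signing domain such as em.yourdomain.com aligns under the default relaxed mode but not if your DMARC record sets adkim=s. If you publish adkim=s, the d= in your signatures has to be exactly the From: domain.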
Verification Steps
- Send test email to personal Gmail
- View original (three dots → Show Original)
- Check DKIM-Signature header:
  - d= should be your domain
  - s= should match a DNS record you've published
- Check Authentication-Results:
  - Should show dkim=pass header.d=yourdomain.com
  - Should show
- If failing, check DNS with MXToolbox DKIM Lookup
ESP-Specific DKIM Setup
| ESP | Default d= | Custom d= Setup |
|---|---|---|
| Google Workspace | onmicrosoft.com (before enabling) | Admin → Apps → Gmail → Authenticate Email |
| SendGrid | sendgrid.net | Settings → Sender Authentication → Domain Auth |
| Mailgun | mailgun.org | Domain Settings → DNS records |
| Klaviyo | klaviyo.com | Settings → Domains → Add Sending Domain |
| Mailchimp | mailchimp.com | Settings → Domains → Authenticate |
| ActiveCampaign | Various | Settings → Advanced → Domains |
| Postmark | Default = your domain | Auto-configured on domain verification |
Practitioner note: The most common DKIM failure I see: the user set up their ESP but never added the DKIM DNS records. The ESP signs the email, but the receiving server can't find the public key because it was never published. DKIM "key not found" is always a DNS issue. Check DNS first.
Practitioner note: The alignment failure (DKIM passes but DMARC fails) trips up more people than actual DKIM failures. Gmail now requires alignment. If your ESP signs with their domain instead of yours, you need to configure custom domain authentication in your ESP settings. This is the #1 actionable fix for most DMARC issues.
If DKIM keeps failing and you can't identify the cause, schedule a consultation — I'll trace the exact failure and fix it.
Sources
- RFC 6376: DKIM
- MXToolbox: DKIM Lookup
v1.0 · March 2026
Frequently Asked Questions
What does 'DKIM key not found' mean?
The receiving server looked up your DKIM public key in DNS using the selector from the DKIM-Signature header and couldn't find it. Causes: DNS record not added, wrong selector name, DNS hasn't propagated yet, or the TXT record was accidentally deleted.
What is a DKIM body hash mismatch?
The DKIM signature includes a hash of the email body. If anything modifies the body after signing (mailing list footer, email security gateway, forwarding service), the hash no longer matches and DKIM fails. This is a known limitation of DKIM with email forwarding.
DKIM passes but DMARC still fails. Why?
DMARC requires alignment: the d= domain in DKIM must match the From: domain. If DKIM passes for 'sendgrid.net' (your ESP's domain) but your From: is 'yourdomain.com', DKIM passes but DMARC alignment fails. Fix: configure custom DKIM signing with your domain.
How do I check if DKIM is configured correctly?
Send a test email to Gmail → three dots → Show Original. Check: 1) DKIM-Signature header exists, 2) d= shows your domain (not your ESP's), 3) Authentication-Results shows dkim=pass. Also check DNS with MXToolbox DKIM Lookup: enter selector._domainkey.yourdomain.com.
My ESP says DKIM is configured but it's failing. What's wrong?
Common causes: DNS record added to the wrong domain or hostname (check for typos), DNS hasn't fully propagated (wait 4-24 hours), your ESP uses CNAME records that chain to their key (check if the CNAME target resolves), or you have multiple DKIM records conflicting.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.