DKIM Signature Invalid: Troubleshooting Guide

Fix DKIM signature validation errors. Learn the most common causes of invalid DKIM signatures and step-by-step solutions to restore email authentication.

December 15, 2025

Introduction

When your DKIM signature fails validation, your emails lose a critical authentication layer. They may still be delivered, but your domain is more exposed to spoofing and you may experience deliverability issues.

This guide covers the most common causes of invalid DKIM signatures and how to fix them.

What "DKIM Signature Invalid" Means

DKIM adds a cryptographic signature to your emails. Receiving servers verify this signature using your public key (published in DNS). If verification fails, you see errors like:

  • dkim=fail
  • dkim=temperror
  • dkim=permerror
  • "DKIM signature invalid"
  • "DKIM verification failed"

Common Causes and Solutions

Cause 1: DNS Record Not Found or Incorrect

Symptoms:

  • dkim=permerror in headers
  • "DKIM public key not found"
  • Recently enabled DKIM

Why it happens:

  • DKIM DNS record not published
  • Wrong selector name
  • Typo in DNS record
  • DNS not propagated yet

Solution:

Step 1: Verify DKIM DNS record exists

dig selector._domainkey.yourdomain.com TXT

Replace selector with your actual selector:

  • Google Workspace: google
  • Microsoft 365: selector1, selector2
  • Mailchimp: k1
  • Custom: check your email provider

Step 2: Check record format

Your DKIM record should look like:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Step 3: Use our checker

DKIM Checker →

  • Enter domain
  • Enter selector
  • Verify record is found and valid

Step 4: Fix if needed

  • If record not found: Add DKIM DNS record
  • If selector wrong: Use correct selector
  • If format wrong: Copy exact value from email provider
  • If just added: Wait 30-60 minutes for DNS propagation

Cause 2: Email Content Modified in Transit

Symptoms:

  • dkim=fail for some emails
  • Works for some recipients, fails for others
  • Mailing lists frequently fail

Why it happens:

DKIM signs email content. If anything modifies the email after signing, verification fails.

Common modifiers:

  • Mailing list software (adds footers, subject prefixes)
  • Email forwarding
  • Anti-virus/spam filters (modify content)
  • Email clients (reformat messages)

Example:

Original email:

Subject: Important Update
Body: Hello, this is our update.

After mailing list modification:

Subject: [ListName] Important Update
Body: Hello, this is our update.
       
[Unsubscribe] | [List Info]

The DKIM signature is now invalid because the content changed.
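The effect of that footer on the body hash (the bh= tag), as an added example that is not part of the original article. It applies the two RFC 6376 body canonicalization modes to constructed sample bodies based on the example above and assumes a SHA-256 signature (a=rsa-sha256); the function and variable names are illustrative.

```python
import base64
import hashlib
import re

def canonical_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Apply RFC 6376 body canonicalization ("simple" or "relaxed")."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs, then drop whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    out = b"".join(ln + b"\r\n" for ln in lines)
    # An empty body canonicalizes to CRLF in simple mode, to nothing in relaxed.
    return out or (b"\r\n" if mode == "simple" else b"")

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Value a verifier recomputes and compares with the bh= tag."""
    digest = hashlib.sha256(canonical_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

# Constructed sample bodies, based on the example above.
SIGNED = b"Hello, this is our update.\r\n"
RESPACED = b"Hello,  this is our update. \t\r\n\r\n\r\n"      # whitespace-only changes
WITH_FOOTER = SIGNED + b"\r\n[Unsubscribe] | [List Info]\r\n"  # list footer appended

def compare(mode: str = "relaxed") -> dict:
    """Which modified bodies still match the signed body hash in this mode?"""
    signed = body_hash(SIGNED, mode)
    return {"respaced": body_hash(RESPACED, mode) == signed,
            "with_footer": body_hash(WITH_FOOTER, mode) == signed}

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, compare(mode))
```

Relaxed canonicalization absorbs whitespace-only rewrites, but no mode survives an appended footer.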

Solution:

For list administrators:

  1. Configure list to not modify subject lines
  2. Add footers before DKIM signing (not after)
  3. Use DKIM-friendly list software

For senders:

  1. Use separate subdomain for list emails
  2. Accept that some forwarded emails will fail DKIM
  3. Ensure SPF still passes (DMARC needs only one)

For DMARC compliance:

  • Use relaxed alignment: adkim=r
  • Ensure SPF passes for alignment
  • SPF and DKIM don't both need to pass; one aligned pass is enough

Cause 3: Key Rotation Without DNS Update

Symptoms:

  • DKIM worked yesterday, fails today
  • dkim=permerror or dkim=fail
  • Recent email provider changes

Why it happens:

Email providers periodically rotate DKIM keys for security. If DNS isn't updated with the new public key, verification fails.

Solution:

Step 1: Check if provider rotated keys

Contact or check announcements from:

  • Google Workspace admin console
  • Microsoft 365 admin center
  • Email service provider dashboard

Step 2: Get new DKIM public key

Most providers show the current DKIM settings in their admin panel.

Step 3: Update DNS record

  1. Log in to DNS provider
  2. Find existing DKIM record
  3. Update with new public key value
  4. Save and wait 30 minutes

Step 4: Verify

Check DKIM →

Prevention:

  • Set up monitoring for DKIM failures
  • Subscribe to provider email notifications
  • Use automation for DNS updates (Terraform, CloudFormation)

Cause 4: Wrong or Multiple Selectors

Symptoms:

  • DKIM record exists but verification fails
  • dkim=permerror

Why it happens:

Your email server signs with one selector (e.g., google) but the DNS record is published under a different selector, or you have multiple conflicting DKIM setups.

Solution:

Step 1: Identify selector in email headers

Send a test email, view its headers, and look for:

DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=selector;

The s= tag shows the selector used for signing.

Step 2: Verify DNS record for that selector

dig selector._domainkey.yourdomain.com TXT

Step 3: Fix mismatch

  • If DNS missing: Add DKIM record for that selector
  • If wrong selector: Update email server configuration
  • If multiple selectors: Ensure all have valid DNS records

Step 4: Verify each selector

If using multiple (Google + Marketing platform):

  • google._domainkey.yourdomain.com
  • mailchimp._domainkey.yourdomain.com
  • k1._domainkey.yourdomain.com

Test each: DKIM Checker →

Cause 5: Key Length Issues

Symptoms:

  • dkim=fail
  • Errors mention key length
  • Recently upgraded security

Why it happens:

  • Using deprecated 512-bit keys (too short)
  • Very old 1024-bit keys
  • Incompatible key algorithms

Solution:

Check current key length:

dig selector._domainkey.yourdomain.com TXT

Look at the public key length in the output.

Recommended:

  • Minimum: 1024-bit (acceptable)
  • Recommended: 2048-bit (modern standard)
  • Avoid: 512-bit (deprecated, insecure)

How to upgrade:

  1. Generate new 2048-bit key in email provider
  2. Publish new key with different selector
  3. Configure server to sign with new selector
  4. Test before removing old key
  5. Remove old key after 48 hours
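One way to read the key length out of a p= value, and to run the record format check from Cause 1 at the same time (an added example, not code from the original article). It assumes an RSA key, uses the size thresholds listed above, and builds its sample records from a right-sized number that is not a real key; all function names are illustrative.

```python
import base64

def parse_tags(txt):
    """Split a DKIM key record into {tag: value}, dropping folding whitespace."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos=0):
    """Read the DER element at pos; return (value_bytes, next_pos)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(p_b64):
    """Modulus size in bits of the RSA SubjectPublicKeyInfo carried in p=."""
    spki, _ = _tlv(base64.b64decode(p_b64, validate=True))  # outer SEQUENCE
    _, pos = _tlv(spki)              # skip AlgorithmIdentifier
    bitstr, _ = _tlv(spki, pos)      # BIT STRING
    rsakey, _ = _tlv(bitstr, 1)      # skip the unused-bits byte
    modulus, _ = _tlv(rsakey)        # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt):
    """Findings for one selector._domainkey TXT value; [] means it looks fine."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["v= must be DKIM1"]
    if not tags.get("p"):
        return ["p= missing or empty: no usable public key"]
    try:
        bits = rsa_bits(tags["p"])
    except (ValueError, IndexError):
        return ["p= is not valid base64 DER (truncated or mis-pasted?)"]
    if bits < 2048:
        note = "deprecated, insecure" if bits < 1024 else "acceptable, 2048-bit recommended"
        return [f"{bits}-bit key: {note}"]
    return []

def _der(tag, body):  # minimal DER encoder, only used to build the sample below
    size = len(body).to_bytes(2, "big").lstrip(b"\x00") or b"\x00"
    return bytes([tag]) + (size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size) + body

def constructed_record(bits):  # constructed sample: right-sized modulus, NOT a real key
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")
    key = _der(0x03, b"\x00" + _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01")))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(_der(0x30, alg + key)).decode()
```

Pass `check_record` the TXT value returned by dig with its quoted chunks joined into one string; a value that was cut off when copied is reported as invalid rather than measured.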

Cause 6: Clock Skew / Timestamp Issues

Symptoms:

  • dkim=temperror
  • Intermittent failures
  • "Signature timestamp invalid"

Why it happens:

DKIM signatures include timestamps. If sender or receiver clocks are significantly off, validation fails.

Solution:

For server administrators:

  1. Ensure servers use NTP (Network Time Protocol)
  2. Verify time is accurate
  3. Check timezone configuration

For users: This is usually a server-side issue; contact your email provider.
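A header triage sketch covering the selector lookup from Cause 4 and the timestamp check above (an added example, not part of the original article). The sample message is constructed, the 300-second skew tolerance is an assumption, and the function names are illustrative; t= and x= are the signature's optional timestamp and expiry tags.

```python
import time
from email import message_from_string

MAX_SKEW = 300  # assumed tolerance in seconds; verifiers choose their own

# Constructed sample: one message signed by two services (placeholder bh=/b=).
RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
    "        d=yourdomain.com; s=google; t=1765800000;\n"
    "        h=from:to:subject:date; bh=abc123; b=xyz789\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=k1;\n"
    "        t=1765800000; x=1765800300; h=from:subject; bh=abc123; b=xyz789\n"
    "From: sender@yourdomain.com\n"
    "Subject: Important Update\n"
    "\n"
    "Hello, this is our update.\n"
)

def signature_tags(raw_message):
    """Return one {tag: value} dict per DKIM-Signature header, in message order."""
    headers = message_from_string(raw_message).get_all("DKIM-Signature", [])
    return [{k.strip(): "".join(v.split())
             for k, v in (p.split("=", 1) for p in h.split(";") if "=" in p)}
            for h in headers]

def triage(raw_message, now=None):
    """For each signature: the DNS name to query plus any timestamp findings."""
    now = time.time() if now is None else now
    report = []
    for tags in signature_tags(raw_message):
        notes = []
        if "t" in tags and int(tags["t"]) > now + MAX_SKEW:
            notes.append("t= is in the future: check the signing server's clock")
        if "x" in tags and int(tags["x"]) < now:
            notes.append("x= has passed: signature expired")
        name = f"{tags.get('s', '?')}._domainkey.{tags.get('d', '?')}"
        report.append((name, notes))
    return report

if __name__ == "__main__":
    for name, notes in triage(RAW, now=1765800600):
        print(name, notes or "timestamps OK")
```

Each name in the report is what to pass to dig as a TXT query.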

Cause 7: DNS Propagation / Caching Issues

Symptoms:

  • DKIM works sometimes, fails other times
  • Different results from different locations
  • Just updated DNS

Why it happens:

DNS changes take time to propagate globally. Some servers see the old record, others see the new one.

Solution:

Check propagation status:

whatsmydns.net

  • Query: selector._domainkey.yourdomain.com
  • Type: TXT
  • Check globally

Wait for full propagation:

  • Typical: 1-2 hours
  • Maximum: 48 hours

Speed up future changes:

  • Lower TTL before making changes (300 seconds)
  • Make changes during low-traffic periods
  • Wait before switching to new keys

Diagnostic Checklist

When troubleshooting DKIM failures:

  • DNS record exists

    dig selector._domainkey.yourdomain.com TXT
  • Selector matches

    • Check email headers for s= value
    • Verify DNS record for that selector
  • Record format valid

    • Starts with v=DKIM1
    • Contains p= with public key
    • No syntax errors
  • No content modification

    • Check if mailing list or forwarder involved
    • Test direct send (not through list)
  • Key not expired or rotated

    • Check with email provider
    • Verify current key in DNS
  • DNS propagated

    • Query from multiple locations
    • Wait appropriate time
  • Time synchronization

    • Verify server clocks accurate

Testing DKIM

Send Test Email

  1. Send from your domain to test address
  2. View email headers (Show Original / View Source)
  3. Look for DKIM-Signature header:

     DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
             d=yourdomain.com; s=selector;
             h=from:to:subject:date;
             bh=abc123...;
             b=xyz789...
  4. Check Authentication-Results:

Good:

dkim=pass header.i=@yourdomain.com header.s=selector

Bad:

dkim=fail reason="signature verification failed"
dkim=permerror reason="no key for signature"

Use Testing Tools

Our DKIM Checker: Check DKIM →

Mail-tester.com:

  1. Visit mail-tester.com
  2. Send email to provided address
  3. Review DKIM score

Google Admin Toolbox: https://toolbox.googleapps.com/apps/checkmx/

Platform-Specific Troubleshooting

Google Workspace

Common issue: DKIM not enabled by default

Solution:

  1. Go to Google Admin → Apps → Gmail → Authenticate email
  2. Verify DKIM is enabled
  3. Check DNS records match Google's instructions

Full guide →

Microsoft 365

Common issue: Using wrong selector

Solution:

  • Microsoft uses two selectors: selector1 and selector2
  • Both must have DNS records
  • Check both are properly configured

Full guide →

Mailchimp / Marketing Platforms

Common issue: Domain authentication not completed

Solution:

  1. Verify domain in platform settings
  2. Add all DKIM DNS records provided
  3. Complete verification process

Prevention and Monitoring

Set Up Monitoring

DMARC reports show DKIM pass/fail rates:

Email headers for spot checks:

  • Send test emails regularly
  • Verify dkim=pass in headers

Best Practices

Use 2048-bit keys

  • More secure than 1024-bit
  • Future-proof

Rotate keys annually

  • Improve security
  • Update DNS proactively

Monitor DNS records

  • Regular audits
  • Automated checks

Test after changes

  • Always send test emails
  • Verify before production

Document selectors

  • Keep record of all DKIM selectors in use
  • Note which services use which selectors

The Bottom Line

DKIM signature failures usually stem from:

  1. Missing/incorrect DNS record (most common)
  2. Email content modified by forwarders/lists
  3. Key rotation without DNS update
  4. Wrong selector in configuration
  5. DNS propagation delay

Quick fix for most issues:

  1. Verify DNS record exists and is correct
  2. Check selector matches
  3. Wait for DNS propagation
  4. Send test email

Timeline:

  • Check DNS: 5 minutes
  • Fix record: 5 minutes
  • DNS propagation: 30-60 minutes
  • Verification: 5 minutes

Next Steps

  1. Check DKIM status: DKIM Checker →
  2. Verify SPF and DMARC: Domain Score →
  3. Monitor ongoing: Get alerts →
