How do I interpret SpamAssassin DKIM test results and troubleshoot DKIM signature issues?
Michael Ko
Co-founder & CEO, Suped
Published 29 May 2025
Updated 17 Aug 2025
Understanding how your emails are perceived by spam filters is crucial for deliverability. DomainKeys Identified Mail (DKIM) is a key authentication standard that helps receiving mail servers verify that an email was indeed sent by the domain it claims to be from and that it hasn't been tampered with in transit. When issues arise, tools like SpamAssassin provide valuable insights, but their raw output can sometimes be challenging to decipher.
SpamAssassin, a widely used open-source spam filter, often assigns scores and flags to incoming emails based on a multitude of rules, including those related to DKIM. While an email might have a correctly configured DKIM record, SpamAssassin could still flag it in ways that seem confusing. This can lead to your legitimate emails being misclassified as spam or blocked by recipient servers, impacting your overall email deliverability. Navigating these reports requires a deeper understanding of what each test result signifies and how to approach troubleshooting.
Decoding these test results is the first step toward diagnosing underlying issues with your email sending infrastructure or DKIM setup. It's not just about getting a 'pass' or 'fail', but understanding the nuances of how SpamAssassin evaluates your email's DKIM signature.
SpamAssassin processes emails and assigns a score, with higher scores indicating a greater likelihood of spam. When it comes to DKIM, you'll typically see various rules that contribute to this score. The most common DKIM-related rules are DKIM_SIGNED, DKIM_VALID, and DKIM_INVALID (or DKIM_INVALID_DKIM). Each rule has an assigned score, either positive (adding to spam score) or negative (reducing spam score), based on whether the rule triggers.
A common point of confusion arises when you see both DKIM_SIGNED and DKIM_INVALID (or similar) listed in the results. This doesn't mean your DKIM setup is correct; rather, it indicates that a DKIM-Signature header was present in the email, but the signature itself was not valid. It's essentially telling you, "I see a signature, but it's broken." You can find more details on these specific rules in the Apache SpamAssassin DKIM plugin documentation.
| SpamAssassin Rule | Meaning | Typical Score Impact | Action if triggered |
|---|---|---|---|
| DKIM_SIGNED | The email includes a DKIM-Signature header. | Slight positive (e.g., 0.1), indicates presence. | If also DKIM_INVALID, troubleshoot signature validity. |
| DKIM_VALID | The DKIM signature is valid and verified against the DNS record. | Negative (e.g., -0.1 to -0.5), reduces spam score. | No action needed for DKIM, but check other rules. |
| DKIM_INVALID | The email has a DKIM signature, but it failed verification. | Positive (e.g., 0.1 to 0.5), adds to spam score. | This signals a problem. Investigate the cause of the invalid signature. |
| DKIM_PERMFAIL | A permanent error occurred, often due to a missing or malformed DKIM DNS record. | | |
Crucially, SpamAssassin's score is cumulative. A small positive score from an invalid DKIM doesn't automatically mean your email will go to spam, especially if other positive authentication checks (like SPF) are present and overall content is clean. However, it's a strong indicator that something is amiss with your DKIM signature, and fixing it is essential for optimal deliverability.
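The following is an added example, not code from the original article: it parses the "pts rule name description" rows of a SpamAssassin report, applies the rule interpretation from the table above, and reports how much the DKIM rules contributed to the cumulative score. The sample report and its scores are constructed for illustration, and the function names are hypothetical.

```python
import re

# "pts rule name description" rows of a SpamAssassin report.
RULE_ROW = re.compile(r"^[ \t]*(-?\d+(?:\.\d+)?)[ \t]+([A-Z][A-Z0-9_]+)\b", re.M)
# Rule names this page lists for a signature that is present but did not verify.
INVALID = {"DKIM_INVALID", "DKIM_INVALID_DKIM", "DKIM_PERMFAIL"}

# Constructed sample report; the scores are illustrative, not SpamAssassin defaults.
SAMPLE_REPORT = """\
Content analysis details:   (0.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- ------------------------------------------
 0.1 DKIM_SIGNED            Message has a DKIM signature
 0.1 DKIM_INVALID           DKIM signature exists, but is not valid
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           HTML included in message
 0.1 MIME_HTML_ONLY         Message only has text/html MIME parts
"""

def parse_report(report: str) -> dict:
    """Map each rule that fired to the points it contributed."""
    return {name: float(pts) for pts, name in RULE_ROW.findall(report)}

def dkim_state(rules: dict) -> str:
    fired = set(rules)
    if "DKIM_SIGNED" not in fired:
        return "unsigned"             # no DKIM-Signature header at all
    if fired & INVALID:
        return "signed-but-broken"    # header present, verification failed
    if "DKIM_VALID" in fired:
        return "valid"
    return "signed-unverified"        # signature seen, no verdict rule fired

def summarize(report: str, required: float = 5.0) -> dict:
    rules = parse_report(report)
    total = round(sum(rules.values()), 2)
    dkim_pts = round(sum(p for r, p in rules.items() if r.startswith("DKIM_")), 2)
    return {
        "dkim": dkim_state(rules),
        "total": total,
        "dkim_points": dkim_pts,
        "is_spam": total >= required,
        # True only when the DKIM rules alone push the message over the threshold.
        "dkim_tipped_it": total >= required > round(total - dkim_pts, 2),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```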
Common reasons for DKIM signature failures
DKIM signatures fail for several reasons. One of the most frequent causes is content modification during transit. If an email is altered after it has been signed by your sending server, even slightly, the DKIM signature will no longer match the email's content. This can happen if an intermediate mail server or a mailing list modifies headers, adds disclaimers, or changes the message body.
Common pitfalls
Body hash mismatch: The email content (body) was altered after signing. This is a common cause of DKIM body hash failures.
Header canonicalization issues: Headers included in the DKIM signature were formatted differently upon reception, leading to a mismatch.
Incorrect DNS record: The public key published in your DNS (TXT record) does not match the private key used for signing, or the record is malformed or missing, leading to DKIM permerror issues.
Selector issues: The DKIM selector in the email header does not match the selector in the DNS record, meaning the wrong public key is being looked up.
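To make the body hash mismatch concrete, here is an added example (not from the original article) that recomputes the `bh=` value the way a verifier does under RFC 6376 simple and relaxed body canonicalization. The message bodies, the `example.com` signature header and the function names are constructed for illustration; the `l=` tag and the signature check over `b=` are not covered.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs to one space, drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()                      # trailing empty lines are ignored
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str, algo: str = "sha256") -> str:
    return base64.b64encode(hashlib.new(algo, canon_body(body, mode)).digest()).decode()

def tag_list(value: str) -> dict:
    """Split a DKIM tag list and drop folding whitespace inside values."""
    pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def body_matches(dkim_signature: str, body: bytes) -> bool:
    """Recompute bh= for the received body; the l= tag is not handled here."""
    tags = tag_list(dkim_signature)
    canon = tags.get("c", "simple/simple").split("/")
    mode = canon[1] if len(canon) > 1 else "simple"   # body part defaults to simple
    algo = tags.get("a", "rsa-sha256").split("-")[-1]
    return body_hash(body, mode, algo) == tags["bh"]

# Constructed sample: the body as signed, then two in-transit variants.
SIGNED = b"Hi Bob,\r\n\r\nInvoice attached.\r\n"
RESPACED = b"Hi Bob,  \r\n\r\nInvoice   attached.\r\n\r\n"      # whitespace changes only
FOOTER = SIGNED + b"-- \r\nScanned by the mail gateway\r\n"    # appended disclaimer

def make_sig(mode: str) -> str:
    """Constructed header value for example.com; b= is left empty (not verified here)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/{mode}; d=example.com; s=sel1;\r\n"
            f"\th=from:to:subject; bh={body_hash(SIGNED, mode)}; b=")

if __name__ == "__main__":
    for mode in ("relaxed", "simple"):
        for name, body in (("signed", SIGNED), ("respaced", RESPACED), ("footer", FOOTER)):
            print(mode, name, body_matches(make_sig(mode), body))
```

Relaxed body canonicalization tolerates the whitespace-only rewrite, simple does not, and neither survives the appended footer.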
Valid DKIM signature
The email passes DKIM checks because the signature and published DNS key align, and the email content remains unaltered.
Google and other ISPs trust the sender's identity, leading to better inbox placement.
Microsoft Outlook processes the email without flagging it as potentially fraudulent.
Invalid DKIM signature
The email fails DKIM checks, indicating the signature doesn't match the content or the public key, often due to tampering or misconfiguration.
Increased spam score: SpamAssassin (and other filters) assign higher scores, increasing the likelihood of the email landing in the spam folder or being rejected outright.
Reputation damage: Consistent failures can negatively impact your sender reputation, making it harder to reach inboxes in the future.
Another often overlooked cause can be related to the email sender's infrastructure. Sometimes, issues arise when using third-party email service providers (ESPs) if their DKIM signing isn't correctly configured for your domain, or if you're using a system that applies its own signing in addition to your domain's, leading to issues with double DKIM implementation. It's essential to check how your ESP handles DKIM.
Troubleshooting steps for DKIM problems
When you encounter DKIM signature issues, whether flagged by SpamAssassin or other tools, a systematic approach to troubleshooting is key. The first place to look is always the email headers, specifically the Authentication-Results header. This header provides a detailed breakdown of all authentication checks performed by the receiving server, including DKIM, SPF, and DMARC. This is often more informative than a simple SpamAssassin score. For example, it might tell you if your Gmail SPF/DKIM status is failing, or provide specific error codes.
If the headers point to a DKIM failure, the next step is to verify your DKIM DNS record. Ensure the public key published in your DNS matches the private key used by your sending server. Any discrepancy, even a single character, will invalidate the signature. Check for typos, extra spaces, or incorrect line breaks in the DNS record. Resources such as Spam Resource's guide on DKIM issues offer further insight into "no key for signature" errors. Additionally, use an email deliverability tester to send a test email and receive a comprehensive report on your authentication status, including DKIM. This can help you diagnose problems like a DKIM body hash mismatch.
Finally, review your mail server's DKIM signing configuration. Ensure that your mail server (e.g., Postfix, Exim) is correctly signing outgoing emails with DKIM. Check its logs for any signing errors. Sometimes, seemingly minor configuration changes or updates can break DKIM functionality. If you're encountering issues with DKIM temporary errors with Microsoft, this might also stem from server-side configurations.
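The first two steps above, as an added example that is not part of the original article: it reads the `dkim=` verdict from an Authentication-Results value, derives the DNS name to look up from the DKIM-Signature's `s=` and `d=` tags, and lints the TXT record's strings for the paste and formatting defects mentioned. The header values, the `sel2025` selector, the stand-in key and the function names are all constructed; fetching the TXT record is left to your DNS tool of choice.

```python
import base64
import binascii
import re

def dkim_results(auth_results: str) -> list:
    """(result, comment) for every dkim= entry of an Authentication-Results value."""
    found = re.findall(r"\bdkim=(\w+)(?:\s*\(([^)]*)\))?", auth_results)
    return [(result.lower(), comment) for result, comment in found]

def tag_list(value: str) -> dict:
    pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
    return {k.strip(): v.strip() for k, v in pairs}

def key_query_name(dkim_signature: str) -> str:
    """DNS name the verifier queries: <selector>._domainkey.<domain>."""
    tags = tag_list(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

def lint_key_record(txt_strings: list) -> list:
    """Problems in a DKIM key record, given the TXT record's character-strings."""
    if not txt_strings:
        return ["no TXT record at the selector name"]
    record = "".join(txt_strings)      # multi-string TXT data is concatenated as-is
    tags, problems = tag_list(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if '"' in record:
        problems.append("quote characters pasted into the record data")
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if "p" not in tags:
        problems.append("p= tag missing")
    elif not p:
        problems.append("p= is empty: key revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
            if tags.get("k", "rsa") == "rsa" and der[:1] != b"\x30":
                problems.append("p= is not a DER-encoded RSA public key")
        except binascii.Error:
            problems.append("p= is not valid base64 (typo or truncated paste)")
    return problems

# Constructed samples. P is a DER-shaped stand-in, not a real key.
AUTH_RESULTS = ("mx.example.net; dkim=fail (no key for signature) "
                "header.d=example.com; spf=pass smtp.mailfrom=example.com")
DKIM_SIG = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2025; h=from:to; bh=; b="
P = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
GOOD = ["v=DKIM1; k=rsa; p=" + P[:200], P[200:]]    # long key split across strings
QUOTED = ['v=DKIM1; k=rsa; p=' + P[:200] + '" "' + P[200:]]
```

`lint_key_record(GOOD)` returns an empty list, while `QUOTED` (chunk delimiters pasted into the value) is flagged both for the stray quotes and for the resulting invalid base64.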
Ensuring robust email authentication
While SpamAssassin provides useful indicators, remember that its primary goal is to identify spam based on many factors, not just DKIM. A perfect SpamAssassin score isn't the sole determinant of inbox placement, but a failing DKIM signature can certainly contribute to your emails landing in the junk folder or being rejected. Robust DKIM implementation, alongside SPF and DMARC, forms the bedrock of strong email authentication and is critical for maintaining good sender reputation.
By understanding the nuances of SpamAssassin's DKIM test results and systematically troubleshooting any issues, you can significantly improve your email deliverability and ensure your legitimate messages reach their intended recipients. Continue to monitor your email authentication, and address any anomalies promptly.
Views from the trenches
Best practices
Regularly check your DMARC reports to spot DKIM alignment failures, even if SpamAssassin passes.
Use a consistent canonicalization method for DKIM, either relaxed/relaxed or relaxed/simple, for both header and body.
Ensure your DNS records for DKIM are correctly published and do not contain any hidden characters or formatting issues.
Test your DKIM setup with an email deliverability test service to get a comprehensive authentication report.
Common pitfalls
Modifying email content (e.g., adding footers, disclaimers) after DKIM signing, which invalidates the signature.
Having multiple DKIM signatures that conflict with each other or with DMARC alignment policies.
Using incorrect or outdated DKIM selectors in your email sending configuration, preventing key lookup.
Not regularly rotating your DKIM keys, which can lead to security vulnerabilities over time.
Expert tips
Implement ARC (Authenticated Received Chain) if emails are frequently forwarded, as it helps preserve authentication results through intermediaries.
Prioritize DMARC enforcement policies (quarantine/reject) as your DKIM and SPF become stable to gain full control over your sending domain.
Monitor your sender reputation continuously through tools like Google Postmaster Tools and investigate any drops.
Be aware that different receiving mail servers might interpret DKIM validation slightly differently, leading to varied results across ISPs.
Expert view
Expert from Email Geeks says that knowing a rule fires on SpamAssassin does not necessarily mean there is a problem with the mail being sent, as it is a scoring-based engine.
2024-07-18 - Email Geeks
Expert view
Expert from Email Geeks says that the DKIM_SIGNED rule simply indicates the presence of a DKIM-Signature header, while DKIM_INVALID_DKIM means the signature itself is not valid.