
Why does MXToolBox say my DKIM Signature is not verified?

Matthew Whittaker
Co-founder & CTO, Suped
Published 15 Apr 2025
Updated 19 Aug 2025
It can be incredibly frustrating to see an error like "DKIM Signature not verified" from a tool like MXToolBox, especially when you've diligently set up your email authentication records. You've double-checked your DNS entries for SPF, DKIM, and DMARC, perhaps even confirmed them with your email service provider, yet the tool reports an issue. This can make you question your entire setup and worry about your email deliverability.
I've encountered this scenario many times, both personally and while assisting others. Often, the error message from MXToolBox can be a red herring, not necessarily indicating a fundamental problem with your DKIM setup. It's important to understand the nuances of how these tools operate and what specific issues can trigger such a warning.
Before diving into complex troubleshooting, it's essential to pinpoint whether the issue is a genuine DKIM misconfiguration or a quirk of the testing tool itself. We'll explore the most common reasons behind DKIM signature errors reported by verification services.

Why DKIM signatures fail

When MXToolBox, or any other email authentication checker, reports that your DKIM signature is not verified, it usually points to a discrepancy between the email's actual signature and the public key published in your DNS. This mismatch prevents receiving mail servers from confirming that the email truly originated from your domain and hasn't been tampered with in transit. Without a valid DKIM signature, your emails are more likely to be flagged as spam or even rejected, impacting your overall deliverability.
One of the most frequent culprits is an incorrect or outdated DNS record. The public DKIM key, published as a TXT record, must correspond exactly to the private key used by your sending server to sign outgoing emails. Even a single character error, a missing quotation mark, or extra whitespace can invalidate the signature. This is especially common when the DKIM string is long and needs to be broken into multiple parts within the DNS record.
Another significant factor can be related to the canonicalization method used. DKIM allows for either simple or relaxed canonicalization for both the header and body. If the sending server signs the email using one method, and the receiving server (or testing tool) attempts to verify it using a different expectation, it can lead to a body hash mismatch error, even if the keys themselves are correct.

MXToolBox and false positives

It's not uncommon for MXToolBox to occasionally report false positives regarding DKIM signature verification. This can happen due to various factors related to how their system processes the email headers or interacts with your DNS. For instance, sometimes simply pasting the email header into the tool can introduce stray whitespace or formatting issues that their checker misinterprets, leading to an inaccurate failure report.
Another reason for a potential false positive is related to specific configurations or temporary network issues that prevent the tool from correctly retrieving or parsing your DKIM record. I've seen instances where the DNS record is perfectly valid and other checkers confirm it, but MXToolBox struggles with verification. This is why it's always a good practice to use multiple verification tools to get a comprehensive view of your email authentication status.
It's also worth noting that some testing tools might have specific requirements or limitations, such as expecting a DMARC policy to be enabled, even if the core DKIM record is sound. While DKIM and DMARC work together for email authentication, a DKIM signature should ideally verify independently. If you suspect a false positive, checking with another service can quickly clarify the situation.

Troubleshooting steps

When you encounter a DKIM signature not verified error, the first step is always to verify your DNS record. Ensure that the public key published as a TXT record for your DKIM selector matches exactly what your email service provider (ESP) or mail server generates. Pay close attention to extra spaces, missing characters, or incorrect formatting.
If your DKIM record is particularly long and has been broken into multiple strings within your DNS, confirm that each segment is correctly quoted and joined. DNS providers handle this differently, and an error here is a common reason for DKIM validation failures. It's also critical to ensure that your mail server or ESP is actually signing your outgoing emails with DKIM. Sometimes, the record is correct, but the signing process itself is not enabled or configured properly on the sending side.
Finally, consider the time it takes for DNS changes to propagate. After updating your DKIM record, it can take anywhere from a few minutes to several hours for the changes to become globally visible due to DNS caching. Waiting a bit and then re-testing can often resolve transient issues. If you're still facing challenges, comparing your results with other email authentication tools can help isolate whether the problem is with your setup or the specific checker.
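The DNS-side checks above can be automated. The following is an added example, not code from the original article or from any checker it mentions: it lints a DKIM TXT record as it is typed into a DNS panel, joining the quoted segments and validating the tags. The function name, the sample records and the placeholder key bytes are constructed for illustration.

```python
import base64
import re

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one quoted TXT character-string

def lint_dkim_txt(presentation: str) -> list:
    """Return the problems found in a DKIM TXT record as entered in DNS."""
    problems = []
    segments = QUOTED.findall(presentation)
    leftover = QUOTED.sub("", presentation).strip()
    if leftover:
        problems.append(f"text outside quotes: {leftover[:20]!r}")
    if any(len(s.encode()) > 255 for s in segments):
        problems.append("a quoted segment exceeds 255 bytes")
    record = "".join(segments)  # segments are joined with NO separator
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip(): v.strip() for k, v in pairs}
    if "v" in tags and (tags["v"] != "DKIM1" or not record.lstrip().startswith("v")):
        problems.append("v= must be the first tag and equal DKIM1")
    key = tags.get("p")
    if key is None:
        problems.append("p= tag missing")
    elif key == "":
        problems.append("p= is empty (key revoked)")
    else:
        if re.search(r"\s", key):
            problems.append("whitespace inside p=")
        compact = re.sub(r"\s+", "", key)
        if len(compact) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
            problems.append("p= is not valid base64")
    return problems

# Constructed placeholder key material (not a real public key).
KEY = base64.b64encode(bytes(range(90))).decode()
GOOD = f'"v=DKIM1; k=rsa; p={KEY[:60]}" "{KEY[60:]}"'
UNQUOTED = f'"v=DKIM1; k=rsa; p={KEY[:60]}" {KEY[60:]}'   # second segment lost its quotes
SPACED = f'"v=DKIM1; k=rsa; p={KEY[:60]} " "{KEY[60:]}"'  # space pasted at the split
CLIPPED = f'"v=DKIM1; k=rsa; p={KEY[:-1]}"'               # last character dropped

if __name__ == "__main__":
    for name, rec in [("good", GOOD), ("unquoted", UNQUOTED),
                      ("spaced", SPACED), ("clipped", CLIPPED)]:
        print(name, lint_dkim_txt(rec))
```

The linter only checks the record's structure; it does not confirm that the key pairs with the private key your sender is using.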

Advanced DKIM considerations

Beyond the basic DNS checks, there are more intricate aspects of DKIM that can lead to verification failures. One such area is the DKIM selector. Make sure the selector used in the email's DKIM-Signature header matches the one in your DNS TXT record. Mismatched selectors mean the receiving server looks for the wrong public key.
Key length is another factor. While 1024-bit keys are still common, 2048-bit keys offer greater security. However, some older systems or specific configurations might have issues with longer keys. If you're using a 2048-bit key and encountering consistent failures across multiple tools (not just MXToolBox), consider testing with a 1024-bit key to rule this out, especially if you suspect Microsoft Office 365 DKIM signature issues.
Finally, the integrity of the email body and headers during transit plays a role. Any modification to the message content or signed headers after the DKIM signature is applied will cause the signature verification to fail. This is where canonicalization settings are crucial. Using 'relaxed' canonicalization for both header and body is generally recommended as it allows for minor formatting changes (like whitespace) without invalidating the signature, which can be particularly useful when dealing with various mail servers and transit routes. Understanding these nuances can save you a lot of headaches when decoding DKIM temperrors.
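The selector lookup, the whitespace in a pasted `bh=` value and the simple versus relaxed body hash discussed in this article can all be checked locally. This is an added example, not code from the original article or from MXToolBox: it parses a DKIM-Signature value, derives the DNS name a verifier queries, and recomputes the body hash using the method named in the `c=` tag. The message, domain and selector are constructed, it assumes `a=rsa-sha256` and CRLF line endings, and it does not verify the `b=` signature itself.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 body canonicalization; assumes CRLF line endings."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # strip trailing WSP, collapse WSP runs to one space
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at end of body
        lines.pop()
    if not lines:  # empty body: simple hashes a lone CRLF, relaxed hashes nothing
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str) -> str:
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def parse_signature(value: str) -> dict:
    """Split a DKIM-Signature value into tags, ignoring folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    tags = {k.strip(): v.strip() for k, v in pairs}
    for name in ("bh", "b"):  # whitespace inside base64 tags is legal; drop it
        if name in tags:
            tags[name] = re.sub(r"\s+", "", tags[name])
    return tags

def check_body(value: str, body: bytes) -> dict:
    """Report the DNS name a verifier queries and whether bh= matches the body."""
    tags = parse_signature(value)
    c = tags.get("c", "simple/simple")
    mode = c.split("/")[1] if "/" in c else "simple"  # body defaults to simple
    return {"dns_name": f"{tags['s']}._domainkey.{tags['d']}",
            "body_mode": mode,
            "bh_ok": body_hash(body, mode) == tags["bh"]}

# Constructed sample: the body as signed, and as delivered after a relay added
# trailing spaces and a blank line. The b= value is elided.
SIGNED = b"Hello team,\r\nInvoice attached.\r\n"
DELIVERED = b"Hello team,  \r\nInvoice attached.\r\n\r\n"

def sample_header(mode: str) -> str:
    bh = body_hash(SIGNED, mode)  # folded below, as pasted headers often are
    return (f"v=1; a=rsa-sha256; c=relaxed/{mode}; d=example.com; s=sel1;\r\n"
            f"\tbh={bh[:20]}\r\n\t {bh[20:]}; b=...")

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, check_body(sample_header(mode), DELIVERED))
```

With the delivered body, the hash still matches under relaxed body canonicalization and fails under simple, while the folded `bh=` value makes no difference in either case.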

Views from the trenches

Best practices
Ensure your DKIM DNS record is copied precisely from your ESP, checking for hidden characters.
Utilize 'relaxed' canonicalization for both header and body for better fault tolerance.
Regularly check your DKIM status using multiple reputable online verification tools.
Verify that your sending email server or ESP is actively signing your outgoing emails with DKIM.
Keep an eye on any changes in your email sending infrastructure that might impact DKIM signing.
Common pitfalls
Introducing extra whitespace or incorrect formatting when copy-pasting DKIM records into DNS.
Not accounting for DNS propagation time after making changes to your DKIM TXT record.
Misinterpreting a false positive from a single testing tool as a widespread DKIM failure.
Using a DKIM key length (e.g., 2048-bit) that might not be fully supported by all receiving systems.
Failing to enable DKIM signing on the mail server or ESP side, even if the DNS record is correct.
Expert tips
If your DKIM string is split across multiple TXT record segments, ensure all segments are enclosed in quotes and concatenated correctly.
Always fetch the raw email headers and analyze them directly, as some tools can misinterpret pasted content.
Consider setting up DMARC with a 'p=none' policy initially to gain visibility into DKIM failures.
Implement blocklist monitoring to catch potential deliverability issues early.
Regularly review your DMARC reports for insights into authentication failures and potential spoofing.
Expert view
Expert from Email Geeks says they have seen others report online a glitch with MXToolBox regarding DKIM verification. The issue might be specific to the testing tool.
2022-08-01 - Email Geeks
Expert view
Expert from Email Geeks says that there might be whitespace in the body hash of the DKIM signature as reported by MXToolBox. This could be due to a copy/paste error or a header unfolding issue, but it's probably not a concern unless there are actual delivery problems.
2022-08-01 - Email Geeks

Final thoughts on DKIM verification

A DKIM signature not verified error from MXToolBox, while concerning, isn't always a sign of a critical issue. Often, it's a minor DNS record discrepancy, a canonicalization mismatch, or even a peculiarity of the testing tool itself. The key is to systematically troubleshoot by first verifying your DNS setup, ensuring your email platform is correctly signing messages, and then cross-referencing with other authentication checkers.
