Suped

Why does MXToolBox say my DKIM Signature is not verified?

9Marketer opinions5Expert opinions6Technical articles4Resources

Summary

MXToolbox reports DKIM verification failures due to a multitude of reasons. These include potential glitches within MXToolbox itself, DNS record errors such as syntax mistakes or incorrect key placement, whitespace or line break issues within email headers or body, DNS propagation delays after updating records, DKIM selector mismatches, invalid characters in the DKIM record, problems related to subdomain DKIM configuration, conflicts arising from multiple DKIM records, signature manipulation during transit, incorrect key retrieval, signing process problems, and even exceeding DKIM keysize limitations. It's essential to verify results with other tools, check raw email headers, validate DKIM syntax, ensure the correct selector is used, verify proper subdomain configurations, and allow ample time for DNS propagation.

Key findings

  • MXToolbox Glitches: MXToolbox may have internal glitches, resulting in false DKIM verification failures.
  • DNS Record Errors: Incorrect DNS configuration, typos, or improper key placement in the DKIM record are common issues.
  • Whitespace/Line Breaks: Whitespace or line breaks within email headers or body can cause DKIM verification problems.
  • DNS Propagation Delays: DNS propagation delays following record updates can temporarily cause failures.
  • DKIM Selector Mismatch: Mismatch between the DKIM selector in the email header and the one used for key generation can lead to failures.
  • Invalid Characters: Invalid characters or formatting problems within the DKIM record may cause failures.
  • Subdomain Configuration Issues: Failures may occur due to incorrect subdomain delegation or missing DKIM records for specific subdomains.
  • Multiple DKIM Records: Conflicts or errors can arise from multiple DKIM records that are not properly configured.
  • Signature Manipulation: DKIM signatures may be manipulated during transit, causing verification failures.
  • Key Retrieval Problems: Incorrect key retrieval can lead to DKIM signature verification failures.
  • Key Size Limitations: Exceeding DKIM key size limitations can cause validation errors.
  • Signing Process Problems: Issues during the DKIM signing process itself can contribute to verification failures.
  • False Positives: MXToolbox can occasionally report false positives.

Key considerations

  • Verify with Other Tools: Always confirm DKIM failures with multiple tools.
  • Check Raw Headers: Examine raw email headers for detailed authentication results.
  • Validate DKIM Syntax: Use online tools to thoroughly validate DKIM record syntax for accuracy.
  • Ensure Proper DNS Propagation: Allow ample time (24-48 hours) for DNS changes to fully propagate after updates.
  • Verify DKIM Selector: Ensure the DKIM selector is correctly configured in DNS and in email sending software.
  • Check for Formatting Errors: Review DKIM records for typos, special characters, and formatting issues.
  • Configure Subdomain DKIM: Configure specific DKIM records for each sending subdomain.
  • Manage Multiple DKIM Records Carefully: Manage multiple DKIM keys separately to avoid conflicts.
  • Check Authentication at Multiple Receivers: Verify authentication results with multiple receivers to confirm issues.

What email marketers say
9Marketer opinions

MXToolbox may report DKIM verification failures due to various reasons, including glitches in MXToolbox itself, whitespace or line break issues in email headers, DNS propagation delays, incorrect DKIM record syntax, incorrect selector usage, invalid characters in the DKIM record, issues with subdomain DKIM configuration, conflicts from multiple DKIM records, or false positives. Verifying with other tools and checking raw email headers is recommended.

Key opinions

  • MXToolbox Glitches: MXToolbox might have glitches, leading to false DKIM verification failures.
  • Whitespace/Line Breaks: Whitespace or line breaks in email headers or bodies can cause DKIM verification issues.
  • DNS Propagation: DNS propagation delays after DKIM record updates can result in temporary failures.
  • Syntax Errors: Incorrect syntax, missing semicolons, or invalid key values in the DKIM record can lead to failures.
  • Selector Mismatch: Using the wrong DKIM selector during signing or DNS querying can cause verification problems.
  • Invalid Characters: Invalid characters or formatting issues in the DKIM record may cause failures.
  • Subdomain Issues: Incorrect subdomain delegation or missing DKIM records for subdomains can cause issues.
  • Multiple Records: Having multiple DKIM records without proper configuration can lead to conflicts.
  • False Positives: MXToolbox might report false positives, necessitating verification with other tools.

Key considerations

  • Verify with Other Tools: Confirm DKIM failures with multiple tools to avoid acting on false positives from MXToolbox.
  • Check Raw Headers: Inspect raw email headers for authentication results to identify the specific cause of the DKIM failure.
  • Validate DKIM Syntax: Use online tools to validate the DKIM record syntax for correctness.
  • Wait for Propagation: Allow sufficient time (24-48 hours) for DNS changes to propagate fully after updating DKIM records.
  • Verify Selector: Ensure the DKIM selector used in the signing process matches the one specified in the email headers and DNS record.
  • Check Formatting: Carefully check the DKIM record for typos, special characters, and formatting issues.
  • Subdomain Configuration: Configure individual DKIM records for each sending subdomain if DKIM fails for subdomains.
  • Manage Multiple Records: Properly manage and separate DKIM keys if using multiple DKIM records to avoid conflicts.
Marketer view

Email marketer from Email on Acid shares that incorrect syntax in the DKIM DNS record, such as missing semicolons or incorrect key values, can lead to verification failures. Suggests using online tools to validate the DKIM record syntax.

May 2023 - Email on Acid
Marketer view

Email marketer from SuperUser explains that using the wrong DKIM selector in the signing process or when querying the DNS record can cause verification failures. It suggests verifying that the selector used matches the one specified in the email headers.

September 2023 - SuperUser
Marketer view

Marketer from Email Geeks shares that others have reported a glitch with MXToolBox. Mentions Email Stuff finds no issues with DKIM.

March 2022 - Email Geeks
Marketer view

Email marketer from Mailhardener answers that if DKIM fails for subdomains it is commonly due to incorrect subdomain delegation or missing DKIM records for specific subdomains. You need to configure individual DKIM records for each sending subdomain.

January 2024 - Mailhardener
Marketer view

Email marketer from AuthSMTP explains that invalid characters or formatting issues within the DKIM record can cause verification issues. They advise checking the record for any typos or special characters that may be interfering with the verification process.

October 2024 - AuthSMTP
Marketer view

Email marketer from Reddit suggests that MXToolbox can sometimes report false positives regarding DKIM failures, and it's recommended to verify with other tools before taking action. Suggests checking the raw email headers for authentication results.

December 2021 - Reddit
Marketer view

Email marketer from StackOverflow answers that DKIM verification failures can sometimes be caused by line breaks or whitespace issues in the email header or body, especially after the message passes through different mail servers.

November 2024 - StackOverflow
Marketer view

Email marketer from MXToolbox Forum answers that DNS propagation delays after updating the DKIM record can cause temporary verification failures. It is suggested to wait 24-48 hours for the changes to fully propagate.

October 2021 - MXToolbox Forum
Marketer view

Email marketer from DigitalOcean community answers that having multiple DKIM records can sometimes cause conflicts or validation errors, especially if they are not properly configured. Proper management and separation of DKIM keys are important for each sending domain.

January 2022 - DigitalOcean

What the experts say
5Expert opinions

MXToolbox might report DKIM verification failures due to whitespace in the DKIM signature's body hash, DNS record errors (syntax, typos), DKIM selector mismatch, or simply be a false positive. It's important to validate DNS records, verify the DKIM selector, and check authentication at multiple receivers.

Key opinions

  • Whitespace in DKIM Signature: Whitespace in the body hash of the DKIM signature can cause MXToolbox to report a failure.
  • DNS Record Errors: DNS record errors, such as incorrect syntax, typos, or improper key placement, are common reasons for DKIM verification failure.
  • DKIM Selector Mismatch: If the DKIM selector in the email header does not match the selector used to generate the DKIM key pair, MXToolbox will report a failure.
  • Possible False Positive: The DNS record might be correct, and other tools might not report a problem, suggesting a false positive from MXToolbox.

Key considerations

  • Validate DNS Records: Carefully validate the DKIM DNS record using online tools to ensure correctness.
  • Verify DKIM Selector: Ensure the email sending software uses the correct DKIM selector.
  • Check Authentication at Multiple Receivers: If one vendor flags DKIM problems, check authentication at multiple receivers to confirm the issue.
Expert view

Expert from Email Geeks responds that the DNS record is syntactically correct and all tools agree. The signature may not be, but only mxtoolbox has seen that.

October 2021 - Email Geeks
Expert view

Expert from Spamresource explains that DNS record errors, such as incorrect syntax, typos, or improper key placement, are common reasons for DKIM verification failure in MXToolbox. They advise carefully validating the DKIM DNS record using online tools to ensure correctness.

April 2025 - Spamresource
Expert view

Expert from Email Geeks explains there is whitespace in the body hash in the DKIM signature as reported at mxtoolbox. Suggests it could be a copy/paste issue or header unfolding issue, but probably not a concern unless there are actual problems.

March 2024 - Email Geeks
Expert view

Expert from Spamresource explains that if the DKIM selector in the email header does not match the selector used to generate the DKIM key pair, MXToolbox will report a DKIM verification failure. They suggest ensuring the email sending software uses the correct selector.

October 2021 - Spamresource
Expert view

Expert from Word to the Wise responds that even if a particular vendor flags DKIM problems, it's vital to see if other vendors also flag the same issue. Checking authentication at multiple receivers is crucial.

January 2022 - Word to the Wise

What the documentation says
6Technical articles

DKIM signature verification failures can occur due to various reasons outlined in technical documentation. These include signature manipulation during transit, incorrect DNS configuration, changes to the message body after signing, problems with the signing process or DKIM signing software, DKIM selector mismatch, key mismatch, syntax errors, and exceeding DKIM keysize limitations. Troubleshooting involves verifying the selector, ensuring the correct public/private key pair is used, validating DNS configuration and record syntax, and adhering to key size limits.

Key findings

  • Signature Manipulation: DKIM signatures can be altered during transit, leading to verification failures.
  • Incorrect DNS Configuration: Incorrectly configured DNS records are a common cause of DKIM failure.
  • Message Body Changes: Changes to the message body after DKIM signing will invalidate the signature.
  • Signing Process Issues: Problems with the DKIM signing process or software can cause verification failures.
  • Selector Mismatch: A mismatch between the selector in the DKIM record and the one used for signing can cause failures.
  • Key Mismatch: A mismatch between the public key in DNS and the private key used for signing will cause failures.
  • Key Size Limitations: Exceeding the allowed key size (e.g., using keys larger than 2048 bits) can lead to validation errors.

Key considerations

  • Verify DNS Configuration: Ensure that the DKIM DNS record is correctly configured and published.
  • Validate DNS Record: Carefully validate the DKIM record for syntax errors and other issues.
  • Check Selector: Verify that the selector in the DKIM record matches the one used for signing.
  • Ensure Key Match: Ensure that the public key in DNS matches the private key used for signing.
  • Adhere to Key Size Limits: Use a supported key size (e.g., 1024 or 2048 bits) to avoid validation errors.
  • Test DKIM Configuration: Use available tools to test and diagnose DKIM issues and verify that the configuration is working correctly.
Technical article

Documentation from AWS explains that there are keysize limitations for DKIM, and that if the key size in the DKIM record exceeds these limits it may cause validation errors. Key sizes of 1024 or 2048 bits are most commonly used.

October 2023 - Amazon Web Services
Technical article

Documentation from OpenDKIM.org details troubleshooting DKIM issues which often involve verifying the selector in the DKIM record matches the one used for signing, and ensuring the public key in the DNS record matches the private key used for signing.

October 2022 - OpenDKIM.org
Technical article

Documentation from Microsoft explains that incorrect DKIM configuration, including errors in the DNS record or key mismatch, can cause their email authentication checks to fail. It recommends ensuring the DKIM record is correctly published and validated.

February 2024 - Microsoft
Technical article

Documentation from RFC Editor explains that DKIM signature verification can fail for various reasons, including signature manipulation during transit, incorrect key retrieval, or problems with the signing process itself.

November 2023 - RFC Editor
Technical article

Documentation from DKIM.org explains that common causes of DKIM failure include incorrect DNS configuration, changes to the message body after signing, and problems with the DKIM signing software.

November 2021 - DKIM.org
Technical article

Documentation from SendGrid provides a guide for testing and troubleshooting DKIM issues. Ensuring correct DNS configuration, verifying the DKIM record, and checking for common issues like syntax errors are recommended. They also suggest using SendGrid's own tools to diagnose DKIM issues.

February 2024 - SendGrid

Related resources
4Resources

O365 Received Emails DKIM Body Hash failing - Collaboration ...
O365 Received Emails DKIM Body Hash failing - Collaboration ...

Recently I implemented DKIM signing for our exchange 365 domain and sent emails appear to be functioning properly but if I check the headers for received emails using mxtoolbox.com it shows ‘DKIM Alignment’ but ‘DKIM Authentication’ is failing due to ‘DKIM Signature Body Hash Verified: Body Hash Did Not Verify’. We are using an Azure hybrid AD where internally the domain name is the same as the o365 custom domain used to send email, that is to say the DKIM published CNAME’s are published on the...

Spiceworks Community
Emails from Office 365 - DKIM-Signature Body Hash Not Verified : r ...
Emails from Office 365 - DKIM-Signature Body Hash Not Verified : r ...

Posted by u/airoplanes - 2 votes and 10 comments

Reddit
DKIM => Signature Did Not Verify | DirectAdmin Forums
DKIM => Signature Did Not Verify | DirectAdmin Forums

DKIM => Signature Did Not Verify DKIM => NOT Authenticated This DKIM problem will probably concern a lot people, it looks like a TLS problem with the method of DA to verify the DKIM Key Do not confuse MXTools DKIM test which report ONLY 3 lignes : - DKIM Record Published - DKIM Syntax Check -...

DirectAdmin Forums
ispconfig DKIM and sparkpost DKIM validator | Howtoforge - Linux ...
ispconfig DKIM and sparkpost DKIM validator | Howtoforge - Linux ...

Hi, Using Ispconfig3 3.1.15p3 with 2048 bit length DKIM. I have dkim dns TXT entry and dmarcanalyzerk says it is valid. if I testing my dkim with dkim...

Howtoforge - Linux Howtos and Tutorials

Related questions