Why does MXToolBox say my DKIM Signature is not verified?
Matthew Whittaker
Co-founder & CTO, Suped
Published 15 Apr 2025
Updated 12 Oct 2025
It can be confusing when you've diligently set up SPF, DKIM, and DMARC, only to have a tool like MXToolBox report that your DKIM Signature is not verified. This specific error can cause a lot of concern, especially when other DKIM checkers might show everything as passing. I’ve seen this happen to many senders, and it's a common point of frustration for those working to ensure robust email authentication.
The discrepancy often leads to questions about whether the DKIM setup is truly flawed or if the testing tool itself has a particular interpretation or limitation. Understanding the nuances of DKIM verification, and how different services perform these checks, is key to resolving such issues.
This article will explore the most common reasons why MXToolBox might show a DKIM signature as unverified, even when it appears to be correctly configured and passes other tests. We’ll also cover strategies for troubleshooting and ensuring your DKIM records are robustly authenticated across all platforms.
DKIM, or DomainKeys Identified Mail, is a critical email authentication method that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain. It does this by attaching a digital signature to the email header, which is then verified against a public key published in the sender's DNS records. For a more detailed understanding of how DKIM, SPF, and DMARC work together, you can review a simple guide to DMARC, SPF, and DKIM.
When an email is sent, the sending server creates a unique DKIM signature based on certain parts of the email, including headers and the body. This signature is then placed in the email's header. The receiving server looks up the sender's DNS records for the corresponding public key. If the signature verifies against the public key, the email is considered DKIM authenticated, which significantly boosts its credibility and deliverability.
Email deliverability tools, including MXToolBox, perform these checks by simulating what a receiving mail server would do. However, each tool might have slightly different parsing rules or sensitivities to certain formatting, which can lead to varied results. This is especially true when dealing with nuances like whitespace or header encoding. For instance, sometimes Gmail might show DKIM passing when it's actually failing, or vice versa, due to different validation methods.
Common reasons for MXToolBox DKIM errors
One of the most frequently encountered issues that can trip up MXToolBox is subtle formatting problems in the email header, particularly stray whitespace. When you copy and paste an email header for analysis, extra spaces or line breaks can be inadvertently included. While some mail servers are lenient with these minor imperfections, diagnostic tools like MXToolBox can be quite strict, leading to a DKIM Signature Not Verified report. This is especially relevant to the body hash component of the DKIM signature, where even a single extra character can cause a mismatch. To learn more about this, read how to fix DKIM body hash mismatch failures.
Common issues
DNS record syntax: Incorrectly formatted public keys, including extraneous spaces or characters within the TXT record, can lead to validation failures. This often happens when copy-pasting the key.
Long DKIM strings: Some DNS providers require splitting long DKIM public keys into multiple string literals enclosed in quotes, such as "v=DKIM1; k=rsa; p=KEYPART1""KEYPART2". Incorrect concatenation can cause issues.
Incorrect selector: Using the wrong DKIM selector in the DNS record or email header means the receiving server can't find the correct public key for verification. Check a list of common DKIM selectors to ensure you're using the correct one.
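The record-level problems listed above can be checked mechanically before publishing a key. The following is an added example, not part of the original article or any tool it mentions: it joins the quoted strings of a TXT record with nothing in between (as RFC 6376 requires before the record is used) and reports stray whitespace, hidden characters and invalid base64 in the p= tag. The function names and the sample records are assumptions, and the key is a constructed stand-in rather than a real RSA key.

```python
import base64
import re

def join_txt_strings(rdata):
    """Join the quoted strings of a TXT record with nothing in between."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata.strip()

def parse_tags(record):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict of tag -> value."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def lint_key_record(rdata):
    """Return a list of problems found in a DKIM key TXT record."""
    problems = []
    record = join_txt_strings(rdata)
    hidden = sorted({f"U+{ord(c):04X}" for c in record if not 32 <= ord(c) <= 126})
    if hidden:
        problems.append("hidden or non-ASCII characters: " + ", ".join(hidden))
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    key = tags.get("p")
    if key is None:
        return problems + ["no p= tag"]
    if re.search(r"\s", key):
        problems.append("whitespace inside p= value")
    try:
        base64.b64decode(re.sub(r"\s", "", key), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("p= is not valid base64")
    return problems

# Constructed stand-in for a public key (valid base64, not a real RSA key).
KEY = base64.b64encode(bytes(range(96))).decode()
SPLIT_OK = f'"v=DKIM1; k=rsa; p={KEY[:64]}" "{KEY[64:]}"'      # two strings, joined cleanly
PASTED_SPACE = f'"v=DKIM1; k=rsa; p={KEY[:64]} {KEY[64:]}"'    # space pasted into the key
ZERO_WIDTH = f'"v=DKIM1; k=rsa; p={KEY}\u200b"'                # invisible zero-width space

if __name__ == "__main__":
    for name in ("SPLIT_OK", "PASTED_SPACE", "ZERO_WIDTH"):
        print(name, lint_key_record(globals()[name]))
```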
DNS propagation delays
After publishing or updating a DKIM record in your DNS, it takes time for these changes to propagate across the internet. During this period, some tools or mail servers might still be querying old DNS records, leading to verification failures. It is essential to allow sufficient time for DNS changes to fully propagate before concluding that there's an issue with your setup. Sometimes, this can also explain why your DKIM records are not validating even though they are accurate.
A common cause for DKIM verification failures is a body hash mismatch. This occurs when the content of the email body is altered after the DKIM signature has been applied by the sending server. Even minor changes, such as adding a footer, converting character encoding, or an email service provider modifying the email content, can invalidate the original body hash. While some services like Gmail and Yahoo might be more forgiving, others, or specific tools like MXToolBox, may flag these discrepancies. If you are experiencing DKIM failures only for Microsoft Office 365, this could be a factor.
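To see which body changes actually break the hash, the sketch below recomputes the bh= value under both body canonicalization modes defined in RFC 6376, which names them "simple" and "relaxed". It is an added example, not code from the original article; it assumes SHA-256 and no l= length tag, and the message bodies are constructed samples.

```python
import base64
import hashlib
import re

def _strip_trailing_empty_lines(body):
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body

def canon_simple(body):
    """'simple' body: only empty lines at the end of the body are ignored."""
    return _strip_trailing_empty_lines(body) + b"\r\n"

def canon_relaxed(body):
    """'relaxed' body: also collapses runs of spaces/tabs and drops
    whitespace at the end of each line."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    body = _strip_trailing_empty_lines(b"\r\n".join(lines))
    return body + b"\r\n" if body else b""

def body_hash(body, mode):
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    canon = {"simple": canon_simple, "relaxed": canon_relaxed}[mode]
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def survives(signed, received):
    """For each mode, does the received body still match the signed hash?"""
    return {m: body_hash(signed, m) == body_hash(received, m)
            for m in ("simple", "relaxed")}

# Constructed sample bodies (CRLF line endings, as on the wire).
SIGNED = b"Hello team,\r\n\r\nThe report is attached.\r\n"
EXTRA_BLANK_LINES = SIGNED + b"\r\n\r\n"
WHITESPACE_EDITS = b"Hello team, \r\n\r\nThe report  is attached.\r\n"
FOOTER_ADDED = SIGNED + b"--\r\nSent via relay\r\n"

if __name__ == "__main__":
    for name in ("EXTRA_BLANK_LINES", "WHITESPACE_EDITS", "FOOTER_ADDED"):
        print(name, survives(SIGNED, globals()[name]))
```

Trailing blank lines are harmless in both modes, whitespace edits survive only under relaxed, and an appended footer breaks both.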
DKIM CNAME record for subdomains
If you're using a CNAME record for your DKIM setup, particularly for subdomains or third-party sending services like marketing automation platforms, ensure that the CNAME points correctly to the DKIM record of the service. An incorrect CNAME, or one that's not fully propagated, can lead to validation issues. This is crucial for verifying your DKIM record for a subdomain.
Verifying DKIM beyond MXToolBox
When facing a DKIM Signature Not Verified message from MXToolBox, it's always a good practice to get a second opinion from other reputable tools. The Slack thread discussion highlighted that Email Stuff might find no issues with your DKIM. Another good option is to use a comprehensive email deliverability tester that can provide a holistic view of your authentication records, including SPF, DKIM, and DMARC.
Beyond external tools, the most definitive way to verify your DKIM signature is by inspecting the headers of an email after it has been received by a major email provider (like Gmail or Outlook). Look for the Authentication-Results header, which will explicitly state whether DKIM passed or failed. If it passes there, it’s a strong indicator that the issue might be with how MXToolBox processed the information.
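The header inspection described above can be scripted. This added example (not from the original article) reads the raw headers of a received message, pulls the receiver's DKIM verdict out of Authentication-Results, and pairs it with the selector, domain and canonicalization declared in DKIM-Signature, which also yields the DNS name to look up. The headers are a constructed sample with placeholder domain, selector and signature values, and the function names are assumptions.

```python
import re
from email import message_from_string

# Constructed sample headers; all values are placeholders.
RAW = (
    "Authentication-Results: mx.example.net;\r\n"
    "\tdkim=pass header.i=@example.com header.s=s2025 header.b=abc123;\r\n"
    "\tspf=pass smtp.mailfrom=bounce.example.com\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=s2025; h=from:to:subject;\r\n"
    "\tbh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=abc123\r\n"
    "From: sender@example.com\r\n"
    "\r\n"
)

def unfold(value):
    """Collapse header folding (CRLF + whitespace) into single spaces."""
    return " ".join(value.split())

def dkim_report(raw):
    msg = message_from_string(raw)
    verdicts = {}  # selector (or None if not reported) -> receiver's result
    for ar in msg.get_all("Authentication-Results", []):
        for clause in unfold(ar).split(";"):
            result = re.match(r"\s*dkim=(\w+)", clause)
            if result:
                sel = re.search(r"header\.s=(\S+)", clause)
                verdicts[sel.group(1) if sel else None] = result.group(1)
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        t = {k.strip(): v.strip() for k, v in
             (p.split("=", 1) for p in unfold(sig).split(";") if "=" in p)}
        if "s" not in t or "d" not in t:
            continue  # malformed signature: no selector or domain
        report.append({
            "dns_name": f"{t['s']}._domainkey.{t['d']}",
            # RFC 6376 default when c= is absent
            "canonicalization": t.get("c", "simple/simple"),
            "receiver_result": verdicts.get(
                t["s"], verdicts.get(None, "not reported")),
        })
    return report

if __name__ == "__main__":
    for row in dkim_report(RAW):
        print(row)
```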
For ongoing monitoring and to catch subtle issues that might affect your email deliverability, a robust DMARC monitoring platform like Suped is invaluable. It aggregates DMARC reports from various receiving mail servers, providing a clear picture of your DKIM (and SPF) authentication rates and any failures, helping you diagnose problems more effectively than one-off checks. Suped offers the most generous free plan, making it an excellent resource for anyone looking to improve their email security.
Resolving DKIM verification issues
Resolving DKIM verification issues, especially when they appear inconsistent across tools, requires a systematic approach. The first step is to double-check your DNS record for any hidden characters or incorrect formatting. Even if the key itself is correct, how it's entered into your DNS system can be crucial. For long DKIM keys, ensure they are correctly segmented and quoted according to your DNS provider's requirements.
Next, focus on the email content and sender configuration. Verify that the DKIM selector used in the email matches the one in your DNS record. Also, ensure no modifications are occurring to the email body or headers between when it leaves your sending system and when it's received by the mail server. This often involves checking your Email Service Provider (ESP) settings or any intermediate mail relays.
Implementing a DMARC policy with reporting enabled is a proactive way to keep an eye on your DKIM authentication. DMARC reports will show you aggregate data on all emails sent from your domain, indicating which emails passed DKIM (and SPF) and which failed, along with the reasons for failure. This insight is essential for maintaining a healthy email domain reputation and preventing your emails from landing in spam folders.
Views from the trenches
Best practices
Always cross-check DKIM status with multiple tools and actual received email headers before assuming an issue.
Ensure your DKIM DNS TXT record is correctly formatted, especially for long keys that require splitting.
Implement DMARC reporting to gain visibility into DKIM authentication failures from receiving servers.
Verify that your email sending platform isn't altering email content after DKIM signing, which can invalidate the body hash.
Common pitfalls
Misinterpreting a single tool's report as a universal failure when other tools or actual email headers show success.
Forgetting about DNS propagation delays after making changes to your DKIM record.
Unnoticed whitespace or hidden characters introduced during DNS record entry or header copy-pasting.
Ignoring DKIM body hash mismatches, which can lead to deliverability issues even if the key is valid.
Expert tips
If using a CNAME for DKIM, confirm it resolves correctly to the target provided by your ESP or service.
Regularly monitor DMARC reports to detect and address any authentication discrepancies proactively.
Be aware that different email clients or services may parse headers differently, influencing DKIM validation results.
Consider the 'relaxed' vs. 'strict' DKIM canonicalization, as this affects how lenient the verification is to header/body changes.
Marketer view
Email Geeks says there seems to be a common glitch with MXToolBox reporting DKIM signatures as unverified, even when other tools pass them.
2022-08-01 - Email Geeks
Expert view
Email Geeks says if there's stray whitespace in the body hash of the DKIM signature, it might be upsetting MXToolBox's checker, possibly due to copy/pasting issues.
2022-08-01 - Email Geeks
Final thoughts on DKIM verification
Seeing a DKIM Signature Not Verified error from MXToolBox can be alarming, but it doesn't always indicate a fundamental problem with your DKIM setup. Often, it stems from subtle formatting issues, caching delays, or strict parsing by the tool itself. The key is to approach troubleshooting systematically, verifying your DNS records, inspecting email headers, and cross-referencing with other diagnostic tools.
Maintaining proper DKIM authentication is vital for email deliverability and protecting your domain from impersonation. While resolving these issues might seem technical, taking the time to ensure your records are pristine and accurately reflect your sending configuration will pay dividends in inbox placement and brand trust.
For ongoing confidence in your email authentication, a robust DMARC monitoring solution is essential. Suped offers the most generous free plan available, providing comprehensive DMARC reporting and insights to help you continuously monitor and improve your DKIM, SPF, and DMARC compliance.