Suped
Summary
MXToolbox reports DKIM verification failures for many reasons. These include potential glitches within MXToolbox itself, DNS record errors such as syntax mistakes or incorrect key placement, whitespace or line break issues within email headers or body, DNS propagation delays after updating records, DKIM selector mismatches, invalid characters in the DKIM record, problems related to subdomain DKIM configuration, conflicts arising from multiple DKIM records, signature manipulation during transit, incorrect key retrieval, signing process problems, and even exceeding DKIM key size limitations. It's essential to verify results with other tools, check raw email headers, validate DKIM syntax, ensure the correct selector is used, verify proper subdomain configurations, and allow ample time for DNS propagation.

Key findings

  • MXToolbox Glitches: MXToolbox may have internal glitches, resulting in false DKIM verification failures.
  • DNS Record Errors: Incorrect DNS configuration, typos, or improper key placement in the DKIM record are common issues.
  • Whitespace/Line Breaks: Whitespace or line breaks within email headers or body can cause DKIM verification problems.
  • DNS Propagation Delays: DNS propagation delays following record updates can temporarily cause failures.
  • DKIM Selector Mismatch: Mismatch between the DKIM selector in the email header and the one used for key generation can lead to failures.
  • Invalid Characters: Invalid characters or formatting problems within the DKIM record may cause failures.
  • Subdomain Configuration Issues: Failures may occur due to incorrect subdomain delegation or missing DKIM records for specific subdomains.
  • Multiple DKIM Records: Conflicts or errors can arise from multiple DKIM records that are not properly configured.
  • Signature Manipulation: DKIM signatures may be manipulated during transit, causing verification failures.
  • Key Retrieval Problems: Incorrect key retrieval can lead to DKIM signature verification failures.
  • Key Size Limitations: Exceeding DKIM key size limitations can cause validation errors.
  • Signing Process Problems: Issues during the DKIM signing process itself can contribute to verification failures.
  • False Positives: MXToolbox can occasionally report false positives.

Key considerations

  • Verify with Other Tools: Always confirm DKIM failures with multiple tools.
  • Check Raw Headers: Examine raw email headers for detailed authentication results.
  • Validate DKIM Syntax: Use online tools to thoroughly validate DKIM record syntax for accuracy.
  • Ensure Proper DNS Propagation: Allow ample time (24-48 hours) for DNS changes to fully propagate after updates.
  • Verify DKIM Selector: Ensure the DKIM selector is correctly configured in DNS and in email sending software.
  • Check for Formatting Errors: Review DKIM records for typos, special characters, and formatting issues.
  • Configure Subdomain DKIM: Configure specific DKIM records for each sending subdomain.
  • Manage Multiple DKIM Records Carefully: Manage multiple DKIM keys separately to avoid conflicts.
  • Check Authentication at Multiple Receivers: Verify authentication results with multiple receivers to confirm issues.
What email marketers say
9 marketer opinions
MXToolbox may report DKIM verification failures due to various reasons, including glitches in MXToolbox itself, whitespace or line break issues in email headers, DNS propagation delays, incorrect DKIM record syntax, incorrect selector usage, invalid characters in the DKIM record, issues with subdomain DKIM configuration, conflicts from multiple DKIM records, or false positives. Verifying with other tools and checking raw email headers is recommended.

Key opinions

  • MXToolbox Glitches: MXToolbox might have glitches, leading to false DKIM verification failures.
  • Whitespace/Line Breaks: Whitespace or line breaks in email headers or bodies can cause DKIM verification issues.
  • DNS Propagation: DNS propagation delays after DKIM record updates can result in temporary failures.
  • Syntax Errors: Incorrect syntax, missing semicolons, or invalid key values in the DKIM record can lead to failures.
  • Selector Mismatch: Using the wrong DKIM selector during signing or DNS querying can cause verification problems.
  • Invalid Characters: Invalid characters or formatting issues in the DKIM record may cause failures.
  • Subdomain Issues: Incorrect subdomain delegation or missing DKIM records for subdomains can cause issues.
  • Multiple Records: Having multiple DKIM records without proper configuration can lead to conflicts.
  • False Positives: MXToolbox might report false positives, necessitating verification with other tools.

Key considerations

  • Verify with Other Tools: Confirm DKIM failures with multiple tools to avoid acting on false positives from MXToolbox.
  • Check Raw Headers: Inspect raw email headers for authentication results to identify the specific cause of the DKIM failure.
  • Validate DKIM Syntax: Use online tools to validate the DKIM record syntax for correctness.
  • Wait for Propagation: Allow sufficient time (24-48 hours) for DNS changes to propagate fully after updating DKIM records.
  • Verify Selector: Ensure the DKIM selector used in the signing process matches the one specified in the email headers and DNS record.
  • Check Formatting: Carefully check the DKIM record for typos, special characters, and formatting issues.
  • Subdomain Configuration: Configure individual DKIM records for each sending subdomain if DKIM fails for subdomains.
  • Manage Multiple Records: Properly manage and separate DKIM keys if using multiple DKIM records to avoid conflicts.
Marketer view
Email marketer from Email on Acid shares that incorrect syntax in the DKIM DNS record, such as missing semicolons or incorrect key values, can lead to verification failures. They suggest using online tools to validate the DKIM record syntax.
12 May 2022 - Email on Acid
Marketer view
Email marketer from SuperUser explains that using the wrong DKIM selector in the signing process or when querying the DNS record can cause verification failures. It suggests verifying that the selector used matches the one specified in the email headers.
31 May 2021 - SuperUser
What the experts say
5 expert opinions
MXToolbox might report DKIM verification failures due to whitespace in the DKIM signature's body hash, DNS record errors (syntax, typos), or a DKIM selector mismatch, or the report may simply be a false positive. It's important to validate DNS records, verify the DKIM selector, and check authentication at multiple receivers.

Key opinions

  • Whitespace in DKIM Signature: Whitespace in the body hash of the DKIM signature can cause MXToolbox to report a failure.
  • DNS Record Errors: DNS record errors, such as incorrect syntax, typos, or improper key placement, are common reasons for DKIM verification failure.
  • DKIM Selector Mismatch: If the DKIM selector in the email header does not match the selector used to generate the DKIM key pair, MXToolbox will report a failure.
  • Possible False Positive: The DNS record might be correct, and other tools might not report a problem, suggesting a false positive from MXToolbox.

Key considerations

  • Validate DNS Records: Carefully validate the DKIM DNS record using online tools to ensure correctness.
  • Verify DKIM Selector: Ensure the email sending software uses the correct DKIM selector.
  • Check Authentication at Multiple Receivers: If one vendor flags DKIM problems, check authentication at multiple receivers to confirm the issue.
Expert view
Expert from Email Geeks responds that the DNS record is syntactically correct and all tools agree. The signature may not be, but only MXToolbox has seen that.
15 Sep 2021 - Email Geeks
Expert view
Expert from Spamresource explains that DNS record errors, such as incorrect syntax, typos, or improper key placement, are common reasons for DKIM verification failure in MXToolbox. They advise carefully validating the DKIM DNS record using online tools to ensure correctness.
3 Mar 2024 - Spamresource
What the documentation says
6 technical articles
DKIM signature verification failures can occur for various reasons outlined in technical documentation. These include signature manipulation during transit, incorrect DNS configuration, changes to the message body after signing, problems with the signing process or DKIM signing software, DKIM selector mismatch, key mismatch, syntax errors, and exceeding DKIM key size limitations. Troubleshooting involves verifying the selector, ensuring the correct public/private key pair is used, validating DNS configuration and record syntax, and adhering to key size limits.

Key findings

  • Signature Manipulation: DKIM signatures can be altered during transit, leading to verification failures.
  • Incorrect DNS Configuration: Incorrectly configured DNS records are a common cause of DKIM failure.
  • Message Body Changes: Changes to the message body after DKIM signing will invalidate the signature.
  • Signing Process Issues: Problems with the DKIM signing process or software can cause verification failures.
  • Selector Mismatch: A mismatch between the selector in the DKIM record and the one used for signing can cause failures.
  • Key Mismatch: A mismatch between the public key in DNS and the private key used for signing will cause failures.
  • Key Size Limitations: Exceeding the allowed key size (e.g., using keys larger than 2048 bits) can lead to validation errors.

Key considerations

  • Verify DNS Configuration: Ensure that the DKIM DNS record is correctly configured and published.
  • Validate DNS Record: Carefully validate the DKIM record for syntax errors and other issues.
  • Check Selector: Verify that the selector in the DKIM record matches the one used for signing.
  • Ensure Key Match: Ensure that the public key in DNS matches the private key used for signing.
  • Adhere to Key Size Limits: Use a supported key size (e.g., 1024 or 2048 bits) to avoid validation errors.
  • Test DKIM Configuration: Use available tools to test and diagnose DKIM issues and verify that the configuration is working correctly.
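
The whitespace and body-change failures listed above come down to how the body is canonicalized before it is hashed. The sketch below is an added example, not taken from the cited documentation: it implements the two body canonicalizations defined in RFC 6376 (simple and relaxed) and compares the resulting bh= values. The sample bodies and function names are constructed for illustration.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """simple: only empty lines at the end of the body are ignored."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """relaxed: also collapse runs of spaces/tabs and drop them at line ends."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, mode: str) -> str:
    """Value a signer or verifier computes for bh= (SHA-256, no l= limit)."""
    canon = canon_relaxed(body) if mode == "relaxed" else canon_simple(body)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def survives(signed: bytes, received: bytes, mode: str) -> bool:
    """True if the body hash computed on receipt still matches the signed one."""
    return body_hash(signed, mode) == body_hash(received, mode)

# Constructed sample bodies (CRLF line endings, as on the wire).
SIGNED = b"Hello team,\r\n\r\nThe report is attached.\r\n"
# A relay added a trailing space, doubled a space and appended a blank line.
REWRAPPED = b"Hello team, \r\n\r\nThe  report is attached.\r\n\r\n"
# A mailing list appended a footer: a real content change.
FOOTER = SIGNED + b"-- \r\nSent via list\r\n"

if __name__ == "__main__":
    for name, received in (("rewrapped", REWRAPPED), ("footer", FOOTER)):
        for mode in ("simple", "relaxed"):
            print(name, mode, "pass" if survives(SIGNED, received, mode) else "fail")
```

Whitespace-only changes break a signature made with simple body canonicalization but not one made with relaxed; an appended footer breaks both.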
Technical article
Documentation from AWS explains that there are key size limitations for DKIM, and that if the key size in the DKIM record exceeds these limits it may cause validation errors. Key sizes of 1024 or 2048 bits are most commonly used.
22 Dec 2022 - Amazon Web Services
Technical article
Documentation from OpenDKIM.org details troubleshooting DKIM issues, which often involves verifying that the selector in the DKIM record matches the one used for signing and ensuring that the public key in the DNS record matches the private key used for signing.
13 Feb 2025 - OpenDKIM.org
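
An added example (not OpenDKIM's or MXToolbox's code) of the selector, syntax and multiple-record checks described above: derive the DNS name a verifier queries from the s= and d= tags of a DKIM-Signature header, then lint the TXT record set published there. The sample header and records are constructed, the p= value is a short placeholder rather than a real key, and each list item stands for one TXT record with its character-strings already joined.

```python
import base64
import re

def parse_tags(text):
    """Split a DKIM tag=value list (RFC 6376, section 3.2) into (tags, problems)."""
    tags, problems = {}, []
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing semicolon is allowed
        name, sep, value = (s.strip() for s in part.partition("="))
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            problems.append(f"malformed tag: {part[:20]!r}")
        elif name in tags:
            problems.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
    return tags, problems

def query_name(signature_header):
    """DNS name a verifier queries for this signature: <s>._domainkey.<d>."""
    value = re.sub(r"(?i)^dkim-signature:", "", signature_header)
    tags, _ = parse_tags(value)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def lint_key_records(txt_records):
    """Return the problems found in the TXT record set published at the query name."""
    if len(txt_records) != 1:
        return [f"expected exactly one TXT record, found {len(txt_records)}"]
    tags, problems = parse_tags(txt_records[0])
    if "v" in tags and (tags["v"] != "DKIM1" or next(iter(tags)) != "v"):
        problems.append("v= must be DKIM1 and must be the first tag")
    if "p" not in tags:
        return problems + ["missing p= tag (public key)"]
    key_b64 = re.sub(r"\s+", "", tags["p"])  # whitespace inside p= is legal
    try:
        base64.b64decode(key_b64, validate=True)
    except ValueError:  # covers binascii.Error and non-ASCII input
        problems.append("p= is not valid base64 (stray or invalid characters)")
    if not key_b64:
        problems.append("empty p= means the key has been revoked")
    return problems

# Constructed sample data, not from the page; p= is a short placeholder, not a real key.
SIGNATURE = "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel2024;\r\n h=from:to; bh=AAAA; b=BBBB"
RECORDS = {
    "ok": ["v=DKIM1; k=rsa; p=TUlHZk1B MEdDU3FHU0li"],
    "missing_semicolon": ["v=DKIM1 k=rsa; p=TUlHZk1BMEdDU3FHU0li"],
    "pasted_quotes": ['v=DKIM1; k=rsa; p="TUlHZk1BMEdDU3FHU0li"'],
}
```

Feed it the TXT answers your resolver returns for the derived name; an empty answer points to a wrong selector, a missing subdomain record, or a change that has not propagated yet.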