Why does DKIM show a permerror (bad sig) only on Yahoo Mail?

Key findings

1. Consistency with other providers: If DKIM passes with other major providers such as Gmail or Outlook, it suggests the core DKIM setup, including the public key in DNS, is likely correct.
2. Yahoo's strictness: Yahoo Mail (and AOL) can be particularly strict with DKIM validation, sometimes rejecting emails for subtle issues that other mail services overlook.
3. Recent changes: Recent changes to your email sending infrastructure, mail server configuration, or DNS records (even non-DKIM related ones) can inadvertently impact how DKIM signatures are generated or verified.
4. DNS propagation: While DKIM public keys might appear correct on checkers, DNS propagation delays or caching issues, especially with low TTLs, can lead to receiving servers (like Yahoo) having an outdated or incorrect key.

Key considerations

1. Canonicalization method: Ensure your DKIM signing process uses a canonicalization method that is robust enough to handle minor changes in whitespace or line endings. Relaxed canonicalization is generally recommended for broader compatibility.
2. Header and body integrity: Investigate if any intermediate mail servers or mailing list software are modifying the email headers or body after the DKIM signature has been applied. Even subtle changes, like adding a footer or modifying a header field, can invalidate the signature.
3. DNS TTLs: While making changes, it is tempting to use low DNS Time-To-Live (TTL) values. However, for stable records like DKIM TXT records, consider setting TTLs to 300 seconds or ideally around 3600 seconds to minimize caching issues.
4. Diagnostic tools: Utilize available tools and analyze DMARC reports to diagnose DKIM setup issues. Pay close attention to differences in authentication results reported by various ISPs.
5. Debugging: If possible, obtain the full email headers (including all whitespace) from messages that failed DKIM on Yahoo Mail. This information can reveal subtle differences in how Yahoo parses the email compared to other mail services. Issues like body hash mismatches can sometimes be traced to these details.

Key opinions

1. Puzzling behavior: Many marketers report that only Yahoo Mail exhibits this DKIM permerror, while their emails successfully pass authentication on platforms like Gmail and Hotmail.
2. Impact of changes: The issue often arises or becomes more noticeable after substantial changes to the sending infrastructure, even when the DKIM public key remains consistent.
3. Initial checks: The first instinct is to verify DKIM validity using online checkers, which typically show the signature as correct, deepening the mystery of Yahoo's rejection.
4. Suspected causes: Some marketers suspect subtle formatting issues, like CRLF (carriage return/line feed) problems, might be contributing to the specific failure at Yahoo.

Key considerations

1. DNS stability: Rapid DNS changes (e.g., fast TTLs) for convenience during development can inadvertently lead to DKIM failures due to propagation issues, especially if a mail service pulls an old key.
2. Header and content canonicalization: Be mindful that subtle changes to email headers or body content by your mail server or an intermediate relay after signing can invalidate the DKIM signature upon verification. Ensure your canonicalization is robust.
3. Vendor-specific parsing: Recognize that different ISPs may have slightly varied, stricter, or unique parsing behaviors for email headers and bodies, which can explain why a DKIM signature might pass elsewhere but fail on Yahoo.
4. Yahoo's deliverability: If experiencing persistent issues, it's worth reviewing general Yahoo Mail deliverability guidelines, as DKIM is just one factor.
5. OpenDKIM configurations: For those using OpenDKIM, specific configurations can lead to unexpected validation issues, especially with long headers or complex email structures.

Key opinions

1. DNS TTLs: Fast DNS TTLs (Time-To-Live) can sometimes exacerbate DNS provider issues, leading to DKIM failures because receiving servers might retrieve old or unpropagated keys.
2. Detailed headers: Sharing exact email headers, including whitespace, along with authentication results from both failing (Yahoo) and passing (Gmail) services, is crucial for pinpointing the exact issue.
3. Content modification: Subtle changes to email content or headers after signing, whether intentional or accidental, are frequently cited as causes for DKIM validation failures.
4. Canonicalization differences: Variations in canonicalization rules used by different email providers can lead to valid signatures for some but not others, particularly with non-standard header formatting.

Key considerations

1. Header and body canonicalization: Review your DKIM signing process to ensure the canonicalization method (e.g., relaxed/relaxed) is correctly implemented and robust against minor modifications in transit. This is critical for preventing DKIM temperrors and permerrors.
2. Private key management: Verify that the private key used for signing is correct, hasn't been corrupted, and corresponds to the public key published in DNS. Incorrect key usage is a common cause of bad sig errors.
3. Mail flow inspection: Thoroughly inspect all points in your email sending path (e.g., email service provider, in-house SMTP server, third-party relays) to ensure no system is inadvertently altering the email after the DKIM signature is applied. Even something as simple as a footer can break the signature.
4. DNS record health: Ensure your DKIM TXT record is correctly formatted and accessible globally, as some DNS servers or networks might have issues resolving it. Even if you're not seeing a no DKIM record found error, subtle issues can exist.
5. Monitor reports: Leverage DMARC aggregate reports to gain visibility into authentication failures across all receiving domains, including specific reasons reported by Yahoo. This can help diagnose inconsistencies.

Key findings

1. Permanent failure: A permerror indicates that the DKIM signature failed verification in a way that is not temporary, suggesting an issue with the signature itself or the key used.
2. Signature mismatch: The specific bad sig error means the computed hash of the email (headers and/or body) at the receiving end does not match the hash provided in the DKIM-Signature header field.
3. Canonicalization impact: The choice and correct application of canonicalization algorithms (simple or relaxed for header and body) are critical, as they dictate how the email is prepared before hashing.
4. DNS record accuracy: The public key published in the DNS TXT record must precisely match the private key used for signing, and the record itself must be correctly formatted.

Key considerations

1. Adherence to RFCs: Ensure your DKIM implementation strictly adheres to the specifications outlined in RFC 6376, particularly regarding the signing process, header selection, and canonicalization.
2. Message integrity: Any modification to the email message, including headers, body, or even line endings (CRLF), after the DKIM signature has been generated will invalidate the signature and result in a bad sig error.
3. DKIM selector: Verify that the DKIM selector specified in the s= tag of your DKIM-Signature header correctly points to the corresponding public key in DNS.
4. Length tag: If your DKIM signature includes an optional l= (body length) tag, ensure its value accurately reflects the canonicalized length of the signed portion of the email body. A mismatch will cause validation to fail.
5. Combined authentication: Understand that DKIM works in conjunction with SPF and DMARC to establish email authenticity. A DKIM failure will impact DMARC alignment, influencing inbox placement. For more, see our simple guide to DMARC, SPF, and DKIM.
6. DMARC reports: Aggregate DMARC reports provide valuable insights into authentication results and can help identify specific failure types and sources of DKIM permerrors.