Why does DKIM show a permerror (bad sig) only on Yahoo Mail?
Michael Ko
Co-founder & CEO, Suped
Published 4 May 2025
Updated 19 Aug 2025
9 min read
It can be incredibly frustrating to see your DomainKeys Identified Mail (DKIM) signature pass authentication checks everywhere except for one specific mail provider. I often hear from senders who encounter a 'permerror (bad sig)' specifically when sending to Yahoo Mail. This error indicates a permanent failure, meaning the digital signature applied to your email message does not match the one the receiving server expects after verification. Unlike a temporary error, a permerror signals a fundamental issue that requires direct intervention to resolve.
When DKIM passes with other major providers like Gmail and Outlook, it usually points to a specific sensitivity or processing difference on Yahoo's side. This problem can severely impact your email deliverability to Yahoo recipients, potentially leading to messages being quarantined, rejected, or sent directly to the spam folder. Identifying the root cause is crucial for maintaining your sending reputation and ensuring your emails reach their intended audience.
I've seen many cases where a perfectly valid DKIM setup for most of the internet suddenly hits a wall with Yahoo. It's often due to subtle factors that other mail servers might overlook or handle more leniently. Understanding these nuances is key to diagnosing and fixing the issue.
A DKIM 'permerror (bad sig)' specifically indicates that the cryptographic signature generated by your sending server does not match the signature recalculated by the receiving server. This happens because the content used to create the signature on your end differs from the content Yahoo's mail servers are validating. The 'bad sig' part means the digital signature itself is incorrect after hashing the message.
DKIM works by hashing specific parts of your email, such as the headers and body, and then signing that hash with a private key. The receiving server fetches your public key from your domain's DNS record, uses it to verify this signature, and re-computes the hash of the message it actually received. If the two hashes don't match, the DKIM validation fails permanently. This check is a fundamental part of email authentication, designed to prevent email spoofing and ensure message integrity.
The signature is found within the DKIM-Signature header, which contains various tags, including the signature itself (b=), the signed header fields (h=), and the body hash (bh=). If any of these elements, or the signed content itself, is altered between signing and reception, the signature becomes invalid.
When you see a 'permerror (bad sig)' only on Yahoo Mail, it often boils down to subtle differences in how Yahoo processes or validates incoming messages compared to other ISPs. Here are some of the most common culprits I've identified:
Body hash mismatch due to message modification
This is by far the most frequent reason for a bad DKIM signature. The body hash (bh=) in the DKIM signature is calculated based on the email's body content at the time of signing. If anything, even a single space or a newline character, is added, removed, or changed in the email body or headers after the signature is applied but before Yahoo receives it, the hash it re-computes won't match the one in the signature. This immediately triggers a 'bad sig' error.
Common culprits for this include: email service providers (ESPs) adding tracking pixels or footers, content delivery networks (CDNs) modifying links, or even your own mail server adding or removing headers or making subtle changes to character encoding. Yahoo (and AOL, which is part of Yahoo) tends to be particularly stringent about these modifications.
DNS caching or propagation delays
While you might have verified your DKIM record elsewhere, Yahoo's DNS resolvers might be caching an old version of your DKIM public key, or there could be a propagation delay for recent DNS changes. If Yahoo retrieves an outdated public key, it won't be able to correctly verify the signature of emails signed with your new private key. This is especially true if you've recently rotated your DKIM keys or made other DNS modifications. Always check your DKIM record and its Time To Live (TTL) value.
I've seen situations where decreasing the DNS TTL for convenience during changes can actually aggravate DNS provider issues, leading to DKIM failures.
Typical DKIM validation
Relaxed canonicalization: Most providers use relaxed canonicalization for headers and body, which tolerates minor changes like whitespace or header field reordering. This makes them more forgiving of transit modifications.
Error reporting: Will generally report a permerror (bad sig) if the signature truly doesn't match, but might pass even with slight deviations.
Yahoo Mail's strict validation
Canonicalization sensitivity: Yahoo can be less forgiving with even minor modifications, especially regarding line endings (CRLF vs LF) or trailing whitespace. What other providers might ignore, Yahoo might flag as a 'bad sig'. This means that any intermediate email processing that alters the message's structure, even subtly, can break the DKIM signature for Yahoo.
DNS query strictness: They might have stricter DNS lookup policies or cache refresh rates that make them more prone to issues if your DKIM record is not consistently available or correctly formatted.
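The body hash and canonicalization behaviour described above, as an added example that is not part of the original article: a minimal implementation of RFC 6376 simple and relaxed body canonicalization, with the bh= value recomputed over a constructed message body and three constructed in-transit modifications, showing which changes each mode tolerates.

```python
import base64
import hashlib
import re


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse WSP runs to one SP, strip trailing
    WSP on each line, drop trailing empty lines, end with one CRLF (an empty body stays empty)."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in body.split(b"\r\n")]
    canon = b"\r\n".join(lines)
    while canon.endswith(b"\r\n"):
        canon = canon[:-2]
    return canon + b"\r\n" if canon else b""


def body_hash(body: bytes, canon: str) -> str:
    """The bh= value for rsa-sha256: base64 of SHA-256 over the canonicalized body."""
    fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    return base64.b64encode(hashlib.sha256(fn(body)).digest()).decode("ascii")


# Constructed body as it left the signer, plus three constructed modifications made in transit.
ORIGINAL = b"Hello,\r\n\r\nYour order has shipped.\r\n"
VARIANTS = {
    "trailing_whitespace": b"Hello,  \r\n\r\nYour order has shipped.\r\n",
    "extra_blank_lines": ORIGINAL + b"\r\n\r\n",
    "footer_added": ORIGINAL + b"--\r\nSent via an ESP\r\n",
}


def check_variants(canon: str) -> dict:
    """For each modified body: does the receiver's recomputed bh= still match the signed one?"""
    signed_bh = body_hash(ORIGINAL, canon)
    return {name: body_hash(body, canon) == signed_bh for name, body in VARIANTS.items()}


if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, check_variants(mode))
```

The appended footer breaks the hash in both modes, which is why a service that rewrites the body after signing produces a bad sig regardless of the canonicalization chosen.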
Troubleshooting a DKIM permerror for Yahoo Mail
Diagnosing a DKIM 'permerror (bad sig)' that only appears on Yahoo requires a systematic approach. Here are the steps I recommend taking:
Analyze email headers from Yahoo
The most crucial step is to obtain the raw email headers from an email that failed DKIM validation in Yahoo. Look for the Authentication-Results header. It will typically provide details on the DKIM failure, often explicitly stating 'dkim=permerror (bad sig)'. Then, compare the DKIM-Signature header in the Yahoo email with one from a Gmail or Outlook message where DKIM passed. Pay close attention to subtle differences in headers or body content sections that might be included in the signature.
Verify your DKIM DNS record
Double-check that your DKIM TXT record is correctly published for the selector (s=) used in your DKIM-Signature header. Pay attention to the public key itself and ensure there are no unintended whitespace characters or transcription errors. You can use an online DKIM validation tool to confirm the record is correctly retrieved. Also, check the TTL (Time To Live) of your DKIM TXT record. If it's very low, it might cause issues with Yahoo's caching.
Investigate email content and sending process
Since Yahoo is strict, any changes in transit can cause a 'bad sig'. Look into your email sending platform or any intermediate services (like an ESP, marketing automation platform, or security gateway) that might be altering the email after your server signs it. Even seemingly innocuous changes like character set conversions, HTML reformatting, or the addition of unsubscribe links can invalidate the signature. This is especially relevant if you are facing DKIM body hash mismatch failures.
Ensure DMARC alignment
While DKIM failing at Yahoo is a direct DKIM issue, it's worth noting its impact on DMARC. DMARC requires either SPF or DKIM to pass authentication AND to align with the From: domain. If your DKIM signature is failing with a 'permerror (bad sig)', your DMARC check will also fail for DKIM. This can then lead to your emails being rejected by Yahoo if your DMARC policy is set to quarantine or reject. For more details on DMARC, you can consult the DMARC RFC 7489. Reviewing your DMARC reports can provide valuable insights into where and why your emails are failing authentication.
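The header analysis in the steps above, as an added example that is not the article's own code: it unfolds raw headers, pulls the dkim= result and reason out of Authentication-Results, splits DKIM-Signature into its tags, and lists the tags that differ between a failing copy and a passing copy. Both header sets are constructed for illustration.

```python
import re

# Constructed raw headers for illustration (not from real messages); folded lines start with WSP.
YAHOO_COPY = """\
Authentication-Results: mta.example.yahoo; dkim=permerror (bad sig) header.i=@example.com
 header.s=sel2025; spf=pass smtp.mailfrom=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel2025;
 h=from:to:subject:date; bh=Y29uc3RydWN0ZWQtYmg=; b=Y29uc3RydWN0ZWQtYg==
"""
GMAIL_COPY = """\
Authentication-Results: mx.example.gmail; dkim=pass header.i=@example.com header.s=sel2025
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2025;
 h=from:to:subject:date; bh=YW5vdGhlci1iaA==; b=YW5vdGhlci1i
"""


def unfold(raw):
    """Join folded continuation lines; return {lowercase header name: [values]}."""
    headers, current = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and current:
            headers[current][-1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            current = name.strip().lower()
            headers.setdefault(current, []).append(value.strip())
    return headers


def parse_tags(sig):
    """Split a DKIM-Signature value into tag=value pairs; folding whitespace inside values is dropped."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def dkim_result(raw):
    """Return (result, reason) from Authentication-Results, e.g. ('permerror', 'bad sig')."""
    ar = unfold(raw).get("authentication-results", [""])[0]
    m = re.search(r"dkim=(\w+)(?:\s*\(([^)]*)\))?", ar)
    return (m.group(1), m.group(2) or "") if m else ("none", "")


def compare_signatures(raw_a, raw_b, ignore=("b", "bh", "t", "x")):
    """Tags whose values differ between two DKIM-Signature headers, skipping per-message tags."""
    a = parse_tags(unfold(raw_a)["dkim-signature"][0])
    b = parse_tags(unfold(raw_b)["dkim-signature"][0])
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if k not in ignore and a.get(k) != b.get(k)}


if __name__ == "__main__":
    print(dkim_result(YAHOO_COPY), compare_signatures(YAHOO_COPY, GMAIL_COPY))
```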
| DKIM tag | Description | Potential impact on 'bad sig' |
| --- | --- | --- |
| v= | Version of DKIM. | Incorrect version can cause immediate failure. |
| a= | Signing algorithm. | Mismatch with public key or receiver's supported algorithms leads to 'bad sig'. |
| d= | Signing domain. | If domain is incorrect or DNS record unreachable, validation fails. |
| s= | Selector for the public key. | Most common cause of 'no key for signature' permerror if incorrect. |
| h= | Signed header fields. | If a signed header is altered or missing, 'bad sig' can occur. |
| bh= | Body hash. | Body modifications, even subtle, lead to mismatch and 'bad sig'. |
Preventing future DKIM permerrors
To prevent future DKIM permerrors, especially with strict receivers like Yahoo, I recommend implementing these best practices:
Standardize email canonicalization: Use 'relaxed/relaxed' canonicalization if possible. This makes your DKIM signature more resilient to minor modifications in transit. However, be aware that some stricter providers (like Microsoft) might still present issues, as highlighted in Office 365 DKIM failures.
Minimize intermediate processing: If you use multiple services in your email flow (e.g., an email marketing platform, an SMTP relay, or a security filter), ensure they are DKIM-aware and do not alter the email content after the signature is applied.
Monitor DNS changes: Be careful with DNS TTL values when making changes to your DKIM records. A high TTL (e.g., 3600 seconds) is generally recommended for stability, but a lower TTL (e.g., 300 seconds) might be useful during active troubleshooting.
Implement DMARC reporting: Utilize DMARC reports to get aggregate and forensic data on your email authentication failures. These reports can show you exactly which providers (like Yahoo) are failing your DKIM and why, helping you pinpoint issues quickly.
Important best practice
Always send a test email to a Yahoo Mail address after making any changes to your DKIM configuration or email sending process. Don't rely solely on other testers, as Yahoo's validation process can be uniquely sensitive. Check the raw headers received in Yahoo to confirm DKIM status. This helps in real-time debugging and validation of your fixes.
Views from the trenches
Best practices
Always verify the raw email headers from the recipient, especially Yahoo, to understand the exact authentication results and any error codes.
If you change email sending infrastructure or DNS, closely monitor your DKIM authentication status for any unexpected failures.
Consider setting the DKIM canonicalization to 'relaxed/relaxed' if your email service provider supports it, to allow for minor modifications in transit.
Use a DMARC monitoring service to receive aggregate reports, which can highlight DKIM authentication failures across various mailbox providers.
Common pitfalls
Overlooking subtle changes in email content or headers introduced by intermediate servers or ESPs after DKIM signing.
Not accounting for DNS caching issues, especially with Yahoo, which might hold onto old DKIM public keys longer than expected.
Assuming that DKIM passing on other major providers means it will pass everywhere, neglecting Yahoo's unique validation strictness.
Failing to review the full email headers for clues on why the DKIM signature is considered 'bad'.
Expert tips
Examine the specific DKIM-Signature header elements like 'bh=' and 'h=' to identify if the body or signed headers are being altered.
Check for CRLF (Carriage Return Line Feed) issues or other whitespace changes that Yahoo's strict parsers might flag.
Ensure your DKIM DNS record's TTL is set appropriately to minimize propagation delays, especially if you recently rotated keys.
If all else fails, consider reaching out to Yahoo Postmaster support with specific header details for further assistance.
Expert view
Expert from Email Geeks says to check for any DNS issues during mail delivery or recent changes to DKIM keys or mail servers. It is important to confirm if the same message passed successfully at other providers like Gmail or Hotmail.
2024-03-14 - Email Geeks
Expert view
Expert from Email Geeks says that when senders are changing things, they often set fast DNS TTLs, which can exacerbate DNS provider issues that lead to DKIM failures. Always ensure DKIM TXT record TTLs are at least 300 seconds, and ideally around 3600 seconds.
2024-03-15 - Email Geeks
Resolving Yahoo's DKIM challenge
Encountering a DKIM 'permerror (bad sig)' solely with Yahoo Mail can be a perplexing challenge, but it's usually indicative of a subtle mismatch in how the email's content is handled or how the DNS record is perceived. By meticulously examining email headers, verifying your DKIM DNS record, and understanding the potential for intermediate message alterations, you can effectively diagnose and resolve the problem.
Proactive monitoring through DMARC reports and continuous testing remain your best tools for maintaining strong email authentication and ensuring reliable deliverability to all recipients, including those on Yahoo Mail. Remember that a consistently passing DKIM signature is foundational for good email reputation and inbox placement.