How to troubleshoot DKIM failures and which tools to use?

Matthew Whittaker
Co-founder & CTO, Suped
Published 27 May 2025
Updated 16 Aug 2025
8 min read
DKIM, or DomainKeys Identified Mail, is a critical email authentication standard that helps protect your brand's reputation and ensures your emails reach their intended recipients. It allows the recipient's email server to verify that an email was indeed sent by the domain owner and that the message hasn't been altered in transit. When DKIM fails, it can lead to your legitimate emails being marked as spam, rejected outright, or even blocklisted (blacklisted) by mailbox providers.
Troubleshooting DKIM failures can be a complex task, as there are many potential points of failure, from DNS misconfigurations to content alterations. I often find that pinpointing the exact cause requires a systematic approach and the right set of tools. This guide will walk you through the common reasons for DKIM failures and the practical steps and tools I use to diagnose and resolve them.

Understanding DKIM failures and their impact

The foundation of DKIM lies in cryptographic signatures and DNS records. When you send an email, your server generates a digital signature for the message and adds it to the email header. A corresponding public key is published in your domain's DNS as a TXT record. The receiving server then retrieves this public key and uses it to verify the signature. If the signature doesn't match, or if the key can't be found or is incorrect, DKIM authentication fails. These failures significantly impact email deliverability, especially when combined with DMARC policies set to quarantine or reject.
Common indicators of a DKIM failure include emails landing in spam folders, explicit bounce messages citing DKIM authentication issues, or reports from your Google Postmaster Tools or DMARC monitoring service. Understanding the exact error message is the first step. For instance, a 'body hash did not verify' error points to content alteration, while a 'no key for signature' error indicates a DNS issue. For more granular detail on errors, you can check the specific DMARC tags and meanings.
A common scenario is when DKIM fails at some Internet Service Providers (ISPs) but not others, which can be particularly frustrating. This often suggests an intermittent DNS propagation problem or an ISP-specific interpretation of the DKIM standard. Sometimes, even correct SPF and DKIM alignment doesn't guarantee a pass. The first step is always to verify your DNS records and then examine the email headers for clues.

Essential tools for initial diagnosis

When I encounter a DKIM failure, my immediate go-to is an online DKIM validator. These tools allow you to input your domain and DKIM selector to check if your public key is correctly published and accessible in your DNS. They often provide detailed feedback on any syntax errors, incorrect key lengths, or missing records. A reliable tool like the MXToolbox DKIM lookup tool is invaluable for this initial check. You can also use command-line tools like dig or nslookup to manually verify the TXT record containing your DKIM public key.
Example DNS lookup for a DKIM record (bash):
# replace 'selector' with the s= value from the message's DKIM-Signature header
dig selector._domainkey.yourdomain.com TXT +short
If the DNS record looks correct, the next step is to examine the full email headers of a failed message. The Authentication-Results header is particularly revealing, as it will state the specific reason for the DKIM failure. This can help differentiate between a public key issue and a message integrity problem. For detailed guidance, the Google Workspace Admin Help provides comprehensive steps to verify your DKIM setup.
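The dig output above is only half the check: the record must also parse as a valid DKIM key record. A 2048-bit RSA key is longer than the 255 octets a single TXT string can hold, so DNS providers publish it as several quoted strings, and a verifier concatenates them with nothing in between (RFC 6376 section 3.6.2.2). A provider that drops or splits those strings incorrectly produces exactly the truncated-key failures mentioned on this page. The following Python checker is an added example, not code from this article or from Suped: it joins the strings, parses the tag list, validates the base64, and reads the RSA modulus size out of the DER so you can confirm the published key length. The DER helpers and the `constructed_rsa_spki` sample key are written for this example; the sample key is a dummy modulus of the right size, not a real key pair.

```python
import base64
import binascii

def _der_tlv(tag, value):
    """Encode one DER tag-length-value (only used to build the constructed sample key)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:  # a positive DER INTEGER must not start with its top bit set
        b = b"\x00" + b
    return _der_tlv(0x02, b)

def _der_read(buf, pos):
    """Decode one TLV at pos -> (tag, value, next_pos). Raises ValueError if truncated."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER structure runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Modulus size in bits of a DER SubjectPublicKeyInfo carrying an RSA key."""
    tag, body, _ = _der_read(spki, 0)            # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, after_alg = _der_read(body, 0)         # AlgorithmIdentifier, skipped
    tag, bitstr, _ = _der_read(body, after_alg)  # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_seq, _ = _der_read(bitstr[1:], 0)     # drop unused-bits octet, read RSAPublicKey
    tag, modulus, _ = _der_read(rsa_seq, 0)      # INTEGER n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def constructed_rsa_spki(bits):
    """CONSTRUCTED sample: a SubjectPublicKeyInfo with a dummy modulus of the given size.
    It is not a real key pair and cannot sign anything; it only exercises the checker."""
    modulus = (1 << (bits - 1)) | 1               # top bit set, so bit_length() == bits
    rsa_pub = _der_tlv(0x30, _der_int(modulus) + _der_int(65537))
    rsa_oid = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
    alg_id = _der_tlv(0x30, _der_tlv(0x06, rsa_oid) + _der_tlv(0x05, b""))
    return _der_tlv(0x30, alg_id + _der_tlv(0x03, b"\x00" + rsa_pub))

def split_for_txt(record, chunk=255):
    """Split a record into the <=255-octet strings a single TXT RR can carry."""
    return [record[i:i + chunk] for i in range(0, len(record), chunk)]

def sample_record(bits):
    """Constructed DKIM record for a dummy key of the given size, already split for DNS."""
    key_b64 = base64.b64encode(constructed_rsa_spki(bits)).decode()
    return split_for_txt("v=DKIM1; k=rsa; p=" + key_b64)

def parse_dkim_tags(strings):
    """Concatenate the TXT strings with nothing in between (RFC 6376 section 3.6.2.2)
    and parse the tag=value list; whitespace inside a value is ignored."""
    tags = {}
    for field in "".join(strings).split(";"):
        name, _, value = field.partition("=")
        if name.strip():
            tags[name.strip()] = "".join(value.split())
    return tags

def check_dkim_record(strings):
    """Classify a published DKIM key record -> (status, detail).
    status is 'ok', 'revoked', 'weak-key' or 'permerror'."""
    tags = parse_dkim_tags(strings)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "permerror", "v= must be DKIM1 when present"
    if "p" not in tags:
        return "permerror", "no p= tag: no public key is published for this selector"
    if tags["p"] == "":
        return "revoked", "empty p= means the selector has been revoked"
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return "permerror", "p= is not valid base64 (truncated key or mis-split TXT strings?)"
    key_type = tags.get("k", "rsa")
    if key_type != "rsa":
        return "ok", f"{key_type} key, {len(key)} bytes"
    try:
        bits = rsa_modulus_bits(key)
    except (ValueError, IndexError) as exc:
        return "permerror", f"p= does not decode to an RSA public key: {exc}"
    if bits < 1024:
        return "weak-key", f"{bits}-bit RSA key; RFC 8301 verifiers reject keys under 1024 bits"
    return "ok", f"{bits}-bit RSA key"
```

To use it against a live domain, pass the quoted strings that `dig ... TXT +short` prints, in order, as the list. `check_dkim_record(sample_record(2048))` returns `('ok', '2048-bit RSA key')` from two TXT strings; dropping the second string (`sample_record(2048)[:-1]`, which is what a provider that truncates the record would serve) yields a `permerror` about invalid base64, and `["v=DKIM1; p="]` is reported as a revoked selector.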

Checking the authentication results header

When troubleshooting, always check the Authentication-Results header in the raw email source. This header provides a summary of all authentication checks (SPF, DKIM, DMARC) performed by the receiving server, including the specific reasons for any DKIM failures like dkim=fail or dkim=permerror.

Common causes and advanced troubleshooting

One of the most frequent DKIM failures I encounter is the 'body hash did not verify' error. This means the email content or headers were altered after the message left the signing server. Common culprits include email forwarding services, mailing list archives, or even some antivirus software that modify the email body or headers. To fix this, you need to identify where the alteration is occurring. Another common issue is the 'no key for signature' error (reported by lookup tools as 'DKIM record published: no DKIM record found'), which usually points directly to DNS problems like incorrect selector names or DNS propagation delays. I've also observed failures caused by formatting errors in the DKIM record itself, and temporary errors when the key lookup times out.
Sometimes, the issue isn't with your setup, but with how a receiving mailbox provider interprets your DKIM signature. Microsoft, for example, is known for being particularly sensitive to encoding issues or slight variations in DKIM implementations, sometimes causing random failures. This is why testing across different providers is so important.

Common failure messages

  1. Body hash did not verify: The calculated hash of the email body by the receiving server does not match the hash in the DKIM signature.
  2. No key for signature: The receiving server could not find a public key in DNS for the specified DKIM selector.
  3. Signature did not verify: The cryptographic signature itself is invalid when checked against the public key.
  4. Temporary error (temperror): Indicates a temporary issue, often related to DNS lookup problems or server load.

Root causes

  1. Content alteration: Email content or headers modified by intermediaries (e.g., forwarders).
  2. DNS misconfiguration: Incorrect or missing DKIM TXT record, wrong selector name, or DNS propagation delays.
  3. Invalid key: The public key in DNS does not match the private key used for signing, or the key is expired.
  4. DNS issues: Intermittent DNS server problems, timeouts, or network congestion.
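Reading the Authentication-Results header by hand works for one message, but when a DMARC report points at hundreds of failures it helps to parse the header programmatically and map each verifier reason onto the root causes listed above. The following Python script is an added example, not code from this article or from Suped. It walks every Authentication-Results header in a raw message (one per receiving hop), extracts the dkim= result and its parenthesised reason, assigns a likely root cause from the lists above, and derives the exact `selector._domainkey.domain` name from the DKIM-Signature header so you know what to query with dig. The sample message and the `REASON_MAP` wording are constructed for this example; the reason patterns follow the failure messages this page describes and are not a complete catalogue of what every verifier emits.

```python
import email
import re

# Reason text a verifier places in Authentication-Results, mapped to the root
# causes listed above. Matched case-insensitively; first match wins.
REASON_MAP = [
    (r"body hash", "content alteration: body changed after signing (forwarder, list, AV rewrite)"),
    (r"no key|key not found|no dkim record", "DNS problem: selector record missing or not yet propagated"),
    (r"signature did not verify|bad signature|verification failed",
     "signed headers altered in transit, or the DNS key does not match the signing key"),
    (r"temp|timeout|timed out", "temporary DNS failure: retry and check resolver responsiveness"),
]

# dkim=<result> [(<reason>)] header.x=... up to the next ';'
AR_DKIM_RE = re.compile(r"\bdkim=(?P<result>\w+)(?:\s*\((?P<reason>[^)]*)\))?(?P<props>[^;]*)", re.I)

def diagnose(reason):
    """Map a verifier's reason text to one of the root causes above."""
    for pattern, cause in REASON_MAP:
        if re.search(pattern, reason, re.I):
            return cause
    return "unclassified: compare the received headers and body against the original"

def parse_auth_results(value):
    """Return one dict per dkim= clause in a single Authentication-Results value."""
    authserv = value.split(";", 1)[0].strip()   # the host that performed the check
    clauses = []
    for m in AR_DKIM_RE.finditer(value):
        props = dict(re.findall(r"header\.(\w+)=(\S+)", m.group("props")))
        clauses.append({"authserv": authserv, "result": m.group("result").lower(),
                        "reason": (m.group("reason") or "").strip(), **props})
    return clauses

def dkim_signature_tags(msg):
    """Tag=value pairs of the first DKIM-Signature header (folding whitespace removed)."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {}
    tags = {}
    for field in sig.split(";"):
        name, _, value = field.partition("=")
        if name.strip():
            tags[name.strip()] = "".join(value.split())
    return tags

def triage(raw_message):
    """Walk every Authentication-Results header of a raw message and return one
    finding per dkim= clause, plus the DNS name the verifier had to look up."""
    msg = email.message_from_string(raw_message)
    sig = dkim_signature_tags(msg)
    dns_name = f"{sig['s']}._domainkey.{sig['d']}" if "s" in sig and "d" in sig else None
    findings = []
    for value in msg.get_all("Authentication-Results", []):
        for clause in parse_auth_results(value):
            clause["dns_name"] = dns_name
            clause["diagnosis"] = ("DKIM passed at this hop" if clause["result"] == "pass"
                                   else diagnose(clause["reason"]))
            findings.append(clause)
    return findings

# CONSTRUCTED sample message: the final receiver saw a body-hash failure, while
# the forwarding hop before it had still verified the signature. Not a real capture.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.receiver.example; dkim=fail (body hash did not verify)
 header.i=@sender.example header.s=sel1 header.b=AbCd1234;
 spf=pass smtp.mailfrom=sender.example
Authentication-Results: relay.forwarder.example;
 dkim=pass header.i=@sender.example header.s=sel1 header.b=AbCd1234
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.example;
 s=sel1; h=from:to:subject:date; bh=ConstructedBodyHash=; b=AbCd1234
From: alerts@sender.example
To: someone@receiver.example
Subject: constructed sample for the example

Body text follows.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_MESSAGE):
        print(f"{f['authserv']}: dkim={f['result']} -> {f['diagnosis']} (check {f['dns_name']})")
```

Because the headers are listed newest-first, the first finding is the final receiver's verdict. In the sample the forwarder passed but the receiver reports a body hash mismatch, which is the signature of a hop that rewrote the body after the forwarder had already verified it; that is the pattern to look for when a message passes at Gmail but fails elsewhere.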

Strategic use of mailbox provider feedback and DMARC

Beyond external tools, one of the most effective ways to troubleshoot DKIM is to send test emails to major mailbox providers. I regularly send emails to Gmail and Outlook/Hotmail accounts. Gmail is generally forgiving, making it a good first check. If Gmail passes, but other providers fail, it helps narrow down the problem. Microsoft's systems are often more sensitive, meaning they can reveal subtle DNS or encoding issues that other providers might overlook. If your emails are failing there, it's a strong indicator of a deeper problem. Historically, the Port25 auto-responder was also a popular tool for automated authentication checks.
For a holistic view, DMARC aggregate reports are indispensable. These reports provide a summary of your email authentication results from various mailbox providers, showing the percentage of emails that passed or failed SPF and DKIM. They can help you identify trends, observe sudden dips in DKIM success rates, and spot issues that might not be apparent from individual tests. By analyzing these reports, you can often deduce if a DKIM failure is isolated or a widespread problem affecting your entire sending infrastructure. Tools that parse these DMARC reports simplify the process significantly.

Maintaining DKIM health and preventing future failures

Prevention is always better than cure. Regular monitoring of your DKIM records and DMARC reports is key to catching issues before they escalate. Automated monitoring services can alert you to changes in your DNS records or sudden drops in DKIM authentication rates. Additionally, ensure your DKIM keys are of adequate length (preferably 2048-bit) and rotated periodically as a security best practice. While longer keys offer better security, they also result in larger DNS records. It's crucial to ensure your DNS provider supports the full length of the generated key without truncating it, which could lead to authentication failures.
When making any changes to your DNS, remember that propagation can take up to 24-48 hours. It's important to factor this delay into your troubleshooting process, as immediate checks might not reflect the updated records. Always double-check your DNS provider's settings to ensure the DKIM TXT record is correctly formatted and published for the specified selector.

Key practices for DKIM health

  1. Monitor DMARC reports daily: Aggregate reports provide a global view of your email authentication status.
  2. Use strong DKIM keys: Opt for 2048-bit keys for enhanced security, ensuring your DNS provider supports the length.
  3. Regularly rotate keys: Periodically update your DKIM keys to maintain a robust security posture.
  4. Test after changes: Always send test emails and check headers after any DNS or sending configuration changes.

Views from the trenches

Best practices
Always use a public DKIM validator tool to confirm your DNS record is correctly published and accessible.
Regularly send test emails to major mailbox providers like Gmail and Microsoft Outlook to observe DKIM authentication results.
Leverage DMARC aggregate reports to monitor DKIM pass rates over time and identify patterns of failure.
Ensure your DKIM keys are at least 1024-bit, with 2048-bit preferred for stronger security.
Common pitfalls
Forgetting about DNS propagation delays after making changes to your DKIM TXT record.
Not accounting for email forwarding services or mailing lists altering message content, leading to body hash mismatches.
Using an incorrect selector name in your DKIM record or email headers.
Not having a DMARC policy in place to receive reports on DKIM failures.
Expert tips
If DKIM fails with 'signature did not verify', compare the received email's headers and body against the original to identify any modifications.
For 'no key for signature' errors, double-check the DKIM selector used in the email header against the one in your DNS record.
When troubleshooting intermittent failures, consider network latency or DNS server responsiveness issues.
Set up a dedicated mailbox to receive DMARC reports to proactively identify and troubleshoot DKIM failures.
Marketer view
Marketer from Email Geeks says they use MXToolbox for checking DKIM signatures.
2022-07-12 - Email Geeks
Marketer view
Marketer from Email Geeks says they send to a stock RHEL VM with postfix+opendkim in debug mode, which helps catch weird algorithm issues.
2022-07-12 - Email Geeks

Ensuring continued email authentication

Troubleshooting DKIM failures is a crucial skill for anyone managing email deliverability. By systematically checking your DNS records, analyzing email headers, and leveraging both external validation tools and mailbox provider feedback, you can effectively diagnose and resolve most DKIM issues. Remember that a simple guide to DMARC, SPF, and DKIM emphasizes that proper configuration across all three is essential.
Maintaining a robust DKIM setup not only enhances your email security but also significantly improves your inbox placement rates, preventing your emails from being incorrectly flagged as spam or blocklisted (blacklisted). Consistent monitoring and proactive adjustments are key to ensuring your emails consistently reach their recipients, protecting your sender reputation in the long run.
