Suped

How to understand and resolve a DKIM permerror (no key for signature) in email headers?

Summary

A 'DKIM permerror (no key for signature)' in email headers signifies a permanent authentication failure, indicating that the receiving server could not locate the necessary public key in the sender's DNS to validate the email's DKIM signature. This error primarily stems from issues with the published DKIM DNS record, such as it being missing, incorrectly configured, or having a selector that does not match the one used in the email. Resolving this requires verifying and correcting the DKIM public key record in the sending domain's DNS settings.

Key findings

  • Permanent Error: A 'DKIM permerror (no key for signature)' indicates a permanent validation failure, not a temporary DNS issue, because the public key is explicitly missing or incorrectly published in DNS.
  • Public Key Absence: The core problem is the receiving server's inability to find the public key in the sending domain's DNS, which is essential for verifying the email's authenticity.
  • Selector Mismatch or Error: A frequent cause is a mismatch between the 'selector' (s= tag) in the email's DKIM signature and the one specified in the DNS record, or a typo within the selector itself.
  • DNS Record Misconfiguration: Common issues include the DKIM TXT or CNAME record being entirely absent, incomplete, malformed, or containing a typographical error.
  • Client's Responsibility: It is typically the sending domain owner's responsibility to obtain the correct DKIM public key and selector from their Email Service Provider (ESP) and publish it accurately in their DNS.

Key considerations

  • Verify DNS Record: Meticulously check the DKIM TXT or CNAME record in your domain's DNS settings, ensuring it exactly matches the one provided by your Email Service Provider (ESP).
  • Match Selector: Confirm that the 'selector' used in the email's DKIM-Signature header, often found as 's=', precisely corresponds to the selector in your published DNS record, e.g., 'selector._domainkey.yourdomain.com'.
  • Check for Typos: Even small typographical errors in the selector, domain name, or the public key value within the DNS record can lead to this error.
  • DNS Propagation: After making any changes to DNS records, allow sufficient time, typically 24-48 hours, for these changes to propagate across the internet.
  • Use Diagnostic Tools: Employ online DKIM checkers or DNS lookup tools, such as 'dig', to externally verify the presence and correctness of your DKIM record for the specific selector.
  • Consult ESP Guidelines: Refer to your Email Service Provider's documentation for the exact DKIM record hostname and value you need to publish, as these are specific to your sending service.

What email marketers say

10 marketer opinions

A 'DKIM permerror (no key for signature)' appearing in email headers signifies a complete and unrecoverable authentication failure for that message. This specific error indicates that the receiving email server was unable to retrieve the essential public key from the sender's domain name system (DNS), a key component needed to verify the email's digital signature. Most often, this issue stems from a problem with how the DKIM DNS record is published, such as it being absent, containing typos, or the selector used in the email not aligning with the one present in DNS.

Key opinions

  • Critical Verification Failure: This error signifies a complete inability to verify the email's authenticity, as the necessary cryptographic public key cannot be retrieved.
  • DNS Record Integrity: The primary cause is a flawed or absent DKIM DNS record (whether TXT or CNAME) at the specified selector sub-domain.
  • Selector Precision: A frequent trigger is a mismatch between the 'selector' indicated in the email's DKIM-Signature header and the one published in DNS, or an incorrect selector name itself.
  • Key Value Accuracy: Beyond existence, the public key value within the DNS record must precisely match what the email sending service expects and uses for signing.
  • Propagation Timelines: DNS changes, including DKIM record updates, require time for global propagation, during which the error may persist.

Key considerations

  • Examine DNS Record: Rigorously inspect your domain's DNS settings for the DKIM record, confirming its existence, complete entry, and proper formatting, especially if it's a CNAME or TXT type.
  • Confirm Selector Alignment: Ensure the DKIM selector, as indicated in your outgoing email headers (the 's=' tag), precisely corresponds to the selector portion of your published DNS record.
  • Validate Public Key Value: Verify that the public key string within your DNS record exactly matches the key provided by your email service provider, paying close attention to any character discrepancies.
  • Factor in DNS Propagation: Be patient, as updates to DNS records can take up to 48 hours to fully propagate worldwide, meaning the error might persist temporarily after changes are made.
  • Utilize DNS Lookup Tools: Leverage online DKIM validators or command-line tools like 'dig' to externally check if your DKIM record is correctly published and resolvable for the specific selector.
  • Adhere to Service Provider Instructions: Always cross-reference your DNS setup with the specific DKIM configuration instructions provided by your Email Service Provider, as requirements can vary.

Marketer view

Marketer from MXToolbox explains that a DKIM "permerror (no key for signature)" signifies that the receiving server was unable to retrieve a valid public key from the sending domain's DNS for the specific DKIM selector provided in the email's signature. This typically points to issues with the published DKIM DNS record, such as the record not existing, being malformed, or the selector used in the email not matching the one in DNS. Resolving this involves verifying the DKIM public key record in DNS for the correct selector and ensuring it is published accurately.

25 Jan 2025 - MXToolbox

Marketer view

Marketer from Mailtrap Blog describes a DKIM "Permerror: no key for signature" as a permanent failure where the email's DKIM signature cannot be verified because the public key specified by the selector is missing or incorrect in the domain's DNS records. The most common causes are a misconfigured or unpublished DKIM DNS record, a typo in the selector name, or a mismatch between the key provided by the sending service and the one published. Resolution requires checking the DKIM record in DNS, confirming the selector, and ensuring the public key matches what the email sender expects.

25 Apr 2022 - Mailtrap Blog

What the experts say

3 expert opinions

When an email header displays 'DKIM permerror (no key for signature)', it signals a conclusive and permanent failure to authenticate the message. This means the recipient's server was unable to find the public cryptographic key in the sender's Domain Name System (DNS) records, which is crucial for validating the email's unique digital signature. The root cause is invariably a problem with the DKIM public key's DNS publication, such as the record being absent, incorrect, or the specific selector in the email's signature not matching the one published. Resolving this issue falls squarely on the sending domain's owner, who must accurately obtain and publish the necessary public key and its corresponding selector in their DNS.

Key opinions

  • Permanent Authentication Failure: The 'DKIM permerror (no key for signature)' signifies a definitive and permanent failure to authenticate the email, indicating that the required public key is explicitly not available in DNS, not a temporary network issue.
  • Public Key Unlocatable: The core problem is the receiving server's inability to find the specific public key in the sender's DNS that is essential for verifying the email's digital signature.
  • Selector Mismatch: A frequent cause of this error is a mismatch between the 'selector' (s= tag) specified in the email's DKIM signature and the selector under which the public key is published in DNS, or an incorrect selector being used.
  • DNS Record Incorrect: The error directly points to issues with the DKIM DNS record itself, such as it being missing, incomplete, containing incorrect information, or not being properly published.
  • Domain Owner's Duty: It is the sending domain owner's responsibility to obtain the correct DKIM public key and selector from their Email Service Provider and ensure its accurate and proper publication in their domain's DNS records.

Key considerations

  • DNS Record Verification: Thoroughly check your domain's DNS settings for the DKIM public key record, confirming its presence, accurate values, and absence of typographical errors.
  • Selector Alignment Check: Confirm that the 'selector' value, visible as 's=' in your email's DKIM-Signature header, accurately matches the selector portion of your DKIM record published in DNS.
  • ESP Key Retrieval: Obtain the precise DKIM public key and selector information directly from your Email Service Provider, as these details are unique to their service and your configuration.
  • Diagnostic Tool Use: Utilize online DKIM validation tools or command-line DNS lookups to externally verify that your public key is correctly published and accessible via DNS for the specified selector.
  • Recognize Permanent Nature: Understand that a 'permerror' is a persistent issue requiring a fix to your DNS setup, and it's not a temporary problem or a misdiagnosis by your ESP.

Expert view

Expert from Email Geeks explains that a "dkim=permerror (no key for signature)" in email headers signifies a permanent error because there is no public key published in DNS, directly contradicting a claim of it being a temporary DNS issue. Laura advises how to test if the key is in DNS using an authentication tool, details how to find the selector (s=) and domain (d=) values in email headers, and clarifies that the client's ESP is wrong if they state there is no issue. She stresses that the client needs to obtain the DKIM public key from their ESP and publish it in their DNS, providing an example of a public key format, and confirms this is the client's responsibility to fix.

19 Jan 2024 - Email Geeks

Expert view

Expert from Spam Resource explains that a "DKIM permerror (no key for signature)" occurs when the receiving server cannot locate the public key in DNS for the specified DKIM selector. This typically means the sender's DNS record for the public key is either missing, incorrectly published, or has an error in the selector used in the signature. To resolve this, the sending domain's DNS records for DKIM should be thoroughly checked to ensure the correct public key is published under the right selector.

22 Jun 2025 - Spam Resource

What the documentation says

5 technical articles

A 'DKIM permerror (no key for signature)' in email headers indicates that the recipient server failed to locate the necessary public key within the sender's DNS records, preventing the verification of the email's digital signature. This issue universally points to a misconfiguration in the domain's DKIM DNS entry, such as the record being absent, incorrect, or containing a selector that does not precisely match the one used in the email's signature.

Key findings

  • Public Key Retrieval Failure: This error signifies that the receiving server actively tried but could not retrieve the corresponding public key from the sender's DNS for the specific selector included in the email signature.
  • Selector-Key Dependency: The selector within the DKIM signature is crucial; it directs the receiving server to the exact location in DNS where the public key should be found, making its accuracy paramount.
  • DNS Record Discrepancies: The problem typically originates from inaccuracies in the DNS record, including records being entirely missing, having incorrect hostnames, or containing typos in the public key string itself.
  • Provider-Specific Implementations: While the core issue is universal, specific email service providers, such as Microsoft or Postmark, might require different DNS record types, like CNAME versus TXT, or particular formats for their DKIM keys.
  • Propagation Time Criticality: Even correctly configured records require sufficient time for DNS changes to propagate across the internet before they become discoverable and verifiable by all receiving mail servers.

Key considerations

  • Verify DNS Records Meticulously: Double-check the DKIM record, whether TXT or CNAME, in your domain's DNS settings. Ensure every character of the hostname (including the selector) and the public key value precisely matches what your email service provider supplies.
  • Confirm Selector Consistency: Ensure the selector string, often found as 's=' in the email header's DKIM signature, exactly corresponds to the selector used in your DNS record's hostname, such as 'selector._domainkey'.
  • Consult ESP Specifics: Always refer to your email service provider's or host's documentation, like Google Workspace, Microsoft 365, Postmark, cPanel, or Cloudflare, for the exact DKIM record details and recommended setup procedures.
  • Allow for DNS Propagation: After publishing or updating your DKIM record, understand that it can take up to 24-48 hours for changes to fully propagate globally, during which the error might intermittently persist.
  • Utilize DNS Zone Editor: Access your domain's DNS management interface, such as cPanel's DNS Zone Editor or Cloudflare's DNS settings, to directly inspect and modify the DKIM record, paying close attention to hostname and value accuracy.
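
The lookup these checklists describe, as an added example (not code from this page or from any provider it cites): it reads s= and d= from a DKIM-Signature header, builds the selector._domainkey name a receiver queries, and classifies the TXT answer. The header, the dictionary standing in for DNS, the key fragment and the result labels are all constructed for illustration.

```python
import re

def parse_tags(value):
    """Parse DKIM tag=value syntax (shared by the header and the DNS record)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)      # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(signature_header):
    """DNS name a verifier queries for the key: <s=>._domainkey.<d=>."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def diagnose(txt_strings):
    """Classify a TXT answer; None or [] means nothing is published at the name.
    The returned labels are this example's own wording, not verifier output."""
    if not txt_strings:
        return "no key: nothing published at this name"
    record = parse_tags("".join(txt_strings))  # long keys span several strings
    if record.get("v", "DKIM1") != "DKIM1":
        return "malformed: v= is not DKIM1"
    if "p" not in record:
        return "malformed: no p= tag"
    if record["p"] == "":
        return "revoked: p= is empty"
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", record["p"]):
        return "malformed: p= is not base64"
    return "ok"

def check(signature_header, zone):
    """zone is a dict standing in for DNS: name -> list of TXT strings."""
    name = key_query_name(signature_header)
    return name, diagnose(zone.get(name))

# Constructed sample: the message is signed with selector mail2024 ...
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024;\r\n"
    "\th=from:to:subject:date; bh=Y29uc3RydWN0ZWQ=;\r\n"
    "\tb=Y29uc3RydWN0ZWQtc2lnbmF0dXJl"
)
# ... but the key (a constructed fragment, not a real key) sits under mail2023.
SAMPLE_ZONE = {"mail2023._domainkey.example.com":
               ["v=DKIM1; k=rsa; p=MIIBIjANBgkq", "hkiG9w0BAQEFAAOCAQ8A"]}

if __name__ == "__main__":
    print(check(SAMPLE_HEADER, SAMPLE_ZONE))
```

Against a live domain, pass the strings returned by `dig +short TXT <name>` (with the surrounding quotes removed) to `diagnose` in place of the dictionary lookup.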

Technical article

Documentation from Google Workspace Admin Help explains that a DKIM "no key for signature" error often indicates that the receiving server cannot find the public key associated with the signature's selector in the sending domain's DNS. This could be due to an incorrectly published DKIM record, a typographical error in the selector, or the record not having propagated fully. To resolve this, verify the DKIM record's presence and correctness in DNS, ensuring the selector matches what the sending server uses.

31 Mar 2025 - Google Workspace Admin Help

Technical article

Documentation from Microsoft Docs indicates that a "DKIM permerror (no key for signature)" when sending from Exchange Online or similar services signifies that the public key needed to verify the DKIM signature could not be found in the sender's DNS records. This often happens if the CNAME record pointing to the correct DKIM key is incorrect, missing, or has not propagated. Administrators should verify the DKIM CNAME records for their domains, ensuring they match the values provided by Microsoft 365, and allow for DNS propagation time.

19 Mar 2024 - Microsoft Docs
