Is DKIM signature case-sensitive and what causes DKIM tester errors?

Key findings

• Case sensitivity in tags: According to RFC 6376, the standard that defines DKIM signatures, tags within the signature MUST be interpreted in a case-sensitive manner. This applies to the tags themselves, not necessarily their values in all contexts.
• DNS records are not case-sensitive: While the DKIM signature's internal tags have case sensitivity, the domain names within the DNS records used for DKIM are typically not case-sensitive.
• Tester inconsistencies: Many DKIM validation errors reported by online testers are due to bugs or strict interpretations within the tools themselves, rather than actual failures by major inbox providers like Gmail.
• Domain and identity mismatches: A common tester bug involves failures when the domain in the `d=` tag (signing domain) and the `i=` tag (Agent or User Identifier) differ in case. For more on related issues, see our guide on fixing DKIM body hash failures.

Key considerations

• Trust real-world results: If emails pass DKIM validation with major mailbox providers (like Gmail, Yahoo, Outlook) but fail with a specific online tester, it's often a sign of a bug in the tester, not a misconfiguration on your end. Consider sending a test email and checking the email deliverability tester to view authentication results.
• Consult the RFC: For definitive answers on DKIM protocol specifications, always refer to the official RFC 6376 documentation.
• Standardization is key: Ensure consistency in your DKIM records and email headers to minimize potential issues, even if some systems are more forgiving than others.
• Troubleshooting methodology: When encountering DKIM errors, systematically check your DNS record, email headers, and then compare results across multiple receiving mail servers before concluding a tester is faulty.

Key opinions

• Tester specific issues: Many marketers report that a DKIM failure on one specific tester, like 'About My Email', does not necessarily translate to a failure with actual mailbox providers. This implies the tester might have unique sensitivities.
• Real-world validation: The most reliable test for DKIM (or any authentication) is to send mail to major ISPs (Internet Service Providers) such as Gmail, Outlook, or Yahoo and check their 'Authentication-Results' headers.
• SPF vs. DKIM priority: Some marketers note instances where their email seems to rely solely on SPF authentication, even when DKIM should also be present, suggesting potential issues in how their mail server handles DKIM signing.
• Message modifications: Even subtle alterations to email messages after signing can cause DKIM failures, although this is usually detected by all verifiers. This sensitivity makes DKIM robust against phishing, as explored in articles like Unintentional DKIM failures.

Key considerations

• Cross-platform testing: Always test your DKIM setup by sending emails to multiple major mailbox providers (e.g., Gmail, Outlook, Yahoo) to get a comprehensive view of how your emails are authenticated.
• Examine authentication headers: Learn how to access and interpret the 'Authentication-Results' header in emails received by different ISPs. This header provides definitive information on SPF, DKIM, and DMARC pass/fail status. For more on this, check our guide on how to troubleshoot DKIM failures.
• Verify DKIM keys and selectors: Ensure your DKIM key and selector (used in the DNS record) are correctly configured and match what your email service provider is using. You can find a list of common DKIM selectors here.

Key opinions

• DNS is not case sensitive: Experts confirm that while DKIM tags might have case-sensitive requirements, the underlying DNS system where DKIM records reside is inherently case-insensitive.
• Tester bugs are common: Several experts suggest that a DKIM failure reported by an online tester, especially if not replicated by major email providers, is likely a bug in the tester itself. This aligns with observations about validation tools sometimes showing errors for valid DKIM records.
• Prioritize authentication-results: The authoritative source for DKIM validation status is the Authentication-Results header provided by the recipient mail server.
• Case sensitivity in specific fields: One specific bug identified by an expert pointed to a tester failing if the domain in the `d=` tag and the `i=` tag differed only in case. This pinpoints a very specific scenario that could lead to false negatives.

Key considerations

• Don't overreact to single tester errors: If you're not seeing DKIM failures across multiple validation points, especially actual recipient mailboxes, a single tester's error should be investigated as a potential bug rather than a critical deliverability issue. This is particularly true if you are experiencing DKIM permerror on specific platforms like Yahoo Mail.
• Seek header analysis: When in doubt, request the raw email headers from a 'real' email delivery to a major provider. These headers contain the definitive authentication results.
• Debugging tester code: Experts with access to tester code can sometimes identify and fix specific bugs, as demonstrated in the provided Slack discussion.
• General DKIM troubleshooting: If you are consistently seeing DKIM failures across multiple providers, consider common issues like why DKIM fails and how to fix it, including DNS record problems or email content modifications.

Key findings

• Tag interpretation: RFC 6376, Section 3.4, explicitly states that tags within the DKIM-Signature header field MUST be interpreted in a case-sensitive manner. If a tag is not recognized, it should be ignored.
• Signature syntax errors: A verifier is instructed to return a PERMFAIL (permanent failure) with a 'signature syntax error' if a required tag is missing or malformed.
• Header field processing: The RFC details how header fields should be processed, including canonicalization rules, which dictate how variations in whitespace or case in header values might affect the calculated hash.
• Canonicalization matters: The chosen canonicalization algorithm (simple or relaxed) impacts how sensitive the signature verification is to changes in whitespace and case within the email's header and body. This directly impacts potential DKIM body hash mismatch failures.

Key considerations

• Strict adherence: While some systems might be more lenient, best practice dictates strict adherence to the RFC's case-sensitivity requirements for DKIM signature tags to ensure universal compatibility and validation. This is particularly relevant when dealing with complex OpenDKIM validation issues.
• RFC 6376 is the source of truth: Any discrepancies found in testers or perceived behavior should always be cross-referenced with the official DKIM Signatures RFC 6376 to confirm the correct implementation.
• Impact on debugging: When troubleshooting, understanding the protocol's explicit rules, including case sensitivity for tags, helps pinpoint the exact cause of validation failures, whether it's a misconfiguration or a faulty tool.