Why does MXToolBox say my DKIM Signature is not verified?

Key findings

• Tool discrepancies: MXToolBox might show a DKIM signature as unverified even when other authentication tools confirm it is valid.
• Header formatting: Issues can arise from stray whitespace or header unfolding problems in the email's raw header, which MXToolBox's checker may misinterpret.
• DNS record syntax: If the DNS record itself is syntactically correct and other tools pass it, the issue is likely with the specific testing method.
• Contextual validation: Real-world deliverability (emails landing in inboxes) is a more accurate indicator than a single tool's report.

Key considerations

• Cross-check results: Always verify your DKIM status with multiple tools. This helps determine if the issue is widespread or specific to one checker. Our email deliverability checker can provide a second opinion.
• Examine raw headers: If you're seeing issues, inspect the raw email headers for any anomalies or unusual formatting that might confuse verification tools.
• DNS record length: For long DKIM strings, ensure your DNS provider handles them correctly by segmenting them with quotes. This is standard practice and should not cause issues.
• Monitor deliverability: Focus on actual email delivery rates and inbox placement. If emails are reaching recipients without problems, a single tool's error might be negligible. Find out why your emails are going to spam.

Key opinions

• Tool limitations: Many marketers have observed that MXToolBox can sometimes report false negatives for DKIM, suggesting a potential glitch or sensitivity in its checker.
• Trusting other tools: If other reputable DKIM validation tools (like Email Stuff or Red Sift) show your DKIM as valid, marketers tend to trust those results more.
• Focus on outcome: The primary concern for marketers is whether emails are being delivered to the inbox without issues, not necessarily if every single tool gives a perfect green light.
• Header sensitivity: Some attribute the issue to subtle formatting errors or stray characters in the email header itself, which might be a copy-paste error into the tool.

Key considerations

• Multiple validations: Always use more than one validation tool to get a comprehensive view of your DKIM setup. Our email deliverability tester can assist.
• Real-world testing: Send test emails to various providers (Gmail, Outlook, Yahoo) and check the raw headers within those clients to confirm DKIM pass statuses directly.
• DNS configuration: Ensure your DNS TXT record for DKIM is correctly formatted, even if it requires breaking the string into segments for longer keys. Consult our guide on common DKIM selectors.
• Ignoring minor warnings: If all other indicators point to a healthy email setup and deliverability, some marketers advise not to over-stress about an isolated false positive from a single tool.

Key opinions

• Whitespace sensitivity: A common expert opinion is that tools like MXToolBox can be overly sensitive to stray whitespace or header unfolding issues when analyzing email headers, leading to false negatives.
• DNS record versus signature: Experts differentiate between the DKIM DNS record being correct (which most tools agree on) and the email's actual DKIM signature potentially having an issue as seen by only one tool.
• Testing environment impact: The specific method or environment used by a testing tool can influence its results, sometimes leading to reports that don't reflect real-world email authentication.
• Actual deliverability is key: If emails are being successfully delivered and authenticated by major mailbox providers, the specific warnings from a single tool are often not a cause for alarm.

Key considerations

• Investigate header purity: When an issue is reported, carefully check the raw email header for any extraneous characters or incorrect line breaks that might interfere with signature validation by tools.
• Consult DMARC reports: DMARC aggregate and forensic reports provide a comprehensive overview of how ISPs are validating your DKIM signatures. These reports are often more reliable than single-point checkers. Use our guide to understanding DMARC reports.
• Review signing process: If the issue persists across multiple tools, review the email sending platform's DKIM signing process to ensure the correct domain and selector are being used. You can also review why DKIM fails for Outlook.com.
• Consider tool's purpose: Recognize that validation tools perform specific checks; a 'not verified' status might highlight a technical nuance that doesn't universally impede deliverability. For example, some validators might struggle with specific cryptographic hash arguments.

Key findings

• Standard compliance: DKIM (RFC 6376) specifies how email signatures are created and verified. Any deviation, even subtle, can cause verification failures.
• Header canonicalization: The DKIM specification includes canonicalization algorithms (simple and relaxed) to handle minor variations in email headers and body content, minimizing the impact of whitespace and line folding. Problems with this can lead to DKIM body hash mismatch failures.
• DNS record format: DKIM public keys are stored as TXT records in DNS. Long keys are typically split into multiple string literals, which DNS resolvers concatenate. This process is standard and supported by DNS. Learn more about decoding DKIM temperror.
• Key size and algorithms: The RFC specifies acceptable key lengths (e.g., 1024-bit or 2048-bit) and hashing algorithms (e.g., rsa-sha256). Some older systems or specific validators might have preferences or limitations regarding these.

Key considerations

• Strict canonicalization: Although relaxed canonicalization is often used, ensuring your email sending system generates headers and bodies as cleanly as possible, even adhering to strict canonicalization, can reduce parsing issues by various tools.
• DNS propagation: After setting up or modifying a DKIM record, allow sufficient time for DNS propagation. Tools might report unverified status if they query a DNS server that hasn't updated yet. You can see how to verify SPF, DKIM, and DMARC.
• Tool limitations vs. RFC: Understand that a tool's failure report doesn't always mean your setup violates the RFC. It could mean the tool itself has a limitation or a slightly different interpretation of the standard.
• AWS specific CNAMEs: For services like Amazon SES, specific CNAME records are required for DKIM verification. Verify that these are correctly entered if using such providers.