DKIMPROBLEM.com: DKIM Record Analysis

Common DKIM Problems

DKIM failures are usually caused by unsigned mail, missing selector records, malformed public keys, message changes after signing, or signing domains that do not align with the visible From address.

| Problem | What Happens | Typical Cause |
| --- | --- | --- |
| No DKIM signature | Message is unsigned | Sending system is not configured to sign mail. |
| No DKIM record | Verification fails | Selector DNS record does not exist. |
| Wrong selector | Public key not found | Sending server uses an incorrect selector name. |
| Incorrect public key | Signature verification fails | DNS contains the wrong public key. |
| Private/public key mismatch | DKIM returns fail | Private key does not match the published public key. |
| Corrupted DNS record | Verification fails | Public key was copied incorrectly or truncated. |
| Invalid DKIM syntax | Verification error | Malformed DKIM TXT record. |
| Expired signature | Verification may fail | The x= tag has passed. |
| Future timestamp | Signature rejected | The t= timestamp is in the future because of clock issues. |
| Clock skew | Unexpected failures | Sending server clock is inaccurate. |
| Message modified in transit | Signature fails | Headers or body changed after signing. |
| Mail gateway altered message | Signature invalid | Security gateway rewrites headers or body. |
| Mailing list modifications | DKIM often fails | Footer added or subject modified. |
| Line wrapping changes | Body hash mismatch | Long lines reformatted by an intermediate system. |
| Whitespace changes | Body hash mismatch | Canonicalisation does not tolerate the modification. |
| Incorrect canonicalisation | Verification fails | Sender chose unsuitable simple or relaxed canonicalisation options. |
| Body truncated | Body hash mismatch | Message cut short during delivery. |
| Header rewritten | Header hash mismatch | Signed headers altered after signing. |
| Missing signed headers | Verification error | Required headers removed. |
| Duplicate headers | Unexpected verification results | Multiple copies of signed headers. |
| Selector rotated too early | Old mail fails | Old selector removed before messages finished delivering. |
| Weak key length | Treated as insecure | 512-bit keys or short RSA keys. |
| Unsupported algorithm | Verification ignored | Obsolete algorithms used. |
| DNS lookup failure | Temporary verification error | Public key cannot be retrieved. |
| DNS timeout | Temporary failure | Resolver unable to fetch selector. |
| DNSSEC issues | Temporary failure | DNS validation problems. |
| Oversized DNS record | Key not retrieved correctly | Public key exceeds DNS limits or is not split correctly. |
| CNAME issues | Key lookup fails | Incorrect use of CNAMEs for selectors. |
| TXT formatting errors | Key parsing fails | Quotes or spaces incorrect. |
| Multiple selector records | Unexpected behavior | Conflicting DNS records. |
| Using old selector | Verification fails | Mail server not updated after key rotation. |
| Missing key rotation | Security weakness | Same DKIM key used indefinitely. |
| Compromised private key | Signatures cannot be trusted | Key leaked or stolen. |
| Multiple DKIM signatures | One or more fail | Normal when multiple services sign, but can be confusing. |
| Third-party service not signing | Missing authentication | Marketing or CRM platform not configured for DKIM. |
| Alignment failure | DMARC fails despite valid DKIM | Signing domain does not align with the visible From domain. |
| Using default vendor domain | Poor alignment | Mail signed as vendor.com instead of your domain. |

A DKIM record can look correct in DNS while real messages still fail if the sending system uses the wrong selector, the private key does not match, or the message is modified after signing.

Best Practices

  • Use 2048-bit RSA keys where supported.
  • Rotate DKIM keys periodically, for example every 6 to 12 months.
  • Leave old selectors published for a period after rotation so delayed messages can still verify successfully.
  • Use relaxed/relaxed canonicalisation unless you have a specific reason not to.
  • Ensure the DKIM signing domain aligns with the visible From domain if you use Domain-based Message Authentication, Reporting, and Conformance (DMARC).
  • Monitor DKIM failures through DMARC aggregate reports.
  • Test from multiple mail providers after any DKIM change.
  • Protect private keys carefully and restrict access to the signing server.

For a DKIM checking tool, findings can be grouped into Signing Problems, DNS Problems, Cryptographic Problems, Message Integrity Problems, Alignment Problems, Operational Warnings, and Temporary Errors.
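As an added example, and not code from the DKIMPROBLEM.com tool, the Python checker below applies several of the checks from the problem table and the best-practice list (record syntax, corrupted or truncated p= values, key length, obsolete algorithms, expired or future timestamps, From alignment) to a selector TXT record and a DKIM-Signature header value, and labels each finding with one of the groups named in the sentence above. Everything in it is constructed for illustration: sample_rsa_p builds a structurally valid but unusable placeholder key so the key-length check can be exercised offline, CLOCK_SKEW is an assumed tolerance, and the alignment test is a simplified relaxed comparison (same domain or a subdomain) rather than a public-suffix-based organizational-domain lookup.

```python
import base64
import re
import time

# Finding groups as named on the page; CLOCK_SKEW is an assumed tolerance, not from the page
DNS, CRYPTO, SIGNING, ALIGNMENT, OPERATIONAL = ("DNS Problems", "Cryptographic Problems",
                                                 "Signing Problems", "Alignment Problems", "Operational Warnings")
CLOCK_SKEW = 300  # seconds a t= value may run ahead of the verifier before it is flagged

def parse_tags(text):
    """Parse a DKIM tag=value list; folding whitespace inside values is dropped (RFC 6376)."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def _der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample key below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_rsa_p(bits):
    """Constructed p= value: a well-formed SubjectPublicKeyInfo with a placeholder modulus of `bits` bits."""
    ints = b""
    for v in ((1 << (bits - 1)) | 1, 65537):  # placeholder modulus and the usual exponent
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        ints += _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, ints)))
    return base64.b64encode(spki).decode()

def _tlv(buf, i, tag):
    """Return (content offset, length) of the DER element at buf[i]; rejects wrong tags and truncation."""
    if buf[i] != tag:
        raise ValueError("unexpected DER tag")
    off, n = i + 2, buf[i + 1]
    if n >= 0x80:
        k = n & 0x7F
        off, n = off + k, int.from_bytes(buf[off:off + k], "big")
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return off, n

def rsa_modulus_bits(spki):
    """Read the RSA modulus size out of a DER SubjectPublicKeyInfo (the decoded p= value)."""
    i, _ = _tlv(spki, 0, 0x30)          # SubjectPublicKeyInfo
    j, n = _tlv(spki, i, 0x30)          # AlgorithmIdentifier, skipped
    i, _ = _tlv(spki, j + n, 0x03)      # BIT STRING wrapping RSAPublicKey
    i, _ = _tlv(spki, i + 1, 0x30)      # RSAPublicKey, after the unused-bits octet
    i, n = _tlv(spki, i, 0x02)          # INTEGER modulus
    return int.from_bytes(spki[i:i + n], "big").bit_length()

def check_txt_record(record):
    """Findings for a published selector record, as (group, message) pairs."""
    tags, findings = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append((DNS, "invalid DKIM syntax: v= must be DKIM1"))
    if "p" not in tags:
        return findings + [(DNS, "invalid DKIM syntax: p= tag missing")]
    if tags["p"] == "":
        return findings + [(OPERATIONAL, "key revoked: empty p= value")]
    try:
        spki = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return findings + [(DNS, "corrupted DNS record: p= is not valid base64")]
    ktype = tags.get("k", "rsa")
    if ktype == "rsa":
        try:
            bits = rsa_modulus_bits(spki)
        except (IndexError, ValueError):
            return findings + [(CRYPTO, "incorrect public key: p= is not a complete DER RSA key")]
        if bits < 1024:
            findings.append((CRYPTO, f"weak key length: {bits}-bit RSA"))
    elif ktype != "ed25519":
        findings.append((CRYPTO, f"unsupported key type: {ktype}"))
    return findings

def check_signature(header, from_domain, now=None):
    """Findings for a DKIM-Signature value against the visible From domain. Alignment is a
    simplified relaxed check (same domain or a subdomain); a real verifier uses the organizational domain."""
    now = int(time.time()) if now is None else now
    tags, findings = parse_tags(header), []
    if tags.get("a") not in ("rsa-sha256", "ed25519-sha256"):
        findings.append((CRYPTO, f"unsupported or obsolete algorithm: {tags.get('a')}"))
    if "from" not in tags.get("h", "").lower().split(":"):
        findings.append((SIGNING, "From header is not covered by h="))
    if tags.get("x", "").isdigit() and int(tags["x"]) < now:
        findings.append((SIGNING, "expired signature: x= is in the past"))
    if tags.get("t", "").isdigit() and int(tags["t"]) > now + CLOCK_SKEW:
        findings.append((SIGNING, "future timestamp: t= is ahead of the verifier clock"))
    d, f = tags.get("d", "").lower(), from_domain.lower()
    if not (d == f or d.endswith("." + f) or f.endswith("." + d)):
        findings.append((ALIGNMENT, f"signing domain '{d}' does not align with From domain '{f}'"))
    return findings
```

The checker deliberately stops at what can be decided from the record text and the header alone: it does not resolve the selector in DNS, so the Temporary Errors group (lookup failures, timeouts, DNSSEC problems) never appears, and it does not recompute the body hash or verify the b= value, so the Message Integrity group is also out of scope. Feeding it the TXT data returned for selector._domainkey.<domain> and the DKIM-Signature value of a failing message is enough to separate a malformed or weak key, an obsolete algorithm, a timestamp problem and a vendor-domain alignment failure from each other before any cryptographic verification is attempted.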