DKIM Failure: Invalid Email Signature
An invalid DKIM signature can make recipients doubt your emails' authenticity.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails, proving they come from your domain and haven't been modified in transit. When DKIM fails, receiving servers record "dkim=fail" in the headers and may treat your emails as suspicious. Common causes are a missing or incorrect public key in DNS, a signature broken by an intermediate relay, a wrong selector, or an expired key. DKIM is essential for DMARC and for your sending reputation.
Symptoms of DKIM Failure
- Email headers show "dkim=fail" or "dkim=neutral"
- DMARC reports indicate DKIM failures
- Some recipients reject your emails or classify them as spam
- mail-tester.com tests show a DKIM problem
Causes of DKIM Failures
- Missing DNS key: The TXT record for the DKIM selector doesn't exist or was deleted.
- Wrong selector: The email references a different selector than configured in your DNS.
- Modified content: An intermediate relay (mailing list, forward) modified the body or signed headers, breaking the signature.
DKIM Diagnosis
- Find the selector in the email headers: look for "s=" in the DKIM-Signature header.
- Check record: dig TXT selector._domainkey.example.com
- Validate with dkimvalidator.com or mail-tester.com
- Verify your mail server correctly signs outgoing emails.
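The first two diagnosis steps can be scripted. The following is an added example, not MoniTao code: it reads the selector (s=) and domain (d=) from a message's DKIM-Signature header, builds the name to query, and classifies a TXT answer in the form dig prints it. The message, the zone contents and all function names are constructed for illustration, and the p= values are not real keys.

```python
import base64
import binascii
import email
import re

def parse_tags(value):
    """Split a DKIM tag=value list (signature header or key record) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def lookup_names(raw_message):
    """DNS names to query, one per DKIM-Signature header: <s>._domainkey.<d>."""
    msg = email.message_from_string(raw_message)
    sigs = [parse_tags(h) for h in msg.get_all("DKIM-Signature", [])]
    return [f"{t['s']}._domainkey.{t['d']}" for t in sigs if "s" in t and "d" in t]

def check_record(dig_answer):
    """Classify one TXT answer as printed by dig (None when the name has no record)."""
    if dig_answer is None:
        return "missing"
    # Long keys are split into several quoted strings; join them before parsing.
    tags = parse_tags("".join(re.findall(r'"([^"]*)"', dig_answer)))
    if "p" not in tags or tags.get("v", "DKIM1") != "DKIM1":
        return "not a DKIM key record"
    if tags["p"] == "":
        return "revoked"  # an empty p= means the key was withdrawn
    try:
        base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return "malformed key"
    return "ok"

# Constructed sample data: not real mail, and the p= values are not real keys.
MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com;\n"
    "\ts=s202401; h=from:subject; bh=AAAA; b=AAAA\n"
    "From: sender@example.com\n\nbody\n"
)
# Stand-in for dig answers: DNS still publishes last year's selector only.
ZONE = {"s202301._domainkey.example.com": '"v=DKIM1; k=rsa; " "p=QUJDRA=="'}

def diagnose(raw_message, zone):
    """Pair each name the message asks for with the verdict on its record."""
    return [(n, check_record(zone.get(n))) for n in lookup_names(raw_message)]
```

Here the mail is signed with selector s202401 while DNS only publishes s202301, so the lookup comes back "missing" even though a valid key exists under the other selector.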
DKIM Monitoring with MoniTao
MoniTao monitors your DKIM records:
- Alert if DKIM record disappears or changes
- Verification of public key presence
- Monitoring multiple selectors if you use them
Robust DKIM
- Use keys of at least 2048 bits for security
- Plan annual key rotation with dated selectors (s202401)
- Keep the old key active for 1-2 weeks during rotation
- Configure DKIM for each sending service (transactional, marketing, etc.)
FAQ - DKIM Fail
Why does DKIM fail after forwarding?
Forwarding can modify content (footer, headers), breaking the signature. This is normal, and ARC (Authenticated Received Chain) tries to solve it.
Can I have multiple DKIM selectors?
Yes, it's recommended. Each sending service can have its selector, making rotation and debugging easier.
How to generate a DKIM key?
Your mail server or email service usually does it for you. Otherwise, openssl can generate the public/private key pair.
Does DKIM protect against phishing?
Partially. DKIM proves origin but not intent. Combined with DMARC, it prevents spoofing of your domain.