DKIM Troubleshooting: Fix Common Issues
DKIM signature failures? DNS errors? Authentication issues? This guide provides step-by-step solutions to the most common DKIM problems you'll encounter.
Common DKIM Errors
1. DKIM Signature Failed (dkim=fail)
The most common DKIM error. A DKIM-Signature header is present, but verification fails: either the body hash (bh=) no longer matches the body, or the signature (b=) no longer matches the signed headers. Almost always the message was modified after it was signed; a wrong or stale key in DNS produces the same result.
How to diagnose:
- Check DMARC aggregate reports for failing IP addresses
- Look for pattern: Do failures come from one source?
- Test email directly (not through mailing list/forwarder)
- Recompute the body hash from the message source and compare it with the bh= tag: a bh= mismatch means the body changed in transit; a matching bh= with dkim=fail means a signed header (typically Subject or From) changed, or the key in DNS is wrong
Solutions:
- If failures come from mailing lists: lists that add a subject tag or a footer break the signature and the sender cannot prevent it. Such lists should apply ARC or rewrite From; their IPs will show up as DKIM failures in your DMARC reports. Do not use the l= body-length tag as a workaround: it lets anyone append content under your signature.
- If failures come from forwarders: SRS repairs SPF after forwarding, not DKIM. DKIM survives forwarding as long as the forwarder leaves the signed headers and the body untouched; ARC lets the final receiver trust the forwarder's own verification result when it does not.
- Ensure your own mail server isn't modifying content after signing (disclaimer footers, MIME rewriting, a content filter that runs after the DKIM milter)
- Use relaxed canonicalization (c=relaxed/relaxed) so whitespace changes and header re-wrapping don't break the signature; it does not tolerate added or removed text
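A body-hash check is the quickest way to tell "the body was changed" from "the key is wrong". The following is an added example for this guide, not tooling from the page or its author: it canonicalizes a message body per RFC 6376, recomputes bh= and compares it with the value in the DKIM-Signature header, then runs the same check after a constructed mailing-list footer and a constructed whitespace-rewrapping relay. The domain, selector, message text and the dummy b= value are all made up for the example.

```python
"""Recompute a message's DKIM body hash (bh=) and compare it with the value the
signer recorded.  Added example for this guide (not the page's own tooling);
the message, domain and selector below are constructed for illustration."""
import base64
import hashlib
import re


def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 section 3.4: 'simple' only drops
    trailing empty lines; 'relaxed' also strips trailing whitespace and
    collapses runs of spaces/tabs inside a line."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    while lines and lines[-1] == b"":          # ignore empty lines at the end
        lines.pop()
    if not lines:                                # empty body: CRLF (simple) or "" (relaxed)
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def parse_dkim_signature(value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def body_hash(body: bytes, tags: dict) -> str:
    """The bh= value a signer produces for this body under the header's c=, a= and l= tags."""
    modes = tags.get("c", "simple/simple").split("/")
    body_mode = modes[1] if len(modes) == 2 else "simple"   # "c=relaxed" alone: body stays simple
    algo = "sha1" if tags.get("a", "").endswith("sha1") else "sha256"
    canon = canon_body(body, body_mode)
    if "l" in tags:                  # body-length limit: only the first l bytes are covered
        canon = canon[: int(tags["l"])]
    return base64.b64encode(hashlib.new(algo, canon).digest()).decode()


def split_message(raw: bytes):
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def dkim_header_value(head: bytes) -> str:
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode()   # undo header folding
    for line in unfolded.split("\r\n"):
        if line.lower().startswith("dkim-signature:"):
            return line.split(":", 1)[1]
    raise ValueError("no DKIM-Signature header")


def check_body_hash(raw: bytes) -> dict:
    """What a verifier does before touching DNS: does bh= still match the body?"""
    head, body = split_message(raw)
    tags = parse_dkim_signature(dkim_header_value(head))
    computed = body_hash(body, tags)
    return {"dns_name": f"{tags['s']}._domainkey.{tags['d']}",   # the key record to dig
            "claimed_bh": tags["bh"], "computed_bh": computed,
            "body_ok": computed == tags["bh"]}


# Constructed sample body: the double space, trailing tab and "-- " line are
# exactly what relaxed canonicalization normalises away.
ORIGINAL_BODY = b"Hello team,\r\n\r\nThe release is  scheduled for Friday.\t\r\n-- \r\nAlice\r\n"


def build_sample_message(body: bytes, canon: str = "relaxed/relaxed") -> bytes:
    """Message as it left the signer.  b= is a dummy value: this check covers the
    body hash only, not the RSA signature over the headers."""
    bh = body_hash(body, {"c": canon, "a": "rsa-sha256"})
    head = (b"DKIM-Signature: v=1; a=rsa-sha256; c=" + canon.encode() + b"; d=example.com;\r\n"
            + b" s=march2025; h=from:to:subject:date; bh=" + bh.encode() + b";\r\n"
            + b" b=ZHVtbXk=\r\n"
            + b"From: alice@example.com\r\nTo: list@example.org\r\n"
            + b"Subject: Release plan\r\nDate: Mon, 3 Mar 2025 10:00:00 +0000")
    return head + b"\r\n\r\n" + body


def through_mailing_list(msg: bytes) -> bytes:
    """Typical list behaviour: a footer appended to the body.  No canonicalization
    tolerates added text, so bh= no longer matches."""
    return msg + b"-- \r\nYou received this mail because you are subscribed to list@example.org\r\n"


def through_rewrapping_mta(msg: bytes) -> bytes:
    """A relay that leaves trailing whitespace on every line: harmless under
    relaxed body canonicalization, fatal under simple."""
    head, body = split_message(msg)
    return head + b"\r\n\r\n" + body.replace(b"\r\n", b"  \r\n")


if __name__ == "__main__":
    signed = build_sample_message(ORIGINAL_BODY)
    cases = [("as sent", signed),
             ("via mailing list", through_mailing_list(signed)),
             ("via rewrapping MTA, relaxed", through_rewrapping_mta(signed)),
             ("via rewrapping MTA, simple",
              through_rewrapping_mta(build_sample_message(ORIGINAL_BODY, "simple/simple")))]
    for label, msg in cases:
        r = check_body_hash(msg)
        print(f"{label:32} bh {'matches' if r['body_ok'] else 'MISMATCH'}   key record: {r['dns_name']}")
```

Run it against a real message by reading the raw source (with CRLF line endings) into `check_body_hash`; if `body_ok` is true and the receiver still reports dkim=fail, the problem is in the signed headers or in the DNS record named by `dns_name`, not in the body.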
2. DKIM PermError (Permanent Error)
DNS record is malformed, missing, or has syntax errors.
Common causes:
- DNS record doesn't exist for selector (deleted or never published)
- Public key missing or malformed (p= tag empty or invalid Base64)
- A single TXT string longer than 255 characters (a long key must be split into several quoted strings, which resolvers concatenate before parsing)
- Incorrect DNS record type (should be TXT)
- Stray characters in the record: quotes or whitespace inside the p= value, a line break copied in from the key file, or a v= tag that is not first
How to fix:
# 1. Test DNS lookup manually
dig TXT selector._domainkey.yourdomain.com
# 2. If no record found, publish it correctly:
selector._domainkey.yourdomain.com TXT
"v=DKIM1; k=rsa; p=MIGfMA0GCS..."
# 3. If any string is too long (>255 chars), split it into several quoted strings; verifiers join them without separators:
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN"
"ADCBiQKBgQC..." (continued)
3. DKIM TempError (Temporary Error)
DNS lookup failed due to timeout or temporary DNS issues.
Common causes:
- DNS server temporarily down or slow to respond
- Network issues between receiving server and your DNS
- DNS rate limiting or firewall blocking
- Recently published record not yet served consistently by all authoritative servers (a resolver that gets a clean "no such record" answer reports PermError instead, so TempError points at a server that fails to answer, not one that answers "no record")
Solutions:
- Wait and retry - TempErrors usually resolve themselves
- Check DNS server uptime and response times (use monitoring tools)
- Use reliable DNS providers (Cloudflare, Route53, etc.)
- Set sensible TTL values (3600-86400 seconds); lower the TTL ahead of a key rotation so the old record expires from caches quickly
4. DKIM Selector Not Found
Email header references a selector that doesn't exist in DNS.
Example error:
DKIM-Signature: v=1; a=rsa-sha256;
s=march2025; (← selector)
d=yourdomain.com;
# But DNS lookup fails:
march2025._domainkey.yourdomain.com NOT FOUND
Solutions:
- Verify selector name in email header matches DNS record name
- Check for typos in selector name
- If recently rotated keys, ensure old selector still published for 48 hours
- Publish the missing selector or update mail server config
Step-by-Step DKIM Diagnostics
Check Email Source
View raw email source to see DKIM signature headers and authentication results. Look for DKIM-Signature header and Authentication-Results.
Verify DNS Record Exists
Use dig or nslookup to check DNS:
dig TXT selector._domainkey.yourdomain.com
# Should return: v=DKIM1; k=rsa; p=...
Validate Public Key Format
The p= value must be a valid Base64 string: no spaces, no line breaks, no quotes. For RSA it is the DER-encoded SubjectPublicKeyInfo, so it starts with MIIBIj for a 2048-bit key or MIGf for a 1024-bit key; an Ed25519 key (k=ed25519) is just the 32 raw key bytes, 44 Base64 characters.
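The PermError section above and this step come down to the same question: does the record, as a resolver returns it, parse into a usable key? The block below is an added example for this guide (not the page's own tooling). It joins the TXT strings as a verifier does, flags strings over 255 characters, parses the tags, Base64-decodes p=, walks the DER structure to read the RSA modulus size, and shows how to split a long record for publishing. The keys it checks are synthetic placeholders built in-line (they have the shape and Base64 prefix of real keys but no private half); the zone name is made up.

```python
"""Check a DKIM key record the way a verifier reads it, and split a long record
into publishable TXT strings.  Added example for this guide (not the page's own
tooling); the keys it validates are synthetic placeholders built in-line."""
import base64
import binascii
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")      # 1.2.840.113549.1.1.1 rsaEncryption


def _der_read(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Modulus size of a DER SubjectPublicKeyInfo, which is what p= must decode to."""
    tag, body, _ = _der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, pos = _der_read(body, 0)                   # AlgorithmIdentifier
    if _der_read(alg, 0)[1] != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    bs_tag, bitstr, _ = _der_read(body, pos)           # BIT STRING wrapping RSAPublicKey
    if bs_tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsa_key, _ = _der_read(bitstr[1:], 0)           # skip the unused-bits byte
    _, modulus, _ = _der_read(rsa_key, 0)              # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def validate_dkim_record(strings: list) -> dict:
    """strings: the TXT strings exactly as a resolver returns them.  Anything in
    'problems' makes a verifier report PermError; 'warnings' are valid but weak."""
    problems, warnings = [], []
    for i, s in enumerate(strings):
        if len(s) > 255:
            problems.append(f"TXT string {i} is {len(s)} chars; the wire limit is 255")
    record = "".join(strings)          # verifiers join the strings with no separator
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append(f"v={tags['v']!r}; only DKIM1 is defined")
    if "v" in tags and not record.lstrip().startswith("v="):
        problems.append("v= tag must come first")
    key_type, bits = tags.get("k", "rsa"), None
    if "p" not in tags:
        problems.append("p= tag missing")
    elif tags["p"] == "":
        problems.append("p= is empty, which means 'key revoked'")
    else:
        try:
            key = base64.b64decode(re.sub(r"\s+", "", tags["p"]), validate=True)
        except binascii.Error as e:
            problems.append(f"p= is not valid Base64: {e}")
        else:
            if key_type == "rsa":
                try:
                    bits = rsa_modulus_bits(key)
                except (ValueError, IndexError) as e:
                    problems.append(f"p= is not an RSA SubjectPublicKeyInfo: {e}")
                else:
                    if bits < 1024:
                        problems.append(f"{bits}-bit RSA: verifiers reject keys below 1024 bits")
                    elif bits < 2048:
                        warnings.append(f"{bits}-bit RSA is the floor; rotate to a 2048-bit key")
            elif key_type == "ed25519":
                bits = 256
                if len(key) != 32:
                    problems.append("k=ed25519 requires a 32-byte raw public key")
            else:
                problems.append(f"unknown key type k={key_type}")
    return {"ok": not problems, "problems": problems, "warnings": warnings,
            "key_type": key_type, "bits": bits, "tags": tags}


def split_for_txt(record: str, limit: int = 255) -> list:
    """Cut a record into <=255-char strings; cutting mid-Base64 is fine because
    the verifier concatenates the strings before decoding."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def zone_line(name: str, strings: list) -> str:
    return f"{name} IN TXT " + " ".join(f'"{s}"' for s in strings)


# Synthetic keys for exercising the validator: real DER shape, dummy modulus, no private half.
def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _der_int(v: int) -> bytes:
    raw = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


def synthetic_rsa_spki(bits: int) -> bytes:
    rsa_key = _der(0x30, _der_int((1 << (bits - 1)) | 1) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))


if __name__ == "__main__":
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(synthetic_rsa_spki(2048)).decode()
    print("as one string:", validate_dkim_record([record])["problems"])
    strings = split_for_txt(record)
    print(zone_line("march2025._domainkey.example.com.", strings))
    print("split:", validate_dkim_record(strings))
```

To check a live record, pass the quoted strings from `dig TXT selector._domainkey.yourdomain.com +short` to `validate_dkim_record` as a list, one element per quoted string, so that an over-long string and a mis-joined split are both caught.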
Test Private/Public Key Match
Derive the public key from the private key on the mail server, DER-encode it, and compare its digest with the digest of the decoded p= value from DNS:
# DER encoding of the public key that belongs to the server's private key
openssl rsa -in private.pem -pubout -outform DER | openssl sha256
# The p= value decodes to the same DER bytes; paste only the Base64
# (all TXT strings joined, without the "p=" prefix or quotes)
echo "<base64 from p=>" | base64 -d | openssl sha256
# Both digests must be identical. Using -outform PEM here would hash the
# PEM text rather than the DER bytes and would never match.
Send Test Email
Send to Gmail or mail-tester.com and check Authentication-Results header. Should show dkim=pass.
Check DMARC Reports
Review aggregate reports for DKIM failures. Look for patterns: specific IPs, ESPs, or time periods with failures.
Quick Fix Checklist
DNS Record Published
selector._domainkey.yourdomain.com TXT record exists
Selector Name Matches
Email header s= tag matches DNS record name
Public Key Valid Base64
p= tag contains valid Base64 encoded RSA public key
Private/Public Keys Match
Private key on mail server corresponds to public key in DNS
DNS Propagated
A new or changed record is visible everywhere only once the previous answer's TTL (for a brand-new name, the zone's negative-caching TTL) has expired from resolver caches; 48 hours is a conservative upper bound, not a requirement
Relaxed Canonicalization Used
c=relaxed/relaxed allows minor modifications without breaking signatures
Key Size 2048-bit or Higher
1024-bit RSA is the smallest key verifiers must accept (RFC 8301) and is considered weak; sign with 2048-bit RSA, which every verifier is required to support
Advanced Troubleshooting
Key Rotation Gone Wrong
If DKIM suddenly fails after rotating keys:
- Verify new selector is published in DNS and propagated globally
- Check mail server config updated to use new selector name
- Ensure old selector still active for 48 hours (in-flight emails)
- Test new selector with dig before removing old one
Multiple Email Services
Each ESP should use its own DKIM selector:
google._domainkey.yourdomain.com TXT "v=DKIM1;..."
sendgrid._domainkey.yourdomain.com TXT "v=DKIM1;..."
salesforce._domainkey.yourdomain.com TXT "v=DKIM1;..."
This prevents conflicts and makes troubleshooting easier. Many ESPs have you publish a CNAME pointing at a key record they host instead of the TXT record itself; dig follows the CNAME, so the check is the same.
Signature Expired
DKIM signatures have optional expiration (x= tag):
DKIM-Signature: v=1; a=rsa-sha256;
s=selector; d=domain.com;
x=1735689600; (← signature expires Jan 1, 2025)
The verifier compares x= with its own clock at verification time, and queued or delayed mail can arrive after it. If legitimate mail fails with an expired signature, use a lifetime of days rather than minutes, or remove the x= tag entirely.
- Monitor DMARC reports weekly for DKIM failures
- Set up alerts for DNS record changes or deletions
- Use reliable DNS providers with high uptime (99.9%+)
- Test DKIM after any mail server or DNS changes
- Document all selectors, keys, and rotation schedules
- Rotate keys every 6-12 months following a zero-downtime process
- Use c=relaxed/relaxed to tolerate minor content modifications
Automatic DKIM Monitoring & Alerts
TrustYourInbox monitors your DKIM health 24/7 and alerts you instantly when issues are detected. No more manual troubleshooting.