DKIM Check Failing? A Systematic Troubleshooting Guide

DKIM failing? Walk through a systematic troubleshooting process to identify and fix DKIM authentication failures, from DNS issues to key problems.

Last updated: 2026-04-05

You checked your email headers, ran a deliverability test, or got a bounce notification — and somewhere in the results, you see dkim=fail. Your DKIM authentication is not passing. Emails might be landing in spam, getting rejected outright, or silently losing trust with receiving mail servers.

Don't panic. Most DKIM failures come from a small set of well-understood problems, and nearly all of them are fixable. The key is working through the possible causes systematically rather than guessing. This guide gives you a clear diagnostic path from "DKIM is failing" to "DKIM is fixed."

Check Your DKIM Record First

Before you start changing settings, confirm what the outside world actually sees when it looks up your DKIM record. Many failures come down to a DNS record that's missing, misconfigured, or pointing to the wrong selector.

If the lookup finds nothing, your problem is in DNS. If the record exists and looks correct, the issue is likely somewhere else in the signing or delivery chain. Either way, you now have a starting point.

Common Reasons DKIM Fails

DKIM authentication can fail for five main reasons. Work through each one in order — the most common causes are listed first.

1. No DKIM Record Found in DNS

The receiving server looks up your public key at selector._domainkey.yourdomain.com. If nothing is there, DKIM fails immediately. This happens when the record was never published, when it was accidentally deleted during a DNS migration, or when you're using the wrong selector name.

DNS propagation can also be a factor. If you just added the record, it can take up to 48 hours for all DNS resolvers worldwide to see it. Use our free DKIM checker above to see what's currently published.

2. Key Mismatch Between DNS and Mail Server

DKIM uses a key pair — a private key on your mail server and a matching public key in DNS. If these don't match, every single email will fail DKIM verification. This typically happens after a key rotation where only one side was updated. You generated a new pair at dkimcreator.com, updated the DNS record with the new public key, but forgot to install the new private key on the server — or the other way around.

3. Message Modified After Signing

DKIM signs the email headers and body at the moment of sending. If anything changes after that point — a mailing list appends an unsubscribe footer, a security gateway rewrites URLs, an antivirus scanner modifies an attachment — the signature becomes invalid. This is the hardest failure to troubleshoot because your configuration is technically correct. The problem is something in the delivery path altering the message.

4. DNS Record Formatting Problems

Your DKIM record exists, but it contains errors that prevent parsing. Common issues include a truncated public key (especially with 2048-bit keys on DNS providers that have character limits), missing v=DKIM1 version tag, extra whitespace or line breaks in the key value, and missing semicolons between tags. A receiving server that cannot parse the record returns a permerror result.
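
A minimal linter for the formatting problems listed above (an added example, not code from the original guide or from any DKIM tool). It uses only the Python standard library; the function names are hypothetical, and FAKE_KEY is constructed filler behind a valid DER length header, not a real public key.

```python
import base64
import binascii
import re

def join_txt_strings(raw: str) -> str:
    """Join a zone-file style value ("part1" "part2") the way resolvers do."""
    chunks = re.findall(r'"([^"]*)"', raw)
    return "".join(chunks) if chunks else raw

def der_declared_length(der: bytes):
    """Total size the outer DER SEQUENCE claims, or None if it is not one."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short form: length is in this byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def lint_dkim_record(raw: str) -> list:
    """Return the problems found in a DKIM key record (empty list = none)."""
    problems, tags = [], {}
    for part in join_txt_strings(raw).split(";"):
        name, _, value = part.partition("=")
        if name.strip():
            tags[name.strip()] = value.strip()
    for name, value in tags.items():
        if name != "p" and re.search(r"\s\w+=", value):
            problems.append(f"missing semicolon after {name}=")
    if not tags.get("v", "").startswith("DKIM1"):
        problems.append("missing v=DKIM1")
    p_raw = tags.get("p", "")
    if re.search(r"\s", p_raw):            # listed above as a common cause
        problems.append("whitespace inside p= value")
    key_b64 = re.sub(r"\s+", "", p_raw)
    if not key_b64:
        return problems + ["p= tag missing or empty"]
    try:
        der = base64.b64decode(key_b64, validate=True)
    except binascii.Error:
        return problems + ["p= is not valid base64"]
    declared = der_declared_length(der)
    if declared is None or len(der) < declared:
        problems.append(f"key truncated or not DER: {len(der)} bytes, header declares {declared}")
    return problems

# Constructed filler behind a 2048-bit-sized DER header; not a real key.
FAKE_KEY = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
GOOD_RECORD = f"v=DKIM1; k=rsa; p={FAKE_KEY}"
```

The truncation check works because the DER header at the start of the key states how many bytes should follow, so a key cut off at a provider's character limit can be detected even when the remaining text is still valid base64.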

5. Algorithm or Key Size Issues

Older DKIM setups that sign with SHA-1 (a=rsa-sha1) are increasingly rejected by major providers. Gmail and Microsoft now prefer SHA-256 (a=rsa-sha256). If your mail server is signing with an outdated algorithm or a very short key (512-bit), some receivers will treat the signature as invalid even if it technically verifies.

Symptoms vs. Likely Causes

When you see a DKIM failure, the specific symptoms can point you toward the root cause.

Symptom | Likely Cause
Lookup returns "no record found" | Record not published, wrong selector name, or DNS propagation delay
Record exists but all emails fail | Public/private key mismatch: keys were rotated and only one side updated
Fails only on forwarded or list emails | Message body modified after signing by a mailing list or forwarder
permerror in authentication results | DNS record syntax error: truncated key, missing tags, or bad formatting
Fails intermittently | DNS timeout (temperror), multiple conflicting records, or inconsistent signing across servers
DKIM passes but DMARC fails | Alignment issue: signing domain (d= tag) does not match the From: header domain

Systematic Debugging Checklist

Follow these steps in order to isolate the problem efficiently.

1. Look up your DKIM record

Use our free DKIM test tool to check if a record exists at the correct selector. Note the exact selector your mail server uses — check the s= tag in a DKIM-Signature header from a sent email. If the record is missing, publish it. If it exists, move to the next step.

2. Verify the selector matches your signing configuration

The selector in your DNS record must match the selector your mail server uses when signing. Open a sent email, find the DKIM-Signature header, and look at the s= value. If it says s=s1 but your DNS record is at default._domainkey, that's the mismatch. Fix the DNS hostname or update your server configuration.

3. Confirm the key pair matches

If the selector is correct but emails still fail, the public and private keys may be out of sync. The simplest test: generate a fresh key pair, update both the DNS record and the mail server at the same time, then test again. If it passes, the old keys were mismatched.

4. Test direct delivery vs. forwarded delivery

Send an email directly to a personal Gmail or Outlook account. If DKIM passes on direct delivery but fails when the message goes through a mailing list, forwarder, or security gateway, the problem is message modification in transit — not your configuration.

5. Check your DNS record syntax

Look at the raw TXT record value. Verify it starts with v=DKIM1, has a p= tag with the full public key, and uses semicolons between tags. If you have a 2048-bit key, make sure your DNS provider didn't truncate it. Some providers require you to split long values across multiple strings.

6. Check DMARC alignment

If DKIM passes but DMARC still fails, the issue is alignment. The domain in your DKIM signature's d= tag must match (or be a subdomain of) the domain in your From: header. Third-party services that sign with their own domain won't help your DMARC result. Check your DMARC configuration at dmarcrecordchecker.com.
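
Steps 1, 2 and 6 of the checklist, plus the algorithm check from the causes list, as an added example that is not part of the original guide. The message, the example.com names and the published_selectors argument (the selectors you have confirmed exist in DNS) are assumptions; the alignment test implements the guide's simplified rule.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message; names and tag values are placeholders.
RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.com;
 s=s1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.com>
To: bob@example.net
Subject: test

body
"""

def signature_tags(header_value: str) -> dict:
    """Parse the tag=value list of a (possibly folded) DKIM-Signature header."""
    tags = {}
    for part in header_value.split(";"):
        name, _, value = part.partition("=")
        if name.strip():
            tags[name.strip()] = "".join(value.split())   # drop folding whitespace
    return tags

def diagnose(raw_message: str, published_selectors: set) -> dict:
    """Summarize what the checklist asks you to read off a sent message."""
    msg = message_from_string(raw_message)
    if msg["DKIM-Signature"] is None:
        return {"signed": False}
    tags = signature_tags(msg["DKIM-Signature"])
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    d = tags["d"].lower()
    return {
        "signed": True,
        "lookup_name": f"{tags['s']}._domainkey.{d}",        # where receivers look
        "selector_published": tags["s"] in published_selectors,
        "weak_algorithm": tags.get("a") == "rsa-sha1",
        # Simplified rule from the guide: d= equals the From: domain or is a
        # subdomain of it. DMARC's relaxed mode formally compares organizational
        # domains, which needs the Public Suffix List.
        "aligned": d == from_domain or d.endswith("." + from_domain),
    }

if __name__ == "__main__":
    print(diagnose(RAW, {"default"}))
```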

When to Regenerate Your DKIM Key

Sometimes the fastest fix is to start fresh with a new key pair. Consider regenerating when:

  • You can't determine whether the current public and private keys match
  • Your existing key is 1024-bit or smaller and you want to upgrade to 2048-bit
  • Your key has been in use for over a year and you want to rotate for security
  • You're migrating to a new email service and need a clean configuration

Generate a new key pair at dkimcreator.com. Publish the new public key in DNS first, wait for propagation, then switch your mail server to the new private key. Keep the old DNS record active for a few days so emails already in transit can still verify.

Don't delete the old record too early

When rotating DKIM keys, publish the new record alongside the old one (using a different selector). Switch your server to sign with the new key. Only remove the old DNS record after a few days, once all in-flight messages have been delivered or expired.

Preventing Future DKIM Failures

Once you've fixed the immediate problem, put safeguards in place so you don't end up troubleshooting the same issue again:

  • Test after every change. Any time you modify DNS records, migrate email providers, or update mail server settings, run a DKIM check immediately with our free tool.
  • Monitor continuously. DNS records can be accidentally deleted or overwritten during unrelated changes. Automated monitoring at deliverabilitychecker.com alerts you the moment your DKIM record changes or disappears.
  • Document your selectors. Keep a record of which selectors are used by which sending services. This saves hours of troubleshooting when something breaks months later.
  • Complete your authentication. DKIM works best alongside SPF and DMARC. Verify your SPF record at spfrecordcheck.com and your DMARC policy at dmarcrecordchecker.com.

Monitor Your DKIM Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
