
DKIM Signature Failed? How to Debug and Fix It

A step-by-step guide to finding and fixing DKIM failures. Most issues come down to DNS misconfiguration or content modification.

How DKIM works (quick overview)

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails. The sending server signs the email with a private key, and the receiving server verifies the signature using a public key published in your DNS records.

If the signature doesn't match — because the DNS record is wrong, the key pair is mismatched, or the email was modified in transit — the DKIM check fails.

Step 1: Check email headers

Send a test email to a Gmail account. Open the email, click the three-dot menu, and select "Show original." Look for the Authentication-Results header:

Authentication-Results: mx.google.com;
  dkim=pass header.d=example.com header.s=relaypost;
  spf=pass (google.com: domain of [email protected])
  dmarc=pass (p=NONE)

If you see dkim=fail, note the reason code. Common reasons:

  • body hash did not verify — email content was modified after signing
  • no key for signature — DNS record not found at the selector
  • key too small — RSA key is less than 1024 bits (use 2048)
  • signature expired — the x= tag timestamp has passed

Step 2: Verify your DNS record

Check that your DKIM TXT record is published correctly. Replace selector with your actual DKIM selector:

dig TXT selector._domainkey.example.com +short

You should see a TXT record containing v=DKIM1; k=rsa; p=... with your public key. Common issues:

  • Record not found — wrong selector name or DNS not propagated yet
  • Record truncated — some DNS providers split long TXT records incorrectly
  • Wrong domain — record published on wrong domain or subdomain
  • CNAME instead of TXT — some providers require CNAME records that point to the key

Step 3: Check for content modification

DKIM signs specific headers and the email body. If anything modifies the signed content after signing, the signature breaks. Common culprits:

  • Mailing list software — adds footers, modifies Subject line, or rewrites From header
  • Email forwarding — some forwarding services modify headers or body
  • Anti-virus gateways — may add headers or modify content
  • Marketing tools — may rewrite links for tracking after DKIM signing

If forwarding or mailing lists are breaking DKIM, consider implementing ARC (Authenticated Received Chain) to preserve authentication through forwarding.
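As an added example (not from this guide or from RelayPost), the Python below recomputes the body hash the way a verifier does, so you can tell whether the body was touched after signing: it applies the simple or relaxed body canonicalization named in the signature's c= tag, hashes the result, and compares it with the bh= tag. The sample_message helper builds a constructed message whose bh= is computed here and whose b= is a placeholder, since no actual signing is done.

```python
import base64
import hashlib
import re

def canonicalize_body(body, canon="relaxed"):
    """Body canonicalization from RFC 6376 section 3.4; `body` uses CRLF line endings."""
    lines = body.split("\r\n")
    if canon == "relaxed":   # collapse whitespace runs to one space, strip trailing whitespace
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":                    # drop trailing empty lines
        lines.pop()
    if not lines:
        return "\r\n" if canon == "simple" else ""      # simple: an empty body hashes as CRLF
    return "".join(line + "\r\n" for line in lines)

def body_hash(body, canon="relaxed"):
    """The bh= value a signer computes (both rsa-sha256 and ed25519-sha256 use SHA-256)."""
    digest = hashlib.sha256(canonicalize_body(body, canon).encode()).digest()
    return base64.b64encode(digest).decode()

def check_body_hash(raw_message):
    """Recompute bh= for a raw message (CRLF line endings) and compare with its DKIM-Signature."""
    headers, _, body = raw_message.partition("\r\n\r\n")
    unfolded = re.sub(r"\r\n[ \t]+", " ", headers)      # join folded header continuation lines
    m = re.search(r"^DKIM-Signature:(.*)$", unfolded, re.M | re.I)
    if not m:
        return {"result": "neutral", "reason": "no DKIM-Signature header"}
    tags = dict(t.strip().split("=", 1) for t in m.group(1).split(";") if "=" in t)
    body_canon = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]  # c=header/body
    expected, found = body_hash(body, body_canon), re.sub(r"\s+", "", tags.get("bh", ""))
    if expected == found:
        return {"result": "pass", "canon": body_canon}
    return {"result": "fail", "reason": "body hash did not verify",
            "expected_bh": expected, "found_bh": found}

def sample_message(body, canon="relaxed"):
    """Constructed message, not real signed mail: bh= is computed here and b= is a placeholder."""
    return ("From: alice@example.com\r\nSubject: hello\r\n"
            f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/{canon}; d=example.com;\r\n"
            f"\ts=selector; h=from:subject; bh={body_hash(body, canon)};\r\n"
            "\tb=PLACEHOLDER-NOT-A-REAL-SIGNATURE\r\n\r\n" + body)

if __name__ == "__main__":
    msg = sample_message("Hello,   this is the  body\t \r\n\r\n")
    print(check_body_hash(msg)["result"])                              # pass
    print(check_body_hash(msg + "-- \r\nList footer\r\n")["result"])   # fail: footer appended
```

With relaxed canonicalization a forwarder that only reflows whitespace still passes, while an appended mailing-list footer fails; with simple canonicalization even the whitespace change fails.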

Step 4: Verify key pair match

The most common cause of DKIM failure is a mismatch between the private key (used to sign) and the public key (published in DNS). This happens when:

  • You rotated keys but only updated one side
  • You copied the wrong public key to DNS
  • Your email provider regenerated keys and you didn't update DNS

With RelayPost, DKIM keys are managed automatically during domain verification. If you see a DKIM failure, re-verify your domain in the dashboard to ensure the DNS record matches.

Step 5: Check key size

RSA keys smaller than 1024 bits are rejected by most ISPs. Google requires at least 1024 bits and recommends 2048 bits. If your key is too small, generate a new 2048-bit key pair and update both your signing configuration and DNS record.
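An added checker that is not part of this guide or of RelayPost's tooling: it parses the output of the dig command from Step 2 and covers the DNS problems listed there together with the key-size check of this step, joining multi-string TXT records, flagging a missing or truncated p= value, and reading the RSA modulus size out of the DER-encoded public key. fake_dig_output builds constructed test data around a dummy modulus, not a real key.

```python
import base64
import re

def _der_tlv(buf, pos=0):  # read one DER tag-length-value; returns (tag, content, end offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):  # modulus size of an RSA SubjectPublicKeyInfo (decoded p=)
    _, spki, _ = _der_tlv(spki_der)                     # SubjectPublicKeyInfo SEQUENCE
    _, _, after_alg = _der_tlv(spki)                    # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _der_tlv(spki, after_alg)            # BIT STRING; byte 0 = unused bits
    _, rsa_key, _ = _der_tlv(bitstr[1:])                # RSAPublicKey SEQUENCE
    _, modulus, _ = _der_tlv(rsa_key)                   # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(dig_output, min_bits=1024):
    """Parse `dig TXT <selector>._domainkey.<domain> +short` output; return a list of problems."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_output)
    if not chunks:
        return ["no TXT record at the selector (wrong selector name or not propagated)"]
    record = "".join(chunks)            # a long TXT record comes back as several quoted strings
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("k", "rsa") != "rsa":
        return [f"k={tags['k']}: this checker only sizes RSA keys"]
    pub = tags.get("p", "").replace(" ", "")
    if not pub:
        return ["p= tag missing or empty (key revoked, or record cut off)"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(pub, validate=True))
    except (ValueError, IndexError):                    # bad base64 or short DER
        return ["p= is not a valid base64 DER public key (record truncated?)"]
    return [f"key too small: {bits}-bit RSA, use 2048"] if bits < min_bits else []

def _der(tag, content):  # minimal DER encoder, used only to build the constructed test key
    n = len(content)
    length = bytes([n]) if n < 128 else b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def fake_dig_output(bits):
    """Constructed test data, not a real key: `dig +short` output for a `bits`-bit RSA SPKI."""
    modulus = b"\x00\xc3" + b"\x5a" * (bits // 8 - 1)   # leading 0x00 since the high bit is set
    rsa_key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    p = base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa_key))).decode()
    return f'"v=DKIM1; k=rsa; p={p[:200]}" "{p[200:]}"\n'   # split like dig prints long records
```

Feed check_dkim_record the text printed by the dig command in Step 2 to check a live record; an empty list means the record parsed and the key is at least 1024 bits.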

Common DKIM failure scenarios

Symptom                 Likely Cause                            Fix
dkim=fail (no key)      DNS record missing or wrong selector    Verify selector name and DNS propagation
dkim=fail (body hash)   Content modified after signing          Check for forwarding/mailing list modification
dkim=fail (bad sig)     Key pair mismatch                       Re-publish correct public key to DNS
dkim=neutral            No DKIM signature present               Enable DKIM signing in your email provider
dkim=temperror          DNS timeout                             Check DNS server health, reduce TTL

DKIM with RelayPost

RelayPost handles DKIM automatically:

  • 2048-bit RSA keys generated during domain setup
  • DNS records provided — just add the CNAME or TXT record
  • Automatic signing of all outgoing email
  • Key rotation managed by the platform

If DKIM is failing for a RelayPost-sent email, re-verify your domain in the dashboard to check DNS record status.

Frequently asked questions

What does 'DKIM signature failed' mean?

It means the receiving mail server could not verify the DKIM signature on your email. This happens when the signature in the email header doesn't match the public key published in your DNS records, or when the email content was modified in transit.

Does DKIM failure cause emails to go to spam?

Not always, but it significantly increases the chance. ISPs use DKIM as one of several signals. A DKIM failure combined with no DMARC policy or poor sender reputation will almost certainly result in spam placement or rejection.

How do I test if my DKIM is working?

Send a test email to a Gmail account and click 'Show original' in the three-dot menu. Look for 'DKIM: PASS' in the authentication results. You can also use online tools like MXToolbox DKIM Lookup or mail-tester.com.

Can I have multiple DKIM records for one domain?

Yes. Each DKIM record uses a unique selector (e.g., s1._domainkey.example.com, s2._domainkey.example.com). This allows multiple services to sign emails for the same domain. Each service uses its own selector and key pair.
