Common DKIM Errors and How to Fix Them
Troubleshoot DKIM failures including 'DKIM not found', 'signature invalid', selector issues, and key problems. Learn what causes each error and how to resolve it.
Last updated: 2026-01-28
DKIM failures can tank your email deliverability. When your DKIM signature doesn't verify, receiving servers may reject your emails or send them to spam. This guide covers the most common DKIM errors and how to fix them.
Understanding DKIM Result Codes
Before diving into specific errors, understand the possible DKIM verification results:
| Result | Meaning | Action |
|---|---|---|
| pass | Signature verified successfully | No action needed |
| fail | Signature verification failed | Check signature and keys |
| none | No DKIM signature found | Ensure signing is enabled |
| neutral | Could not verify signature | Check DNS and key format |
| temperror | Temporary error during verification | Usually DNS timeout—retry |
| permerror | Permanent error | Fix malformed DKIM record |
Error: DKIM Record Not Found
What it means: The receiving server couldn't find a DKIM public key at the DNS location specified in the email signature.
Common causes:
1. Wrong selector: The selector in the DKIM-Signature header doesn't match your DNS record.
Check the signature header for s=selector. Then verify that record exists:
selector._domainkey.yourdomain.com
2. DNS record not created: The DKIM record was never added to DNS, or was added to the wrong domain/subdomain.
3. DNS propagation delay: If you just added the record, it may take up to 48 hours to propagate globally (though usually much faster).
4. Typo in DNS record name: The record exists but with a typo. Double-check the exact spelling of your selector and _domainkey.
How to fix:
- Verify your selector name in your email service's admin console
- Use our DKIM lookup tool to check if the record resolves
- Check your DNS provider's records for typos
- Wait for propagation if you just added the record
Check multiple locations
Use multiple DNS lookup tools or check from different geographic locations. Propagation can be inconsistent.
Error: DKIM Signature Invalid / Verification Failed
What it means: The DKIM signature exists, but the verification math doesn't check out. The decrypted signature hash doesn't match the calculated hash.
Common causes:
1. Email was modified in transit: Something changed the email after it was signed. Common culprits:
- Mailing lists that add footers
- Email forwarding services
- Security gateways that scan/modify content
- Antivirus software
2. Key mismatch: The public key in DNS doesn't correspond to the private key that signed the email. This happens after key rotation if DNS wasn't updated.
3. Partial body signing: If l= (body length) was set, only part of the body was signed. Content added after that point isn't covered.
4. Header modification: Some headers that were signed got modified or reordered in transit.
How to fix:
- Check if you're sending through a service that modifies emails
- Verify your public and private keys match
- Ensure your email service uses c=relaxed/relaxed canonicalization
- Check for mailing lists or forwarding in the email path
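To see why a change in transit breaks verification and what c=relaxed and l= change, the following added example (not part of the original guide) computes the body hash a verifier compares with bh=, using the body canonicalization rules from RFC 6376. The sample bodies and the function names are constructed for illustration.

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization from RFC 6376: 'simple' or 'relaxed'."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # collapse runs of spaces/tabs, then drop whitespace at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed", length=None) -> str:
    """Value a verifier compares with bh=; length models the l= tag."""
    data = canon_body(body, mode)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

# Constructed sample bodies (not taken from real mail)
SIGNED = b"Hello team,\r\nThe report is attached.\r\n"
REWRAPPED = b"Hello  team, \r\nThe report is attached.\t\r\n\r\n"  # whitespace only
FOOTER = SIGNED + b"-- \r\nlist footer added by a mailing list\r\n"

def survives(received: bytes, mode: str, length=None) -> bool:
    """True if the received body still matches the hash taken at signing time."""
    return body_hash(received, mode, length) == body_hash(SIGNED, mode, length)

if __name__ == "__main__":
    print("whitespace change, relaxed:", survives(REWRAPPED, "relaxed"))
    print("whitespace change, simple: ", survives(REWRAPPED, "simple"))
    print("footer added, relaxed:     ", survives(FOOTER, "relaxed"))
    print("footer added, l=38:        ", survives(FOOTER, "relaxed", len(SIGNED)))
```

Relaxed canonicalization absorbs whitespace-only rewrites but not an appended footer. With l= the footer no longer breaks the hash, precisely because the added content is not covered by the signature.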
Error: Selector Not Found
What it means: Similar to "DKIM record not found," but specifically indicates the selector portion couldn't be resolved.
Common causes:
1. Wrong selector configured: Your email service is using a different selector than what you published in DNS.
2. Multiple selectors: Some services use multiple selectors (like "google" and "google2"). You may have published only one.
3. Service-specific selectors: Each email service has its own selector. Google Workspace uses "google", Microsoft 365 uses "selector1", Mailchimp uses "k1", etc.
How to fix:
- Check your email service's documentation for the correct selector(s)
- Look at a sent email's headers to find the actual selector being used
- Add DNS records for all selectors your service might use
Error: Key Too Short / Weak Key
What it means: Your DKIM key is 512 or 1024 bits, which some receiving servers consider too weak.
Common causes:
1. Old key: DKIM keys generated years ago may use 1024-bit or shorter keys.
2. Service default: Some email services default to shorter keys to ensure DNS compatibility.
How to fix:
- Generate a new 2048-bit key
- Update your DNS with the new public key
- Update your email service with the new private key
- Most modern services handle this automatically if you re-enable DKIM
While 1024-bit keys technically still work, 2048-bit is the recommended minimum. Some DNS providers have character limits that require splitting long TXT records.
Error: Key Syntax Error / Malformed Record
What it means: The DKIM record exists but has formatting issues that prevent parsing.
Common causes:
1. Missing quotes: TXT records with spaces need to be quoted properly.
2. Truncated key: The public key got cut off, often due to copy-paste errors or DNS field length limits.
3. Invalid characters: Line breaks, special characters, or encoding issues in the key.
4. Missing required fields: DKIM records need v=DKIM1 and p= (public key) at minimum.
How to fix:
- Regenerate the DKIM record from your email service
- Check that the entire public key is present (they're long strings)
- Ensure proper TXT record formatting in your DNS provider
- For long keys, some DNS providers require splitting into multiple strings
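The record checks from this section and from the key-length section above can be automated. This added example (not the guide's own code) joins split TXT strings, checks for v=DKIM1 and p=, detects a truncated key, and reads the RSA modulus size from the decoded p= value. The function names are hypothetical, and `sample_record` builds a constructed record around a made-up modulus rather than a real key.

```python
import base64

def tlv(buf, pos=0):
    """Read one DER tag-length-value; raises if the data is cut short."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_bits(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    _, spki, _ = tlv(der)
    _, _, nxt = tlv(spki)            # skip AlgorithmIdentifier
    _, bitstr, _ = tlv(spki, nxt)    # BIT STRING wrapping RSAPublicKey
    _, rsakey, _ = tlv(bitstr[1:])   # drop the unused-bits octet
    _, modulus, _ = tlv(rsakey)
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt_strings):
    """List problems in a DKIM TXT record, given as its DNS character-strings."""
    # split strings are joined with no separator before parsing the tag list
    pairs = (t.split("=", 1) for t in "".join(txt_strings).split(";") if "=" in t)
    tags = {k.strip(): v.strip() for k, v in pairs}
    problems = [] if tags.get("v") == "DKIM1" else ["missing v=DKIM1"]
    p = "".join(tags.get("p", "").split())
    if not p:
        return problems + ["missing or empty p="]
    if tags.get("k", "rsa") != "rsa":
        return problems  # the size check below only understands RSA keys
    try:
        bits = rsa_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError):
        return problems + ["p= is truncated or not valid base64 DER"]
    return problems + ([f"{bits}-bit key, below 2048"] if bits < 2048 else [])

def _der(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed sample: valid SPKI layout around a made-up modulus, not a real key."""
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa))).decode()
```

Pass the strings exactly as your resolver returns them, for example `check_record([rec[:255], rec[255:]])` for a record split at the 255-character limit.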
Error: Algorithm Not Supported
What it means: The receiving server doesn't support the cryptographic algorithm specified in the signature.
Common causes:
1. Using ed25519: The newer ed25519-sha256 algorithm isn't universally supported yet.
2. Using sha1: Some servers reject rsa-sha1 as insecure.
How to fix:
- Use rsa-sha256, which has universal support
- If using ed25519, consider dual-signing with rsa-sha256 as fallback
Error: Expired Signature
What it means: The signature included an expiration timestamp (x=) and that time has passed.
Common causes:
1. Delayed delivery: The email sat in a queue too long before delivery.
2. Replay detection: Some systems set short expirations to prevent replay attacks.
How to fix:
- This usually resolves itself with fresh emails
- If consistent, check if your email service sets unnecessarily short expirations
- Check your mail server for delivery delays
Error: DMARC Alignment Failure
What it means: DKIM passed, but the DKIM domain doesn't match the From address domain, failing DMARC alignment.
Common causes:
1. Third-party sender: A service like Mailchimp signs with their own domain, not yours.
2. Subdomain vs root domain: You're sending from marketing.example.com but DKIM uses example.com (or vice versa).
How to fix:
- Configure your third-party sender to use your domain in the DKIM signature
- Ensure DKIM signing domain matches your From address domain
- Check DMARC alignment mode (strict vs relaxed)
If you need to create a new DKIM record, dkimcreator.com can generate one for you.
Debugging Checklist
When troubleshooting DKIM issues, work through this checklist:
1. Check the signature: Look at a sent email's headers. Find DKIM-Signature and note the selector (s=) and domain (d=).
2. Look up the public key: Query selector._domainkey.domain in DNS. Verify the record exists and looks complete.
3. Check Authentication-Results: The receiving server's Authentication-Results header shows exactly why DKIM failed.
4. Test with a fresh email: Send a new test email to rule out one-time issues. Use mail-tester.com or similar services.
5. Verify service configuration: Check your email service's DKIM settings. Re-authenticate if needed.
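The first checklist steps can be scripted. This added example (not part of the original guide) reads the DKIM-Signature header of a message, returns the DNS name to query, and flags the conditions covered above: algorithm, canonicalization, l=, an expired x=, and alignment with the From domain. The sample message is constructed, `triage` is a hypothetical name, and relaxed alignment is simplified to parent/child matching because a real check needs the Public Suffix List.

```python
import time
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from a real message); bh= and b= are placeholders.
SAMPLE = """\
From: News <news@marketing.example.com>
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=k1;
 t=1700000000; x=1700086400; l=1200; h=from:to:subject;
 bh=PLACEHOLDER; b=PLACEHOLDER
Subject: test

body
"""

def triage(raw, now=None, strict=False):
    """Return (DNS name to query, list of findings) for the DKIM-Signature header."""
    msg = message_from_string(raw)
    sig = msg["DKIM-Signature"]
    if sig is None:
        return None, ["no DKIM-Signature header"]
    # tag=value pairs separated by ';'; folding whitespace inside values is dropped
    tags = {k.strip(): "".join(v.split()) for k, v in
            (t.split("=", 1) for t in sig.split(";") if "=" in t)}
    d, notes = tags["d"].lower(), []
    if tags.get("a") != "rsa-sha256":
        notes.append(f"a={tags.get('a')}: not rsa-sha256")
    if tags.get("c", "simple/simple") != "relaxed/relaxed":
        notes.append("c= is not relaxed/relaxed")
    if "l" in tags:
        notes.append(f"l={tags['l']}: body past this length is unsigned")
    if "x" in tags and int(tags["x"]) < (time.time() if now is None else now):
        notes.append("x= expiration has passed")
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Assumption: relaxed alignment really compares organizational domains
    # (Public Suffix List); parent/child matching is a simplification here.
    related = from_dom.endswith("." + d) or d.endswith("." + from_dom)
    if from_dom != d and (strict or not related):
        notes.append(f"d={d} not aligned with From domain {from_dom}")
    return f"{tags['s']}._domainkey.{d}", notes

if __name__ == "__main__":
    print(triage(SAMPLE, now=1700100000, strict=True))
```

For the sample, the subdomain mismatch is reported only with `strict=True`; under relaxed alignment marketing.example.com and example.com align.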
Monitor Your DKIM Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.