Common DKIM Errors and How to Fix Them

Troubleshoot DKIM failures, signature verification errors, and DNS issues. Learn how to diagnose and fix the most common DKIM problems.

Last updated: 2026-02-04

DKIM errors can hurt your email deliverability. Here's how to diagnose and fix the most common issues.

DKIM Signature Verification Failed

Symptoms: Emails fail DKIM checks. Headers show dkim=fail.

Common causes:

  • Message was modified in transit: Mailing lists, email forwarders, or security gateways may alter the message body or headers, breaking the signature.
  • Wrong public key in DNS: The public key doesn't match the private key used to sign. Often happens after key rotation.
  • DNS record has typos: Copy/paste errors in the base64 public key, or extra spaces/characters.
  • Canonicalization mismatch: Using simple canonicalization when relaxed is needed to handle transit modifications.

Fixes:

  1. Verify your DNS record matches exactly what your mail server expects
  2. Check for extra spaces or characters in the DNS TXT record
  3. Use relaxed/relaxed canonicalization
  4. If using a forwarder, consider ARC (Authenticated Received Chain)

Test your setup

Send a test email to a service like mail-tester.com to see exactly why DKIM is failing.

DKIM Record Not Found

Symptoms: DKIM check returns "no key" or "record not found."

Common causes:

  1. Wrong selector — The selector in your email signature doesn't match your DNS record
  2. DNS propagation — Recent changes haven't propagated yet
  3. Missing underscore — Record should be at selector._domainkey.domain.com (note the _domainkey)
  4. Wrong record type — Should be TXT, not CNAME (unless your provider specifically requires CNAME)

Fixes:

  1. Verify the selector: Check your email headers for the s= tag. The DNS record must be at that exact selector.
  2. Check DNS directly: Query your DNS with dig TXT selector._domainkey.yourdomain.com, or use an online DNS lookup tool.
  3. Wait for propagation: DNS changes can take up to 48 hours. Check with a tool that queries multiple DNS servers worldwide.

Key Too Short / Key Length Error

Symptoms: DKIM check warns about key size, or fails with "key too short."

The issue: You're using a 512-bit or very old 768-bit key. Modern standards require at least 1024 bits.

Fix: Generate a new 2048-bit key pair and update your DNS record.

DKIM Key Revoked

Symptoms: DKIM check shows "key revoked" or verification fails with an empty key.

The issue: The DNS record has an empty p= tag (p=), which signals the key has been revoked.

Fix:

  • If intentional, set up a new key with a new selector
  • If accidental, restore the public key to the DNS record

Body Hash Mismatch

Symptoms: bh= (body hash) verification fails specifically.

Common causes:

  • Email body was modified after signing (footer added, encoding changed)
  • Content-length issues from mail servers truncating or modifying content
  • HTML sanitization changing the body

Fix: This is often caused by intermediate systems. Check if you have email security appliances, mailing list software, or forwarding rules that modify message bodies.
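
An added example, not part of the original page: the body canonicalization rules of RFC 6376 section 3.4 applied to constructed messages, showing which in-transit changes keep the bh= value intact under simple and under relaxed. It illustrates both the canonicalization mismatch and the body hash mismatch described above; the function names and sample bodies are assumptions made for illustration.

```python
import base64
import hashlib
import re

def canon_body(body, mode):
    """Canonicalize a CRLF-delimited body (bytes) as "simple" or "relaxed"."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, then drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":          # both modes ignore trailing empty lines
        lines.pop()
    if not lines:                              # empty body: CRLF for simple, nothing for relaxed
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, mode="relaxed"):
    """The value a verifier recomputes and compares with bh= (sha256 case)."""
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def survives(signed, received):
    """For each canonicalization, does the received body still match the signed one?"""
    return {mode: body_hash(signed, mode) == body_hash(received, mode)
            for mode in ("simple", "relaxed")}

# Constructed bodies: what the sender signed, and two versions seen by the receiver.
SIGNED = b"Hello  team,\r\nThe report is attached.\r\n"
REWRAPPED = b"Hello team, \r\nThe report is attached.\r\n\r\n"   # whitespace changed by a relay
FOOTER = SIGNED + b"-- \r\nScanned by gateway\r\n"               # content appended by a gateway

if __name__ == "__main__":
    print("whitespace rewrite:", survives(SIGNED, REWRAPPED))
    print("footer appended:  ", survives(SIGNED, FOOTER))
```

Relaxed canonicalization absorbs whitespace-only rewrites, but no canonicalization survives appended or rewritten content, which is why the fix in that case is on the intermediate system.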

Multiple DKIM Records Conflicting

Symptoms: Inconsistent DKIM results, sometimes passing, sometimes failing.

The issue: Multiple TXT records at the same selector with different keys, or conflicting records.

Fix:

  1. Query DNS to see all TXT records at the selector
  2. Remove duplicate or outdated records
  3. Keep only the single current public key

Selector Mismatch

Symptoms: DKIM signature present but can't be verified because the key isn't found.

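The issue: The email is signed with one selector, but the DNS record is published under another. For example, the signature uses selector selector1 while the DNS record sits at selector google.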

Fixes:

  • Update your mail server to use the correct selector that matches your DNS
  • Or add a DNS record for the selector your mail server is using

DNS TXT Record Too Long

Symptoms: DNS record won't save, or is truncated.

The issue: 2048-bit keys produce long base64 strings. Some DNS providers have TXT record limits.

Fixes:

  1. Split the record — Many DNS providers support splitting long TXT records into multiple strings
  2. Use 1024-bit key — Less secure but fits in any DNS provider's limits
  3. Check provider documentation — Some providers require specific formatting for long records

Most modern DNS providers support long TXT records either directly or via string concatenation. Check your provider's documentation.

Testing Mode Warning

Symptoms: DKIM passes but shows "testing mode" or t=y flag.

The issue: Your DKIM record includes t=y, indicating the key is in testing mode. Some receivers may handle failures differently.

Fix: Once you've confirmed DKIM is working, remove the t=y flag from your DNS record:

- v=DKIM1; k=rsa; t=y; p=MII...
+ v=DKIM1; k=rsa; p=MII...

Quick Diagnostic Checklist

When troubleshooting DKIM:

  1. Check email headers — Look for DKIM-Signature and note the d= and s= values
  2. Verify DNS record exists — Query {selector}._domainkey.{domain}
  3. Compare keys — Ensure the DNS public key matches your private key
  4. Check for modifications — Are forwarders or security tools altering emails?
  5. Verify record syntax — No extra spaces, complete base64 string
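
An added example, not part of the original page: a linter for the TXT records returned at {selector}._domainkey.{domain}, covering the missing, duplicate, revoked, short-key, testing-mode and split-string cases described above. The function names are hypothetical, and the two sample keys are constructed with all-ones moduli (they are not real keys); pass in the strings exactly as your DNS query returned them.

```python
import base64
import re

def parse_tags(text):
    """Split a DKIM tag=value list (DNS record or DKIM-Signature header)."""
    pairs = (t.split("=", 1) for t in text.split(";") if "=" in t)
    return {k.strip(): v.strip() for k, v in pairs}

def _tlv(buf, i):  # (value_start, value_end) of the DER element at offset i
    length, i = buf[i + 1], i + 2
    if length & 0x80:                         # long form: low 7 bits count the length bytes
        length, i = int.from_bytes(buf[i:i + (length & 0x7F)], "big"), i + (length & 0x7F)
    return i, i + length

def rsa_bits(spki):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in p=."""
    start, _ = _tlv(spki, 0)                  # outer SEQUENCE
    _, alg_end = _tlv(spki, start)            # AlgorithmIdentifier
    bit_start, _ = _tlv(spki, alg_end)        # BIT STRING, first octet = unused bits
    rsa_start, _ = _tlv(spki, bit_start + 1)  # RSAPublicKey SEQUENCE
    mod_start, mod_end = _tlv(spki, rsa_start)
    return int.from_bytes(spki[mod_start:mod_end], "big").bit_length()

def lint_record(strings):
    """Findings for one TXT record given as its list of character-strings."""
    tags = parse_tags("".join(strings))       # strings are joined with no separator
    p = tags.get("p")
    if not p:
        return ["no p= tag" if p is None else "key revoked (empty p=)"]
    out = ["whitespace inside p="] if re.search(r"\s", p) else []
    try:
        der = base64.b64decode(re.sub(r"\s", "", p), validate=True)
        if tags.get("k", "rsa") == "rsa" and rsa_bits(der) < 1024:
            out.append("key too short")
    except (ValueError, IndexError):          # bad base64 or truncated DER
        out.append("p= is not a valid base64 key")
    if "y" in tags.get("t", "").split(":"):
        out.append("testing mode (t=y)")
    return out

def lint(records):  # records: every TXT record at the selector, each a list of strings
    if not records:
        return ["record not found"]
    out = ["multiple TXT records at selector"] if len(records) > 1 else []
    return out + [f for strings in records for f in lint_record(strings)]

# Constructed samples: all-ones moduli, not real keys (1024-bit and 512-bit).
KEY_1024 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD" + "/" * 170 + "wIDAQAB"
KEY_512 = "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAP" + "/" * 84 + "8CAwEAAQ=="
```

An empty result from lint() means the record is well formed; it does not prove the published key matches your private key, which still has to be compared separately.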

Need new DKIM keys? Generate secure key pairs with DKIM Creator.
