DKIM Signature Verification Failed — Causes and Fixes

Verification fails when the public key in DNS doesn’t match the key that signed the message, the body changed in flight, or the selector’s TXT record is missing or wrong. The headers tell you which one.

Common causes

  1. Key mismatch — you rotated keys but DNS still has the old one (or the opposite)
  2. Message altered — lists and some forwarders change the body
  3. Wrong selector — s= in the message doesn’t match a TXT
  4. Truncated TXT — long keys split wrong at the DNS host

How to diagnose

Paste raw headers into DomainPreflight Email — it surfaces DKIM-Signature, selector, and whether things line up.

Fix it step by step

Step 1 Get raw email headers — Gmail: ⋮ → Show original | Outlook: File → Properties
Step 2 Paste into DomainPreflight Email header analyzer
Step 3 Find the s= tag in DKIM-Signature — that’s your selector
Step 4 Check that selector._domainkey.yourdomain.com exists in DNS
Step 5 If key mismatch → regenerate and republish the DKIM record
Step 6 If body alteration → check if a mailing list or forwarder modified the message
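
Steps 3 to 5 can also be checked by hand. The following is an added example, not DomainPreflight's code: it reads s= and d= from a DKIM-Signature header, builds the DNS name to query, and classifies a TXT record as ok, revoked, or truncated. The message, selector sel2024, domain example.com and key blob are constructed sample values.

```python
import base64
import binascii
import re
from email import message_from_string

def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drops header folding
    return tags

def dkim_query_name(raw_message):
    """Return the name a verifier queries: <s>._domainkey.<d>, or None."""
    tags = parse_tags(message_from_string(raw_message)["DKIM-Signature"] or "")
    if "s" not in tags or "d" not in tags:
        return None
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_key_record(txt_strings):
    """Classify a DKIM TXT record given as its list of DNS character-strings."""
    tags = parse_tags("".join(txt_strings))  # strings are joined with no separator
    p = tags.get("p")
    if p is None:
        return "no p= tag"
    if p == "":
        return "revoked (empty p=)"
    try:
        der = base64.b64decode(p, validate=True)
    except (binascii.Error, ValueError):
        return "p= is not valid base64 (truncated or badly split)"
    # RSA keys of 2048 bits and up are a DER SEQUENCE: 30 82 <2-byte length>.
    if tags.get("k", "rsa") == "rsa" and der[:2] == b"\x30\x82":
        if int.from_bytes(der[2:4], "big") + 4 != len(der):
            return "p= decodes but DER length is wrong (truncated)"
    return "ok"

# Constructed samples: placeholder signature values; zero-filled blob, not a real key.
RAW = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com;\n"
       "\ts=sel2024; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
       "From: a@example.com\n\nbody\n")
RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(
    b"\x30\x82\x01\x22" + bytes(290)).decode()
GOOD = [RECORD[:255], RECORD[255:]]   # split at the 255-byte string limit
CUT = [RECORD[:255]]                  # second string lost at the DNS host
if __name__ == "__main__":
    print(dkim_query_name(RAW), check_key_record(GOOD), check_key_record(CUT), sep="\n")
```

An "ok" result here only means the record is well formed; a key mismatch after rotation still needs the published key compared against the signer's current key.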

FAQ

What does DKIM signature verification failed mean?

The receiver checked your DKIM signature against DNS and it didn’t verify — or no key was found at the selector.

Can forwarded emails fail DKIM?

Yes — forwarding often rewrites headers or body. That’s expected; not always your DNS.

How do I find which DKIM selector was used?

Read the DKIM-Signature header — the s= tag is the selector name.

My DKIM TXT exists but verification still fails — why?

Truncated or split TXT is a common culprit. The full public key must be published correctly.

Does DKIM failure always bounce email?

No — DMARC can still pass on SPF alignment. DKIM fail alone often means spam folder, not always hard bounce.