DKIM Signature Verification Failed — Fix Guide
You see DKIM fail when DNS has the wrong key, something rewrote the body, or the TXT is missing or chopped — start there.
Key causes
- Key mismatch: old key in DNS, new key signing (or vice versa) — see key rotation
- Message altered: mailing lists, forwarders, or gateways change body or headers
- Wrong selector: s= in DKIM-Signature does not match DNS — see selectors
- Truncated TXT: DNS provider limits or split-string errors
How to diagnose
Paste the email headers into the DomainPreflight Email deliverability tool, then use DNS Preflight to cross-check the DKIM TXT record at s._domainkey.d, where s is the selector and d is the signing domain.
Steps
Step 1 Export full headers from a failing message
Step 2 Read DKIM-Signature for s= (selector) and d= (signing domain)
Step 3 Look up s._domainkey.d in DNS Preflight
Step 4 Confirm the published key matches what your provider uses for signing
Step 5 Paste headers into Email for structured analysis
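Steps 2 to 4 can also be checked offline. The Python below is an added example, not DomainPreflight's code: it derives the DNS name from a DKIM-Signature value, joins a multi-string TXT record, and flags a chopped p= key by comparing the decoded length with the DER length header. The header, the selector sel2024, the domain example.com and the key bytes are constructed sample data.

```python
import base64, binascii, re

def parse_tags(value):
    """Parse a DKIM tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_dns_name(signature_value):
    """Steps 2-3: build <s>._domainkey.<d> from a DKIM-Signature header value."""
    tags = parse_tags(signature_value)
    return f"{tags['s']}._domainkey.{tags['d']}"

def join_txt(rdata):
    """Concatenate the quoted strings of a TXT record with nothing in between."""
    return "".join(re.findall(r'"([^"]*)"', rdata))

def check_key(txt):
    """Classify p=: ok, revoked, missing p=, malformed base64, not DER, truncated, trailing data."""
    tags = parse_tags(txt)
    if "p" not in tags:
        return "missing p="
    p = tags["p"]
    if not p:
        return "revoked"  # an empty p= means the key was revoked
    try:  # decode the longest 4-aligned prefix so a chopped value still yields its header
        der = base64.b64decode(p[: len(p) // 4 * 4], validate=True)
    except binascii.Error:
        return "malformed base64"
    if len(der) < 4 or der[0] != 0x30:
        return "not DER"
    n = der[1] & 0x7F if der[1] & 0x80 else 0  # long-form length uses n extra bytes
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    if len(p) % 4 or len(der) < 2 + n + length:
        return "truncated"
    return "ok" if len(der) == 2 + n + length else "trailing data"

# Constructed sample data: the header and the key bytes are not real.
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
                 "\ts=sel2024; h=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=")
_DER = b"\x30\x82\x01\x22" + bytes(290)  # valid outer DER length, zero-filled body
_REC = "v=DKIM1; k=rsa; p=" + base64.b64encode(_DER).decode()
GOOD_RDATA = f'"{_REC[:255]}" "{_REC[255:]}"'   # correct multi-string TXT
CHOPPED_RDATA = f'"{_REC[:255]}"'                # only the first 255-character string survived

if __name__ == "__main__":
    print(dkim_dns_name(SAMPLE_HEADER))
    for rdata in (GOOD_RDATA, CHOPPED_RDATA):
        print(check_key(join_txt(rdata)))
```

This only detects a chopped or malformed record; confirming that the key matches the signer (Step 4) still means comparing it with the key your provider shows.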
FAQ
What are the most common causes?
Key mismatch, body modification (lists/forwarders), wrong selector, truncated TXT.
Why do mailing lists break DKIM?
They often change content so the body hash no longer matches.
Rotation mistakes?
Removing DNS before switching signing, or publishing the wrong selector.
Truncated records?
Very long keys need correct multi-string TXT formatting.
Forwarding?
Intermediate hops may break the original signature; DMARC may still use other auth if present.