Fixing DKIM Signatures That Fail Verification
Fix DKIM signature failures by checking selectors, DNS public keys, provider signing, message modification and DMARC alignment.
Introduction
A DKIM signature failure means the receiving mail server could not verify the cryptographic signature on your message. DKIM adds a digital signature to outgoing email, covering selected headers and a hash of the body, so receivers can confirm the message was not altered in transit and that it was signed by a holder of the private key matching the public key you publish in DNS.
DKIM failures are usually caused by a missing or incorrect DNS record, the wrong selector, signing disabled on the mail server, a provider key rotation not reflected in DNS, or message modification by forwarding services. Fixing DKIM requires matching the selector, DNS record and signing configuration to your actual sending provider.
Quick answer
DKIM signature fail means the receiver could not verify the message signature against the public key in DNS. Find the selector in message headers, confirm the TXT or CNAME record exists at selector._domainkey.yourdomain.com, ensure DKIM signing is enabled in your mail provider, republish DNS after key rotation, and avoid forwarding that modifies signed content.
What DKIM signature fail means
DKIM uses a key pair. Your mail provider signs each message with a private key. The matching public key is published in DNS at a hostname built from the selector and your domain: selector._domainkey.example.com. Receivers fetch that record and verify the signature in the message headers.
When verification fails, one of these is usually wrong:
- the selector in the message does not match any published DNS record
- the TXT or CNAME record is missing or published on the wrong hostname
- the public key in DNS does not match the private key signing mail
- DKIM signing is disabled in the mail provider or server settings
- the provider rotated keys but DNS still shows the old public key
- the message body or signed headers were modified after signing
- email forwarding altered content and broke the signature
- a CNAME points to the wrong target or a TXT record is truncated
- multiple providers sign with different selectors but only one is in DNS
TXT and CNAME records both work for DKIM, because the receiver simply follows a CNAME to the TXT record the provider hosts. Google Workspace and many hosts give you a TXT record with the public key inline. Services like SendGrid, Mailgun and Amazon SES often give you CNAME records that point to the provider’s hosted key. Always follow your provider’s exact format, and never publish both a TXT and a CNAME at the same selector hostname: DNS does not allow a CNAME to coexist with other records at the same name.
TXT record:
default._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
CNAME record:
s1._domainkey.example.com CNAME s1.domainkey.u123456.wl.sendgrid.net
The selector appears in the DKIM-Signature header (s= tag). Use that exact value when running DKIM Checker.
If your provider rotated DKIM keys, publish the new selector in DNS before signing switches to it, and keep the old selector published for a while afterwards, because messages signed with the old key can still be in transit or queued for retry. Running two selectors during rotation prevents verification gaps.
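The TXT-record problems above (a key split across quoted strings, a key cut off by the DNS panel, a revoked empty p=) are easiest to understand by doing what a verifier does with the record. The following Python is an added example, not code from this guide or from any mail provider: it joins the TXT strings, splits the tag list, base64-decodes p= and walks the DER of the RSA key far enough to size the modulus, which is how a truncated key is caught even when the base64 still decodes. The key it checks is a constructed SubjectPublicKeyInfo with a filler modulus, built only so the parser has a realistically shaped 2048-bit record to work on; it is not a real key.

```python
"""Offline sanity check of a DKIM public-key TXT record.

Added example, not code from the guide or any provider. It does what a verifier
does with the TXT answer for selector._domainkey.<domain>: join the quoted strings,
split the tag=value list and decode p=. The key is a constructed SubjectPublicKeyInfo
with a filler modulus, built only so the DER walk has a realistic shape to parse.
"""
import base64
import binascii
import re

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_spki() -> bytes:
    """Constructed 2048-bit-shaped RSA key: filler modulus, e=65537. Not a real key."""
    modulus = b"\x00\xc3" + b"\x5a" * 255  # leading 00 keeps the DER INTEGER positive
    rsa_public_key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL params
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def split_for_txt(record: str, limit: int = 255) -> list[str]:
    """A TXT character-string holds at most 255 bytes; long keys need several."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def parse_tags(record: str) -> dict[str, str]:
    """tag=value list of the joined record; whitespace inside values is dropped."""
    tags = {}
    for item in record.split(";"):
        if not item.strip():
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item.strip()!r}")
        name, value = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def _tlv(buf: bytes, pos: int):
    """Read one DER element; raise if its declared length runs past the data."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError(f"declared length {length} exceeds data: truncated key")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and size the modulus."""
    tag, body, end = _tlv(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("outer SEQUENCE does not span the key: truncated or trailing bytes")
    alg_tag, alg, pos = _tlv(body, 0)
    if alg_tag != 0x30 or RSA_ENCRYPTION_OID not in alg:
        raise ValueError("algorithm is not rsaEncryption")
    bs_tag, bitstring, _ = _tlv(body, pos)
    if bs_tag != 0x03:
        raise ValueError("expected BIT STRING for the public key")
    _, rsa_key, _ = _tlv(bitstring[1:], 0)  # skip the unused-bits byte
    _, modulus, _ = _tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(txt_strings: list[str]) -> dict:
    """Return {'ok', 'problems', 'key_bits'} for the TXT answer of one selector."""
    problems, key_bits = [], None
    try:
        tags = parse_tags("".join(txt_strings))  # verifiers concatenate the strings
    except ValueError as exc:
        return {"ok": False, "problems": [str(exc)], "key_bits": None}
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        problems.append(f"unexpected version {tags['v']!r}")
    if "p" not in tags:
        problems.append("no p= tag: this is not a DKIM key record")
    elif tags["p"] == "":
        problems.append("empty p=: key is revoked, every signature made with it fails")
    elif tags.get("k", "rsa") != "rsa":
        problems.append(f"key type k={tags['k']} is not checked by this example")
    else:
        try:
            der = base64.b64decode(tags["p"], validate=True)
            key_bits = rsa_modulus_bits(der)
            if key_bits < 1024:  # RFC 8301: verifiers must not accept shorter RSA keys
                problems.append(f"{key_bits}-bit RSA key is below the 1024-bit minimum")
        except binascii.Error as exc:
            problems.append(f"p= is not valid base64 ({exc}): likely truncated or mis-pasted")
        except (ValueError, IndexError) as exc:
            problems.append(f"p= does not decode as an RSA public key: {exc}")
    return {"ok": not problems, "problems": problems, "key_bits": key_bits}


# Constructed record: 18 chars of tags plus 392 chars of base64, so it must be
# published as two TXT strings. Only the first string pasted, or the tail cut
# off by a panel, are the two truncation cases the check reports.
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(build_sample_spki()).decode()
SAMPLE_TXT_STRINGS = split_for_txt(SAMPLE_RECORD)
```

Run `check_dkim_record(SAMPLE_TXT_STRINGS)` to see a clean result with key_bits 2048, then `check_dkim_record(SAMPLE_TXT_STRINGS[:1])` to see the base64 error a half-pasted key produces. Cutting a few dozen characters off the second string still decodes as base64, which is why the DER length check is the one that reports truncation in that case.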
Why this matters
DKIM failure removes an important authentication signal. Receiving servers may trust your mail less or route it to spam, and DMARC is left to rely on SPF alone: DMARC passes when either SPF or DKIM passes with alignment, so a message whose DKIM fails and whose SPF does not pass and align (common after forwarding, which breaks SPF) fails DMARC. For domains with a DMARC quarantine or reject policy, that means legitimate messages are quarantined or rejected.
DKIM also helps receivers detect tampering. A valid signature tells them the message content and key signed headers were not changed after your provider sent it.
How to check
Compare message headers, your mail provider settings and live DNS records.
- Send a test email from the affected service to a mailbox you control.
- Open the message headers and find the DKIM-Signature header added by your provider and the Authentication-Results header added by the receiver.
- Note the selector (s=) and signing domain (d=) from DKIM-Signature, and the result (dkim=pass or dkim=fail) from Authentication-Results.
- Run DKIM Checker with the correct selector and domain.
- Confirm a TXT or CNAME record exists at selector._domainkey.yourdomain.com.
- Compare the public key in DNS with the value shown in your provider admin panel.
- Verify DKIM signing is enabled in your email provider or MTA settings.
- Check whether the message was forwarded — forwarding often breaks DKIM.
- Review recent provider key rotations or DNS migrations.
- After DNS changes, wait for propagation and send another test.
Check your DKIM record
Use DKIM Checker to verify whether your selector publishes a valid public key and whether DNS matches your mail provider.
Common problems
DKIM selector not found in DNS
Severity: High. No TXT or CNAME record exists for the selector shown in the message headers.
Next step: Publish the selector record exactly as your mail provider specifies.
Wrong selector checked
Severity: Medium. DNS has a key for selector s1 but the message was signed with selector s2.
Next step: Read the s= value from DKIM-Signature and check DNS for that exact selector.
DKIM signing disabled
Severity: High. DNS is correct but the mail server is not signing outbound messages.
Next step: Enable DKIM signing in your provider admin panel or MTA configuration.
Provider key rotated without DNS update
Severity: High. The provider generated a new key pair but DNS still publishes the old public key.
Next step: Copy the new public key or CNAME from the provider and update DNS.
Truncated or malformed TXT record
Severity: High. A TXT string holds at most 255 characters, so a long key must be published as several quoted strings that the verifier joins; if the key was cut off by the DNS panel or only part of it was pasted, the p= value will not decode.
Next step: Re-paste the full key from your provider. Some panels require splitting long values into quoted segments; others do it for you.
CNAME points to wrong target
Severity: High. The CNAME target does not match the account or region in your email provider.
Next step: Re-copy the CNAME target from your provider dashboard and replace the DNS entry.
Message modified after signing
Severity: Medium. A mailing list, forwarder or gateway changed headers or body content after DKIM signing.
Next step: Send directly from the provider without forwarding, or configure the forwarder to preserve DKIM.
WordPress plugin sends unsigned mail
Severity: Medium. The website uses PHP mail() or an SMTP server that does not sign with your domain’s DKIM key.
Next step: Route website mail through a provider that supports DKIM signing for your domain.
Multiple selectors, only one published
Severity: Medium. Different services sign with different selectors but DNS only has one key.
Next step: Publish all active selectors or consolidate sending through one authenticated provider.
DKIM passes but DMARC fails alignment
Severity: Medium. The signature is valid but the signing domain (d=) does not align with the From domain.
Next step: Configure the provider to sign with your domain and review DMARC alignment settings.
How to fix
Step 1: Read the DKIM-Signature header
Send a test message to a mailbox you control and note the selector (s=) and signing domain (d=) from DKIM-Signature, and the dkim=pass or dkim=fail verdict from the receiver's Authentication-Results header.
Step 2: Run DKIM Checker
Enter your domain and the selector from the header to see whether DNS publishes a valid public key.
Step 3: Enable signing in your provider
Turn on DKIM signing in Google Workspace, Microsoft 365, SendGrid, Mailgun or your hosting mail panel.
Step 4: Publish the DNS record
Add the TXT or CNAME record at selector._domainkey.yourdomain.com using the exact value from your provider.
Step 5: Handle key rotation
When providers rotate keys, publish the new record before signing switches to it and keep the old selector published until mail signed with the old key has stopped arriving, to avoid verification gaps.
Step 6: Fix website and plugin mail
Configure WordPress SMTP plugins to send through a provider that signs DKIM for your domain.
Step 7: Test after propagation
Wait for DNS to update, send another test and confirm dkim=pass in the received message headers.
Step 8: Confirm DMARC alignment
Verify the signing domain (d=) aligns with your From domain so DMARC can pass on the DKIM axis.
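The header reading in "How to check" and in Steps 1, 2 and 8 can be scripted. The Python below is an added example, not code from this guide: it pulls s= and d= from every DKIM-Signature header, takes the receiver's per-signature verdict from Authentication-Results, builds the selector hostname to query, and tests DMARC alignment in both relaxed and strict mode against the From domain, which is what separates "DKIM fails" from "DKIM passes but does not align". The message is constructed, with one signature from the sending domain whose selector was never published and one from an ESP domain that verifies but does not align. It assumes the organizational domain is the last two labels of a name; real verifiers use the Public Suffix List, so this simplification is wrong for names like example.co.uk.

```python
"""Triage a test message's headers for DKIM results and DMARC alignment.

Added example, not code from the original guide. The message is constructed,
and organizational_domain() is a simplification (no Public Suffix List).
"""
import email
import email.utils
import re

# Constructed sample: the receiver's Authentication-Results plus two signatures.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.org;
    dkim=fail (signature verification failed) header.i=@example.com header.s=google header.b=Q1x2;
    dkim=pass header.i=@esp-mail.example.net header.s=s1 header.b=Zz9a;
    spf=pass smtp.mailfrom=bounce.example.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google;
    h=from:to:subject:date; bh=...; b=...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp-mail.example.net; s=s1;
    h=from:to:subject; bh=...; b=...
From: Alerts <alerts@example.com>
To: ops@example.org
Subject: DKIM test

test body
"""


def _unfold(value: str) -> str:
    """Join folded header lines so tags split across lines parse normally."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def parse_tags(value: str) -> dict[str, str]:
    """DKIM-Signature tag=value list; whitespace inside values is folding, drop it."""
    items = [i for i in _unfold(value).split(";") if "=" in i]
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in (i.split("=", 1) for i in items)}


def parse_authentication_results(value: str) -> list[dict]:
    """Split 'authserv-id; method=result prop=val ...; ...' into per-method dicts."""
    value = re.sub(r"\([^)]*\)", "", _unfold(value))  # comments carry no data
    results = []
    for part in value.split(";")[1:]:  # [0] is the authserv-id
        tokens = part.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.partition("=")[::2] for t in tokens[1:] if "=" in t)
        results.append({"method": method, "result": result, "props": props})
    return results


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels. Real verifiers consult the Public Suffix List."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def dkim_aligned(signing_domain: str, from_domain: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment: strict = exact match, relaxed = same org domain."""
    if mode == "strict":
        return signing_domain.lower() == from_domain.lower()
    return organizational_domain(signing_domain) == organizational_domain(from_domain)


def triage(raw_message: str) -> dict:
    """Per signature: where to look in DNS, the receiver's verdict, and alignment."""
    msg = email.message_from_string(raw_message)
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    verdicts = {}  # (signing domain, selector) -> receiver's dkim= result
    for header in msg.get_all("Authentication-Results", []):
        for res in parse_authentication_results(header):
            if res["method"] != "dkim":
                continue
            props = res["props"]
            domain = (props.get("header.d") or props.get("header.i", "").rpartition("@")[2]).lower()
            verdicts[(domain, props.get("header.s", ""))] = res["result"]

    signatures, actions = [], []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        sig = {
            "d": d, "s": s, "lookup": f"{s}._domainkey.{d}",
            "result": verdicts.get((d, s), "unknown"),
            "aligned_relaxed": dkim_aligned(d, from_domain),
            "aligned_strict": dkim_aligned(d, from_domain, "strict"),
        }
        signatures.append(sig)
        if sig["result"] != "pass":
            actions.append(f"check that {sig['lookup']} publishes the key the provider signs with")
        elif not sig["aligned_relaxed"]:
            actions.append(f"d={d} verifies but does not align with From {from_domain}; "
                           f"configure that provider to sign as {from_domain}")
    return {
        "from_domain": from_domain,
        "signatures": signatures,
        "dmarc_dkim_pass": any(s["result"] == "pass" and s["aligned_relaxed"] for s in signatures),
        "actions": actions,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGE)["actions"]:
        print(line)
```

For the constructed message the result is dmarc_dkim_pass False with two actions: publish google._domainkey.example.com, and have the ESP sign as example.com. Paste the raw headers of your own test message in place of SAMPLE_MESSAGE; the "lookup" value for each signature is the exact hostname to give DKIM Checker or dig.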
Examples
Problem:
dkim=fail (signature verification failed)
Headers show:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=google; ...
DNS check:
dig google._domainkey.example.com TXT → no result
Cause:
DKIM signing is enabled in Google Workspace
but the google selector TXT record was never published.
Fix:
Copy the TXT record from Google Admin → Apps → Google Workspace → Gmail → Authenticate email.
Publish at google._domainkey.example.com.
Verify:
Run DKIM Checker with selector "google".
Send test → headers show dkim=pass.
Examples are illustrative. Selectors, key values and hostnames vary by provider. Always copy values from your own mail provider dashboard.
Frequently asked questions
What does DKIM signature verification failed mean?
The receiving server could not verify the DKIM signature on the message. The public key in DNS may be missing, wrong or the message body may have been altered after signing.
What is a DKIM selector?
The selector is a label that identifies which DKIM key pair signed the message. DNS publishes the public key at selector._domainkey.yourdomain.com.
Should DKIM be a TXT or CNAME record?
Both work. Some providers publish a CNAME pointing to their hosted key; others give you a TXT record with the public key directly. Use the format your provider specifies.
Why does DKIM fail after email forwarding?
Forwarding can modify headers or break the signature. ARC may help on some paths, but forwarding often causes DKIM fail on the final delivery.
Can DKIM pass but DMARC still fail?
Yes. DKIM must also align with the From domain under DMARC. A valid signature on a different domain does not satisfy DMARC alignment.
Do I need to enable DKIM signing in my provider?
Yes. Publishing a DNS record alone is not enough — your mail server or provider must actively sign outgoing messages with the matching private key.
How do I confirm DKIM is fixed?
Send a test email, open headers and look for dkim=pass. Also run DKIM Checker with the correct selector to confirm DNS is published.
Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.