If you received the “DKIM signature is not valid” error, there are problems with your DKIM configuration and you need to fix them now! Invalid DKIM signature errors may occur due to:
- An incorrect DKIM DNS record entry
- Delays in DNS propagation
- Errors found during DKIM signature evaluation
- Potential alterations made to email messages or other reasons.
This blog will focus on some common reasons for the “DKIM signature is not valid” error and some recommendations to get you back on track!
About DKIM Signatures
DKIM or Domain Keys Identified Mail is an email authentication protocol. DKIM helps maintain the legitimacy of email messages by ensuring no changes are made during transfer. This prevents threat actors and man-in-the-middle attackers from altering email content.
A DKIM signature is a header added to email messages so that the recipient’s mail server can authenticate the emails by checking the sender’s DKIM key. This process is based on cryptography-based online security.
Some common tags in a DKIM signature header are as follows:
- v (Version): Specifies the DKIM version being used. For example, “v=DKIM1” indicates DKIM version 1.
- a (Algorithm): Indicates the cryptographic algorithm used to generate the signature. Common algorithms include rsa-sha256 and rsa-sha1. For example, “a=rsa-sha256”.
- d (Domain): Specifies the domain that owns the DKIM key used to generate the signature. For example, “d=example.com”.
- s (Selector): Indicates the specific DKIM key selector used to locate the DKIM public key in the DNS record. For example, “s=dkim2024”.
- h (Signed Headers): Lists the headers that were included in the DKIM signature computation. This ensures that any changes to these headers will cause the signature verification to fail. For example, “h=From:To:Subject:Date”.
- b (Signature): Contains the actual cryptographic signature generated for the complete email message. For example, “b=AbCdEfGhIjKlMnOp…”.
The presence of an erroneous DKIM record or missing DKIM header fields can result in the DKIM signature is not valid error.
When Can DKIM Fail with “Your DKIM Signature is Not Valid’’ Error?
You will see the ‘Your DKIM signature is not valid’ message when DKIM authentication check fails. Here are the common reasons for this failure:
- DKIM signature domain and sender domain don’t align.
- DKIM public key record published in DNS isn’t right.
- DKIM public key record published in DNS isn’t published at all.
- The server fails to reach the sender’s domain DNS zone for lookup. This is a common situation for poor hosting providers.
- The DKIM key’s length is insufficient as 1024, and 2048-bit long keys are supported. When your webmail hosting provider signs emails with smaller DKIM key length, an invalid DKIM signature error occurs.
- Some modifications were made to the message during auto-forward.
All the cases, except the last one, are technical issues that can be resolved by an expert. However, it’s not realistic to avoid the last one as you can’t control the recipients to stop appending compliance footers. So, what can happen when these auto-forwarded messages fail both SPF and DKIM and you’ve set the DMARC policy to ‘reject’?
Earlier it was quite challenging for recipient servers to manage such unauthenticated but legitimate emails. But these days, all the major email service providers or ESPs use Authenticated Received Chain or ARC protocol.
This protocol lets mail servers identify the mail server which managed it previously. This lets them know the authentication assessment steps.
How to Fix the ‘DKIM Signature is Not Valid” Error?
Despite aligning DKIM records, you can see an invalid DKIM signature error. Let’s see what the possible causes for “DKIM signature is not valid” are and how to fix them.
1. Troubleshoot Incorrect DKIM DNS Entries
After you created the DKIM TXT record and added it to the DNS configuration file, if you come across the “DKIM signature is not valid” error, this can be resolved by following these steps:
Steps to Find Errors in Your DKIM Record
- Sign up on PowerDMARC and navigate to the DKIM lookup tool in Power Toolbox.
- Enter your domain name and selector (or leave blank for our platform to auto-detect your selector). Click on the Lookup button.
- Our tool will analyze your DKIM DNS entry and highlight errors in your record syntax.
Fixing the Errors in Your DNS
- Login to cPanel or any DNS management console that you use.
- Click Advance DNS Zone Editor option under Domains.
- Select the domain from the list.
- Go to Edit DNS Records.
- Enter the correct value for the DKIM record by editing the current value.
- Click Save.
2. Wait Out DNS Propagation Delays
You can see errors despite changing the settings in the DNS configuration file. This typically occurs because it takes up to 24 to 48 hours for DNS propagation after you make changes in DNS settings. This varies depending on the TTL value mentioned in the DNS record.
In such scenarios, it’s suggested to wait for 3 to 4 days so that the DNS propagates fully. Meanwhile, you can check the DNS propagation status of the domain using DNS propagation tools or analyzers.
Why Do You See “DKIM-Signature Body Hash Not Verified”?
If you see a DKIM signature’s status as ‘DKIM-signature body hash not verified’ it simply means the calculated hash of the email isn’t in agreement with the body hash value added in the “bh=” tag.
Many business email servers change the inline text to the bottom of incoming emails before the components are broken down. This leads to an invalid body hash, triggering the DKIM-signature body hash not verified error. This eventually causes a failed DKIM and subsequently a failed DMARC check.
In some situations, sources may fail DKIM and DMARC checks because a hacker has tampered with your email’s content. This can also lead to the DKIM-signature body hash not verified error.
Some possible reasons why you see DKIM= neutral (body hash did not verify) are:
- A forwarder, a smart host, or another filtering agent amended email content.
- The signer miscalculated the signature value.
- A malicious actor spoofed the email and signed it without having the correct private key.
- The public key specified in the DKIM-Signature header isn’t correct.
- The public key published by the sender in their DNS isn’t correct.
These are some common reasons that can lead to the DKIM-signature body hash not verified error.
How Can You Investigate the Source?
When you come across the DKIM-signature body hash not verified error, it may be useful to investigate your email source.
- Check if the source belongs to an authorized list of sending sources for your domain.
- Search for the source on the internet.
- Check if it appears on RBL blacklist websites.
- Examine the DMARC forensic reports to see the types of emails sent by the source.
- Search for the documents to setup DMARC correctly if the source is valid.
- Contact the source.
Does DKIM Filter Email?
DKIM doesn’t filter email but the details shared by it help filters used by the receiver’s domain. So, if an email comes from a trusted domain and passes DKIM checks, its spam score may be reduced. If it fails the DKIM check, it’s marked as spam or can be quarantined or have a spam tag added to the subject line.
I’ve Fixed the “DKIM Signature is Not Valid” Error, What Next?
The next steps you can follow to strengthen your DKIM compliance are:
- Subscribe to a DKIM analyzer to monitor your DKIM authentication results
- Enable SPF and DMARC for additional security and accurate evaluations
- Rotate your DKIM keys periodically enhanced protection
I Still Can’t Fix the Error
If the DKIM signature not valid error still persists, get in touch with your email service provider for guidance, or contact us for expert advice on everything email authentication!
- Introducing DKIM2: The Future of Email Security - November 20, 2024
- BreakSPF Attacks: Outsmart the Hackers and Protect Your Email - November 13, 2024
- PowerDMARC Integrates with ConnectWise - October 31, 2024