DKIM Permerror, or DKIM permanent error, can be the result of a failed DKIM verification due to missing header fields. Note that once the DKIM Permerror result is returned, future verification attempts on the same message will also fail unless the sender troubleshoots the problem. DKIM issues can lead to failures in email delivery if your DMARC settings are at p=reject.

What is DKIM Permerror? 

DKIM Permerror is a common error that can occur when you’re setting up DKIM (DomainKeys Identified Mail) in your email program. It may look something like this:

DKIM is a security feature that allows you to digitally sign messages with a private key, and then verify the authenticity of those messages by using your public key. It’s often used with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to make sure that only mail from authorized senders is delivered to recipients’ inboxes. 

The reason you’re receiving this error is that some steps are missing from your setup process. Most often, this happens because you haven’t properly configured your DNS settings or have missed an important step in the configuration process. An erroneous DKIM string that you entered may also contribute to this result.

If you receive this error while setting up DKIM, don’t worry! We’ve got all of our best tips and tricks right here to help you get past it fast.

Possible Reasons for DKIM Permerror

  • DKIM Signature Missing Header Fields

A DKIM signature header is a digital signature created by the sender and added to a message as a way to verify the authenticity of that message. It’s a security measure that ensures emails are coming from the correct source. The receiver can then compare this digital signature with the one they generated themselves to ensure that the email was sent by the correct person or organization.

Mandatory fields:

v= The version of DKIM in use (value=1)

d= the sender’s domain name 

a= This field denotes the key algorithm used to generate the signature with values: rsa-sha256 (for enhanced protection) or rsa-sha1 (for unsupported servers)

s= DKIM selector (an alphanumeric value that may range between 1028 and 2048 bits) to locate the public key in the sender’s DNS.

h= the list of headers that are used in the signing algorithm to compute the hash data of the message headers, which is carried in the b= tag.

b= the computed hash data of the message headers, encoded in a special MIME content transfer encoding called Base64.

bh= the computed hash value of the message body. This field contains an arbitrary string of alphanumeric characters that is generated using the signing algorithm.

If any of these mandatory fields are missing in the DKIM signing header, it will lead to DKIM Permerror. 
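The check described above can be reproduced offline before a message ever reaches a receiver. The following Python sketch is an added example, not code from the original article or from any DKIM library: it parses a DKIM-Signature header value and lists the conditions that would lead to a permerror. The function names and the sample headers are constructed for illustration, and the From-header check comes from RFC 6376 rather than from the list above.

```python
import re

# Tags the article lists as mandatory in a DKIM-Signature header.
MANDATORY_TAGS = ("v", "a", "d", "s", "h", "bh", "b")


def parse_tag_list(header_value):
    """Parse 'tag=value; tag=value' into a dict; raise ValueError on bad syntax."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    tags = {}
    for item in unfolded.split(";"):
        if not item.strip():
            continue  # a trailing ';' is allowed
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError(f"malformed tag: {item.strip()!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # Simplification: strip all whitespace (e.g. folded Base64 in b=/bh=).
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def check_signature(header_value):
    """Return a list of problems that would produce a permerror; empty if none."""
    try:
        tags = parse_tag_list(header_value)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing or empty mandatory tag: {t}="
                for t in MANDATORY_TAGS if not tags.get(t)]
    if tags.get("v") and tags["v"] != "1":
        problems.append(f"unsupported version: v={tags['v']}")
    signed = [h.lower() for h in tags.get("h", "").split(":")]
    # RFC 6376 (not the list above) also requires From to be among the signed headers.
    if tags.get("h") and "from" not in signed:
        problems.append("h= does not include the From header")
    return problems


# Constructed sample headers (not real signatures).
GOOD = ("v=1; a=rsa-sha256; d=example.com; s=selector1;\r\n"
        "\th=from:to:subject:date; bh=Zm9vYmFy;\r\n\tb=YmFyZm9v")
BAD = "v=1; a=rsa-sha256; d=example.com; h=to:subject; b=YmFyZm9v"

if __name__ == "__main__":
    for label, hdr in (("good", GOOD), ("bad", BAD)):
        print(label, check_signature(hdr) or "ok")
```

This only checks the structure of the header; it does not fetch the public key or verify the signature itself.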

  • Erroneous DKIM string

Making sure that your DKIM DNS record is error-free is important in ensuring that you don’t end up with a DKIM permanent error (DKIM Permerror) result. If your DNS settings are controlled by a remote nameserver, you must get in touch with your DNS provider to access the DNS on the remote server and relay changes to configure the correct syntax.

  • Using Spam Appliances

Your spam filters can override DKIM authentication settings on the receiver’s side. This is because spam filters are usually the last line of defense. When your receiver checks the server for the signature, it is essentially checking the last server through which the message was relayed, i.e. your spam appliance. The absence of DKIM keys there will lead to DKIM Permerror.

Troubleshooting DKIM Check: Permerror Result

  1. Create a DKIM record using a DKIM record generator tool – manual implementations are prone to human error. Using an online tool can help you get accurate results. 
  2. Check your configured DKIM record using a DKIM lookup tool – To stay on top of DKIM Permerror, periodically check your record syntax to make sure it is valid and functional. 
  3. If you are coming across this error when using Microsoft O365 or any other third party to send emails and also have your spam appliance in place, it may be a result of your spam filters overriding your Office 365 DKIM policy. Make sure DKIM is enabled on both your spam appliance (which is your last line of defense) as well as your email vendor’s DNS to resolve DKIM Permerror.