DKIM failure for your domain’s messages might be the result of an identifier alignment failure in the DKIM protocol or of problems in your record setup. Today we are going to dive into how the DKIM specification authenticates your domains, why DKIM might be failing for your messages, and how to fix DKIM easily with a step-by-step guide.
What Does DKIM Failure Mean?
If you have DKIM activated for your outbound emails, receiving servers verify the authenticity of the email by checking the signature created with your DKIM private key against the public key published in your DNS. If the signature verifies, DKIM passes for the message; otherwise DKIM fails.
DKIM failure refers to the failed status of your DKIM authentication check, caused either by a mismatch between the domain specified in the DKIM-Signature header and the domain in the From header, or by inconsistencies between the key pair values.
Common Reasons for DKIM Failure
1. Error in DKIM record syntax
If you set up your record manually instead of using a reliable DKIM record generator tool, you may not implement it properly. Syntax errors in your DNS records can lead to authentication failure.
2. DKIM Check for alignment failure
If you have DMARC set up for your domain in addition to DKIM, then during the DKIM check the domain value in the d= field of the DKIM signature in the email header has to align with the domain found in the From address. The alignment can either be strict, wherein the two domains have to be an exact match, or relaxed, which allows an organizational-domain match to pass the check.
A DKIM failure can occur if the DKIM signature header domain doesn’t match the domain found in the From header, which might be a typical case of domain spoofing or impersonation attack.
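To make the strict/relaxed distinction concrete, here is an added Python example (not from the original article) that evaluates DKIM and SPF identifier alignment the way a DMARC verifier does and combines the two results. The small public-suffix set and the sample domains are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption: a real verifier
# uses the full list, https://publicsuffix.org/, to find the organizational domain).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def organizational_domain(domain):
    """Registrable domain, e.g. news.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    # Longest public suffix wins, so "co.uk" is tried before "uk".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)

def aligned(from_domain, auth_domain, mode="r"):
    """DMARC alignment: mode 's' (strict) needs an exact match, mode 'r'
    (relaxed) accepts a shared organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)

def dmarc_result(from_header, dkim_results, spf_domain, spf_pass, adkim="r", aspf="r"):
    """DMARC passes when at least one authenticated identifier is aligned.
    dkim_results: [(d= domain, signature_verified), ...], one per DKIM-Signature.
    spf_domain: the MAIL FROM (return-path) domain SPF was evaluated against."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    dkim_ok = any(ok and aligned(from_domain, d, adkim) for d, ok in dkim_results)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, aspf)
    return {"dkim_aligned_pass": dkim_ok, "spf_aligned_pass": spf_ok, "dmarc": dkim_ok or spf_ok}

if __name__ == "__main__":
    # Bulk-mail subdomain signs with d=news.example.com for a From of example.com:
    # relaxed alignment passes, strict would not.
    print(dmarc_result("Alerts <noreply@example.com>", [("news.example.com", True)], "bounce.example.com", True))
    # Valid signature, but d= is the vendor's own domain: DKIM is unaligned, so
    # DMARC depends entirely on SPF, which here is unaligned too.
    print(dmarc_result("Alerts <noreply@example.com>", [("mailer-vendor.net", True)], "mailer-vendor.net", True))
```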
3. You have not set up DKIM for your third-party email vendors
If you use several third-party email vendors to send emails on behalf of your organization, you need to get in touch with them for instructions on how to activate DKIM for your outbound emails. If you are using your own custom domains or subdomains registered on this third-party service to send emails to your customers, be sure to request your vendor to handle DKIM for you.
Ideally, if your third-party vendor handles your outbound email, they will set your domain up by publishing a DKIM record on their DNS using a DKIM selector that is unique to you, without any action required on your part.
OR,
You can generate a DKIM key pair and hand over the private key to your email vendor while publishing the public key on your own DNS.
Misconfigurations in either approach can lead to DKIM failure, so communicate openly with your service provider regarding your DKIM setup.
Note: Some third-party exchange servers insert formatted footers into the message body. If these servers act as intermediaries in an email forwarding process, the appended footer can contribute to DKIM failure.
4. Problems in server communication
In certain situations, the email might be sent from a server that has DKIM disabled on it. In such cases, DKIM will fail for that email. It is important to ensure that communicating parties have DKIM properly activated.
5. Modifications in message body by Mail Transfer Agents (MTAs)
Unlike SPF, DKIM doesn’t verify the sender’s IP address or return-path when checking the authenticity of messages. Instead, it ensures that the message content has remained untampered in transit. Sometimes participating MTAs and email forwarding agents alter the message body during line wrapping or content formatting, which can lead to a DKIM fail.
Formatting an email’s content is usually an automated process to ensure the message is easily comprehensible for each recipient.
6. DNS outage / DNS downtime
This is a common reason for DKIM failures. DNS outage may occur due to a variety of reasons including denial of service attacks. Routine maintenance of your name server may also be the reason behind a DNS downtime. During this (usually short) period of time, recipient servers cannot perform DNS queries.
Since your DKIM public key lives in your DNS as a TXT (or CNAME) record, the receiving server performs a DNS lookup against the sender’s zone to fetch the public key during authentication. During an outage this lookup cannot complete, which may break DKIM.
7. Using OpenDKIM
An open-source DKIM implementation known as OpenDKIM is commonly used by mailbox providers like Gmail, Outlook, Yahoo, etc. OpenDKIM connects with the mail server through port 8891 during verification. Sometimes errors are caused by incorrect permissions, due to which your server is unable to bind to its socket.
Check the socket directory to make sure permissions are set correctly, and that a directory for the socket exists at all.
Different DKIM Authentication Failed Results
1. Authentication Result: dkim=neutral (bad format)
Auto-generated line breaks in your DKIM record can prompt the error message dkim=neutral (bad format). When the email validator joins the broken-up resource records during verification, it produces a wrong value. A possible solution is to use 1024-bit DKIM keys (as opposed to 2048-bit) to fit within the 255-character DNS limit.
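As an added example (not part of the original article), the Python below shows the defender-side handling of the 255-character limit: splitting a long record into multiple quoted strings, re-joining them as a verifier does, and parsing the result to catch the conditions that surface as “bad format”. The sample key bytes are constructed, not a real key.

```python
import base64
import binascii
import re

MAX_STRING = 255  # one TXT character-string carries at most 255 octets

def split_txt(record):
    """Zone-file form: break a long value into quoted strings of <= 255 octets.
    Resolvers return all strings; the verifier concatenates them."""
    chunks = [record[i:i + MAX_STRING] for i in range(0, len(record), MAX_STRING)]
    return " ".join('"%s"' % c for c in chunks)

def join_txt(zone_value):
    """Verifier side (RFC 6376 section 3.6.2.2): concatenate the strings with
    no separator. Inserting a space or newline here is what yields a bad key."""
    return "".join(re.findall(r'"([^"]*)"', zone_value))

def parse_dkim_record(value):
    """Parse tag=value pairs; raise ValueError for what receivers report as
    'bad format': a field without '=', a missing p=, or undecodable base64."""
    tags = {}
    for field in value.split(";"):
        if not field.strip():
            continue
        if "=" not in field:
            raise ValueError("bad format: field without '=': %r" % field)
        k, v = field.split("=", 1)
        tags[k.strip()] = v.strip()
    if "p" not in tags:
        raise ValueError("bad format: missing p= tag")
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except binascii.Error as e:
        raise ValueError("bad format: p= is not valid base64 (%s)" % e)
    tags["_key_bytes"] = len(key)
    return tags

def is_well_formed(value):
    try:
        parse_dkim_record(value)
        return True
    except ValueError:
        return False

# Constructed sample: 294 arbitrary bytes, the DER length of a 2048-bit RSA
# public key, so the record (410 chars) exceeds a single 255-octet string.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + SAMPLE_KEY_B64
# A key broken by a stray line break inside p= (the 'auto-generated line break' case).
BROKEN_RECORD = "v=DKIM1; k=rsa; p=" + SAMPLE_KEY_B64[:200] + "\n" + SAMPLE_KEY_B64[200:]
```

Publishing `split_txt(SAMPLE_RECORD)` keeps the full 2048-bit key intact, whereas `BROKEN_RECORD` fails parsing exactly as the neutral (bad format) result describes.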
2. Authentication Result: dkim=fail (bad signature)
This result typically arises because a third party modified content within the message body, so that the DKIM signature header no longer matches the email’s body.
3. Authentication Result: dkim=fail (DKIM-signature body hash not verified)
“DKIM-signature body hash not verified” and “DKIM signature body hash did not verify” are two alternative results returned by receiving servers for the same error, which means the DKIM body hash value (the bh= tag) no longer matches because the body has somehow been altered in transit. Even if your DKIM key pair is set up correctly and you have a valid public key published in your DNS, minor modifications to the message, such as the insertion of spaces or special characters, change the computed hash value and make body hash verification fail DKIM.
The bh= tag value may be altered due to the following reasons:
- Intermediary servers responsible for changing mail content
- Addition of email footers by your email service provider
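The following added Python example (not the article’s own code) shows how the bh= value discussed here and under reason 5 above is computed, and why relaxed canonicalization survives whitespace-only reflowing by an MTA while an appended footer does not. The messages are constructed samples.

```python
import base64
import hashlib
import re

def canonicalize_body(body, algorithm="relaxed"):
    """RFC 6376 body canonicalization. 'simple' only removes trailing empty
    lines; 'relaxed' also collapses runs of whitespace and strips trailing
    whitespace on each line, so harmless reflowing survives. Input uses CRLF."""
    lines = body.split("\r\n")
    if algorithm == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:  # empty body: simple yields one CRLF, relaxed yields nothing
        return "" if algorithm == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"

def body_hash(body, algorithm="relaxed"):
    """The bh= tag: base64(SHA-256(canonicalized body)), for rsa-sha256."""
    canon = canonicalize_body(body, algorithm).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def body_hash_verifies(signed_bh, received_body, algorithm="relaxed"):
    """Receiver side: recompute bh= over the body as received and compare."""
    return body_hash(received_body, algorithm) == signed_bh

# Constructed messages (not from any real mail flow).
ORIGINAL = "Hello team,\r\n\r\nPlease  review the attached report.\r\n"
# Whitespace-only changes of the kind a reflowing MTA makes.
REFLOWED = "Hello team,\r\n\r\nPlease review the attached report.  \r\n\r\n\r\n"
# A footer appended by an intermediary gateway.
FOOTERED = ORIGINAL + "\r\n--\r\nThis message was scanned by ExampleGateway.\r\n"

if __name__ == "__main__":
    bh_relaxed = body_hash(ORIGINAL, "relaxed")
    bh_simple = body_hash(ORIGINAL, "simple")
    print("relaxed, reflowed:", body_hash_verifies(bh_relaxed, REFLOWED, "relaxed"))  # True
    print("simple, reflowed: ", body_hash_verifies(bh_simple, REFLOWED, "simple"))    # False
    print("relaxed, footer:  ", body_hash_verifies(bh_relaxed, FOOTERED, "relaxed"))  # False
```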
4. Authentication Result: dkim=fail (no key for signature)
This error may be the result of an invalid or missing public key in your DNS. Make sure both your public and private DKIM keys match and are set up correctly. Are you sure your DKIM DNS record is published and valid? Check it now using our free DKIM record checker.
How to stop a DKIM failure for your messages
It is not possible to address all the issues mentioned above, simply because not all of them can be bypassed. However, we have assembled some useful tips you can apply to minimize your chances of a DKIM fail.
How do I fix DKIM failure?
- Generate your DKIM record using a trusted and notable generator tool for accurate results, and always copy-paste your values to avoid errors
- Check your DKIM record for gaps and errors
- Implement SPF and DMARC for an additional layer of security against domain spoofing and impersonation. DMARC needs either SPF or DKIM to pass for messages to pass validation, so if your DKIM fails but SPF passes, your messages will still pass DMARC and get delivered.
- Enable DMARC reporting for your domains
- Monitor your DKIM failure reports and authentication results on a dedicated DMARC reader dashboard
- Have a detailed discussion with your email vendors regarding DKIM setup, whether they support the protocol and how they handle it
- Get expert advice on your email authentication setups from our team of DMARC specialists by signing up for a free DMARC trial with our analyzer
Note that we have covered some common DKIM failure prompts and their probable causes, along with possible solutions for each. However, errors might pop up for various underlying reasons specific to your domain and servers that have not been covered in this article.
You must build up sufficient knowledge of authentication protocols before you implement them at your organization or enforce your policies. A DKIM fail, or a failure in SPF or DMARC validation, can impact your email’s deliverability.
Email auto-forwarding and DKIM Vs SPF
In auto-forwarded emails, email headers get modified because of the involvement of one or more intermediary servers. The forwarded message takes on the header information of this third-party intermediary server, which may or may not be included as an authorized sending source in the SPF record of the original sender.
If it is not included, SPF will fail for that message.
Since DKIM signatures are included in the email body, forwarding has no effect on DKIM. This is why setting up DKIM on top of your existing SPF policy can help you avoid unwanted authentication failures for your forwarded messages.
Fixing the issue without DKIM
Setting up DKIM along with SPF is a recommended practice; however, it is not mandatory.
- If you don’t want to set up DKIM for your domains, yet you want to resolve SPF failure for your forwarded emails, you can use a method called email redirection. Redirecting your emails preserves the original headers of your messages.
- Else, you can also make sure that you include the IP addresses of all intermediary servers participating in the forwarding process in your domain’s SPF record.
What is DKIM and why do you need to set it up?
DKIM is an email authentication system that helps you verify the legitimacy of your sending sources along with ensuring that the content of your email has stayed unaltered throughout the delivery process.
If we are to speak about why we need a DKIM setup for our emails, we need to talk about how email can become a vector for carrying out fraudulent activities. Impersonation attacks ranging from phishing to domain spoofing, as well as malware infections, can be carried out through fake emails. This is why enterprises need to set up a filtering system to authenticate email senders. By doing so they are not only protecting their own reputation but also preventing millions of users from falling prey to email scams. DKIM failure, as you’ll read below, is when your private key doesn’t match the public key.
DKIM is one such email verification system that uses a hash value (private key) to sign email information that is matched against the public key lodged in the sender’s DNS. Emails digitally signed with a DKIM signature bear a high level of protection against any alteration by a malicious third party.
DKIM Failure FAQs
1. What senders are failing DKIM?
Failure is typical for senders who:
- configure the protocol improperly
- use 2048-bit keys with email providers that don’t support them
- have their email contents altered by a third-party intermediary during message transfer
2. Can DMARC pass if DKIM doesn’t?
Yes, provided that SPF passes for the email. If you have configured DMARC and aligned emails against both the SPF and DKIM mechanisms, you need to pass only one of the checks (either SPF or DKIM) to pass DMARC. However, if your DMARC alignment relies only on DKIM authentication, DMARC will fail and so will DKIM.