Once you’re familiar with what DKIM is, you will want to know what to do when your DKIM signature is not valid. This can happen because of an incorrect entry in the DNS record, a DNS propagation delay, or other reasons, and this blog focuses on those causes.

Why Your DKIM Signature is not valid

A DKIM signature is a header added to email messages so that the recipient’s mail server can authenticate them by checking the signature against the sender’s published DKIM public key. The process relies on public-key cryptography. An erroneous DKIM DNS record or missing DKIM header fields can result in the “DKIM signature is not valid” error.

When does DKIM fail the check?

You will see the ‘Your DKIM signature is not valid’ message when the DKIM authentication check fails. Here are the common reasons for this failure:

  • The DKIM signature domain (the d= tag) and the sender domain don’t align.
  • The DKIM public key record published in DNS is wrong.
  • The DKIM public key record isn’t published in DNS at all.
  • The receiving server fails to reach the sender’s DNS zone for the lookup. This is common with poor hosting providers.
  • The DKIM key is too short: 1024- and 2048-bit keys are supported, so when your webmail hosting provider signs emails with a shorter key, the signature is reported as invalid.
  • The message was modified during auto-forwarding.
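The first five causes can be checked from the sending side before a receiver ever reports them. The script below is an added example (not code from the original post): it checks DKIM d= / From alignment the way DMARC does, then inspects a selector’s TXT record for a missing or empty p= tag, a mis-copied value, and an RSA modulus shorter than 1024 bits. Everything in it is constructed: the records, the placeholder moduli (which are not real keys), the two-label approximation of the organizational domain, and the tiny DER encoder/decoder that stands in for a crypto library.

```python
import base64

# Added example, not code from the original post: sender-side checks for the
# failure causes listed above (d=/From alignment, missing or broken TXT record,
# key too short). Every record and modulus below is a constructed placeholder.

RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"  # rsaEncryption 1.2.840.113549.1.1.1

def tags(value):
    """Parse a DKIM tag=value list; folding whitespace inside a value is dropped."""
    return {k.strip(): "".join(v.split())
            for k, v in (item.split("=", 1) for item in value.split(";") if "=" in item)}

def org_domain(domain):
    # Assumption for the example: the registrable domain is the last two labels.
    # A real DMARC verifier consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_aligned(from_domain, d_tag, mode="r"):
    """DMARC alignment of the DKIM d= domain with the From domain (adkim=s or adkim=r)."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == d_tag.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(d_tag)

def _der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample records)."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + content

def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)   # keep INTEGER positive

def rsa_spki(n, e=65537):
    """DER SubjectPublicKeyInfo for an RSA key: what the p= tag carries, base64-encoded."""
    key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + key))

def _der_read(buf, pos=0):
    """Decode one DER TLV; returns (tag, content, next position). Rejects truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER structure")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Size in bits of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, outer, _ = _der_read(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must start with a SEQUENCE")
    _, algid, pos = _der_read(outer)
    if not algid.startswith(RSA_OID):
        raise ValueError("public key is not rsaEncryption")
    _, bitstring, _ = _der_read(outer, pos)
    _, rsa_key, _ = _der_read(bitstring[1:])   # bitstring[0] is the unused-bits count
    _, modulus, _ = _der_read(rsa_key)         # first INTEGER of RSAPublicKey is n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt):
    """List the problems a verifier would hit with the TXT at selector._domainkey.domain."""
    if txt is None:
        return ["no DKIM record published for this selector"]
    t = tags(txt)
    problems = []
    if t.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if t.get("k", "rsa") != "rsa":
        problems.append("this check only handles k=rsa, got k=" + t["k"])
    if not t.get("p"):
        return problems + ["p= is empty: key revoked or record mis-copied"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(t["p"], validate=True))
    except (ValueError, IndexError) as exc:   # binascii.Error is a ValueError subclass
        return problems + ["p= is not a valid base64 DER public key: %s" % exc]
    if bits < 1024:
        problems.append("%d-bit key is below the 1024-bit minimum verifiers accept" % bits)
    return problems

# Constructed sample records (moduli are placeholder integers, not real keys).
GOOD_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 2047) | 1)).decode()
SHORT_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 511) | 1)).decode()
REVOKED_RECORD = "v=DKIM1; k=rsa; p="
TRUNCATED_RECORD = GOOD_RECORD[:-40]      # what a DNS editor that cut the string leaves behind

if __name__ == "__main__":
    for name, rec in [("good", GOOD_RECORD), ("short", SHORT_RECORD), ("revoked", REVOKED_RECORD),
                      ("truncated", TRUNCATED_RECORD), ("missing", None)]:
        print("%-9s %s" % (name, check_dkim_record(rec) or "OK"))
    print("aligned (relaxed):", dkim_aligned("example.com", "mail.example.com"))
```

To run this against a real selector, fetch the TXT value with your resolver (for example `dig +short TXT selector._domainkey.example.com`, joining the quoted strings) and pass it to `check_dkim_record`; a truncated value is the typical symptom of a DNS UI that silently cut a long p= string, and it is reported here as an invalid DER key rather than passing by accident because `_der_read` refuses truncated structures.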

All of these cases except the last are technical issues that an expert can resolve. The last one can’t realistically be avoided, because you can’t control the recipients and stop them from appending compliance footers. So what happens when these auto-forwarded messages fail both SPF and DKIM while your DMARC policy is set to ‘reject’?

Earlier, it was quite challenging for recipient servers to handle such unauthenticated but legitimate emails. These days, all the major email service providers (ESPs) use the Authenticated Received Chain (ARC) protocol.

ARC lets each mail server record the authentication results it observed and identify the server that handled the message before it, so the final receiver can see the authentication assessment at each step of the chain.

General DKIM Signature is not valid Errors & Fixes

Even with DKIM records aligned, you can still see an invalid DKIM signature error. Let’s look at the possible causes of “DKIM signature is not valid” and how to fix them.

1. Incorrect DNS Entry

After you have created the DKIM TXT record and added it to the DNS configuration, you may still see the DKIM signature not valid error in cPanel. This can be resolved by following these steps:

  • Log in to cPanel.
  • Click the Advanced DNS Zone Editor option under Domains.
  • Select the domain from the list.
  • Go to Edit DNS Records and check the TXT record.
  • Enter the correct value for the DKIM record.
  • Save the record; the change is then visible.

2. DNS Propagation Delay

You may still see errors after changing the settings in the DNS configuration. This typically happens because DNS propagation can take up to 24 to 48 hours after you change DNS settings; the exact time depends on the TTL value set in the DNS record.

In such scenarios, it’s suggested to wait for 3 to 4 days so that the DNS propagates fully. Meanwhile, you can check the propagation status of the domain’s record using DNS propagation tools or analyzers.

Why Do You See DKIM=Neutral (DKIM Permfail “Body Hash Did Not Verify”)?

If you see a DKIM signature’s status as ‘body hash not verified’, it simply means the hash the receiver calculated over the email body doesn’t match the body hash value the signer placed in the “bh=” tag. Many business email servers append inline text to the bottom of incoming emails before the message is handed on for verification. This changes the body hash, so the DKIM check fails and, eventually, the DMARC check fails too.

Sources can also fail DMARC checks because a hacker has been sending malicious emails using your domain. So you should thoroughly examine all sources listed in the failed section to determine whether each is valid or malicious. If a genuine source has landed in the failed section, set up and align SPF and DKIM for it properly.

Some possible reasons why you see DKIM=neutral (body hash did not verify) are:

  • A forwarder, a smart host, or another filtering agent amended the email content.
  • The signer miscalculated the signature value.
  • A malicious actor spoofed the email and signed it without having the correct private key.
  • The public key referenced by the DKIM-Signature header (its d= and s= tags) isn’t correct.
  • The public key published by the sender in their DNS isn’t correct.
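The paragraph on body hashes and the first item in the list above are easiest to see with the receiver’s own arithmetic. The script below is an added example (not code from the original post): it implements the two DKIM body canonicalizations and the bh= computation from RFC 6376, then verifies a constructed message once as sent and once after a forwarding gateway has appended a footer. The message, the footer and the DKIM-Signature header are all constructed, and the header’s b= value is left out because only the body hash is examined.

```python
import base64
import hashlib
import re

# Added example, not code from the original post: the body-hash (bh=) half of
# DKIM verification (RFC 6376), run against a constructed message that a
# forwarding gateway then appends a footer to.

def canonicalize_body(body, mode="relaxed"):
    """Apply DKIM 'simple' or 'relaxed' body canonicalization (RFC 6376 §3.4.3 / §3.4.4)."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("body canonicalization must be simple or relaxed")
    body = re.sub(rb"\r?\n", b"\r\n", body)            # constructed samples may use bare LF
    if mode == "relaxed":                               # collapse WSP runs, drop trailing WSP
        lines = body.split(b"\r\n")
        body = b"\r\n".join(re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines)
    while body.endswith(b"\r\n\r\n"):                   # both modes ignore trailing empty lines
        body = body[:-2]
    if body == b"\r\n":
        body = b""
    if body == b"":
        return b"\r\n" if mode == "simple" else b""     # empty body: one CRLF (simple) or nothing
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def parse_tags(header_value):
    """Parse a DKIM tag=value list; folding whitespace inside values is dropped."""
    return {k.strip(): "".join(v.split())
            for k, v in (item.split("=", 1) for item in header_value.split(";") if "=" in item)}

def body_hash(body, mode="relaxed", length=None):
    """Base64 SHA-256 over the canonicalized body, i.e. the value that goes into bh=."""
    canon = canonicalize_body(body, mode)
    if length is not None:                  # l= tag: only the first `length` bytes are covered
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def verify_body_hash(body, dkim_signature):
    """Recompute bh= from the received body; returns (matches, computed, expected)."""
    t = parse_tags(dkim_signature)
    if not t.get("a", "rsa-sha256").endswith("sha256"):
        raise ValueError("this example only handles sha256 signatures")
    c = t.get("c", "simple/simple")
    body_mode = c.split("/")[1] if "/" in c else "simple"   # a lone c=header means body=simple
    length = int(t["l"]) if "l" in t else None
    computed = body_hash(body, body_mode, length)
    return computed == t.get("bh", ""), computed, t.get("bh", "")

# Constructed message body and the DKIM-Signature the sender would have attached.
ORIGINAL_BODY = b"Hi team,\r\n\r\nThe Q3 report is  attached.\r\n\r\nThanks\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
             " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY, "relaxed") + ";\r\n"
             " b=<omitted: only the body hash is checked here>")
# Constructed footer of the kind a forwarding gateway or list server appends.
FOOTER = b"\r\n--\r\nThis message was scanned by the Example Corp mail gateway.\r\n"

def demo():
    """Returns (verdict before forwarding, verdict after a footer was appended)."""
    before, _, _ = verify_body_hash(ORIGINAL_BODY, SIGNATURE)
    after, _, _ = verify_body_hash(ORIGINAL_BODY + FOOTER, SIGNATURE)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    for label, ok in (("before forwarding", before), ("after footer", after)):
        print("%-18s dkim=%s" % (label + ":", "pass" if ok else "fail (body hash did not verify)"))
```

Two things worth noticing when you run it. Relaxed canonicalization forgives whitespace changes (double spaces, trailing blanks, extra blank lines at the end), which is why most senders use c=relaxed/relaxed, but it cannot forgive appended text: the footer changes the hash and the verdict flips to fail. The l= tag would hide the footer by hashing only the original length, and RFC 6376 discourages it for exactly that reason: a receiver can no longer tell what was appended after signing.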

How Can You Investigate the Source?

  • Check whether the source belongs to a partner of your company.
  • Search for the source on the internet.
  • Check whether it appears on RBL blacklist websites.
  • Examine the DMARC forensic reports to see the types of emails the source sends.
  • Look up the documentation for setting up DMARC correctly if the source is valid.
  • Contact the source.

Does DKIM Filter Email?

DKIM doesn’t filter email, but the information it provides feeds the filters used by the receiver’s domain. So if an email comes from a trusted domain and passes the DKIM check, its spam score may be reduced. If it fails the DKIM check, it may be marked as spam, quarantined, or have a spam tag added to the subject line.

Domain owners can’t control what’s included in the DMARC failure report; that is in the users’ hands.

I’ve fixed the DKIM signature is not valid error, what next? 

The next steps you can follow to strengthen your DKIM compliance are:

  1. Use a DKIM analyzer to monitor your DKIM authentication results
  2. Enable SPF and DMARC
  3. Rotate your DKIM keys periodically 

I still can’t fix the error

If the ‘DKIM signature is not valid’ error still persists, get in touch with your email service provider for guidance, or contact us for expert advice on everything email authentication!