Troubleshooting DKIM

The success of DomainKeys Identified Mail (DKIM) authentication verification depends on both the sender and the mailbox provider working together to properly configure and implement DKIM signing and verification.

On the sender side, there are two areas of focus to determine the root cause of a DKIM error: the DKIM selector record within DNS and the DKIM signing server.

DKIM verification errors may also be caused by the mailbox provider during the verification process. It’s important that you first validate that you have everything set up correctly before you determine if the error is due to the mailbox provider.  

Before you learn different ways to troubleshoot DKIM errors, here’s a tip: A common cause for DKIM verification errors is a missing or misconfigured private or public key. In order for DKIM to work correctly, both of these keys must be present. In some cases, simply regenerating the public and private key pair can resolve the issue and save time troubleshooting.

Steps to troubleshoot

If the tip above doesn’t work, here are some detailed steps to troubleshoot DKIM:

  1. Determine who has access to and controls signing DKIM for your email program and determine who has authority over DNS for your domain. Talk to your IT department, your email administrator or your Email Service Provider (ESP). Many ESPs provide DKIM authentication as a service and might be able to help you troubleshoot.
  2. Use Inbox Monitor to locate an email campaign and check the Issues column on the far right that indicates a DKIM issue for that campaign. Use this campaign to view the email header to see the DKIM error message from the mailbox provider.
  3. Select the subject line for that campaign to view the deliverability results for each mailbox provider.
  4. Select the details button for a mailbox provider such as Gmail, Yahoo!, Outlook.com or AOL.
  5. If you have subscriber data from Return Path’s data network, select the Seed details link. If you don’t have subscriber data, go to the next step.
  6. Select the Msg Headers icon next to any seed in the inbox or junk folder. (You will not be able to view an email header for a missing seed.)
  7. Search for the authentication-results header to locate the DKIM verification result. The verification result consists of the dkim label (dkim), an equals sign (=), and a result value.
    1. Here’s an example: Authentication-Results: example.domain.com; spf=pass smtp.mailfrom=domain.com; dkim=pass header.i=@domain.com
  8. Write down the DKIM verification result value (dkim=result value).
  9. Repeat steps 4-8 for at least two other mailbox providers. If you used a Gmail header, look at Yahoo!, Outlook.com (Hotmail) or AOL.
    1. If there is a different error result for only one of the mailbox providers, it likely indicates an error by the mailbox provider. Send or check another email message within Inbox Monitor to see if the same error appears for the same mailbox provider. This will help you validate if the error is due to the mailbox provider.
    2. If there are the same error results across multiple mailbox providers, it likely indicates there is an error in the DKIM signing process or within DNS for your domain.
  10. Repeat steps 3-8 for several other campaigns in Inbox Monitor to help determine if the error is consistently coming from a specific mailbox provider. If you don’t see the same error at the mailbox provider, the error may be temporary. Check the next message you send to Inbox Monitor to see if the result was temporary.
  11. If you are seeing errors across all mailbox providers, continue to the next set of steps to troubleshoot the DKIM signing server and DNS configuration.
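
The comparison across mailbox providers described in the steps above can be scripted once you have copied the Authentication-Results headers out. The following is an added example, not part of the original article or of Inbox Monitor; the provider names, header values and the verdict labels are constructed for illustration.

```python
import re

# Match "dkim=<result>" but not other methods that merely end in "dkim".
DKIM_RE = re.compile(r"(?<![\w-])dkim\s*=\s*([a-z]+)", re.IGNORECASE)

def dkim_result(header):
    """Return the dkim= result value from an Authentication-Results header, or None."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header line folding
    match = DKIM_RE.search(unfolded)
    return match.group(1).lower() if match else None

def diagnose(headers_by_provider):
    """Apply the rule of thumb from the steps: one provider failing points at
    that provider, several failing points at the signing server or DNS."""
    results = {p: dkim_result(h) for p, h in headers_by_provider.items()}
    failing = sorted(p for p, r in results.items() if r != "pass")
    if len(results) < 3:
        verdict = "insufficient"   # compare at least three providers first
    elif not failing:
        verdict = "ok"
    elif len(failing) == 1:
        verdict = "provider"       # re-test, then contact that provider
    else:
        verdict = "sender"         # check signing server and DNS record
    return {"results": results, "failing": failing, "verdict": verdict}

# Constructed sample headers (hypothetical hosts, not real mail).
ONE_PROVIDER_FAILS = {
    "gmail": "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=domain.com; dkim=pass header.i=@domain.com",
    "yahoo": "Authentication-Results: mta.example.org; dkim=pass header.i=@domain.com",
    "outlook": "Authentication-Results: in.example.com; spf=pass;\r\n dkim=fail header.i=@domain.com",
}
ALL_FAIL = {p: h.replace("dkim=pass", "dkim=fail") for p, h in ONE_PROVIDER_FAILS.items()}

if __name__ == "__main__":
    for name, sample in (("one fails", ONE_PROVIDER_FAILS), ("all fail", ALL_FAIL)):
        print(name, diagnose(sample))
```
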

Troubleshooting the DKIM signing server and DNS configuration

  1. Check the configuration of your DKIM signing server to ensure all required tags are present and are configured correctly. Refer to the DKIM signature header detail article for the required and correct tag=value pairs for the DKIM signature.
    1. Ensure there are no incorrect tag=value pairs. The wrong value for a specific tag can cause a verification error.
    2. Ensure there are no empty tag=values. If any of the values are empty, it may cause a verification error.
    3. Ensure there are no unrecognized tags. Tags that are not recognized by a mailbox provider during the verification process may cause a verification error.
    4. Look for invalid characters or extra spaces within the tag=value pair.
  2. Check the configuration of the DKIM DNS record for your domain to ensure all required tags are present and are configured correctly. Refer to the DKIM DNS record overview article for the required and correct tag=value pairs for the DNS record.
    1. Ensure the p= tag is present and contains the public key.
    2. Ensure there are no incorrect tag=value pairs. There are other tag=value pairs that may be used in DNS. The wrong value for a specific tag may cause a verification error.
    3. Ensure there are no empty tag=values. If any of the values are empty, it may cause a verification error.
    4. Ensure there are no unrecognized tags. Tags that are not recognized by a mailbox provider during the verification process may cause a rejection.
    5. Look for invalid characters or extra spaces within the tag=value pair.
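
The checks in both lists above (required tags, empty values, unrecognized tags, invalid characters) can be automated with a small linter. This is an added example, not code from the original article; the tag names come from RFC 6376, and the sample record and signature strings are constructed placeholders rather than real keys.

```python
import re

# Tag names from RFC 6376: DKIM-Signature header and DNS key record.
SIG_REQUIRED = {"v", "a", "b", "bh", "d", "h", "s"}
SIG_KNOWN = SIG_REQUIRED | {"c", "i", "l", "q", "t", "x", "z"}
KEY_REQUIRED = {"p"}
KEY_KNOWN = {"v", "h", "k", "n", "p", "s", "t"}
BASE64_TAGS = {"b", "bh", "p"}

def lint_tags(tag_list, required, known):
    """Return a list of findings for a 'tag=value; tag=value' string."""
    findings, seen = [], set()
    for part in tag_list.strip().rstrip(";").split(";"):
        name, sep, value = (s.strip() for s in part.partition("="))
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            findings.append(f"malformed pair: {part.strip()!r}")
            continue
        if name in seen:
            findings.append(f"duplicate tag: {name}")
        seen.add(name)
        if name not in known:
            findings.append(f"unrecognized tag: {name}")
        if value == "":
            findings.append(f"empty value: {name}")
        elif name in BASE64_TAGS:
            # Whitespace inside base64 is tolerated; anything else is not.
            if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", re.sub(r"\s+", "", value)):
                findings.append(f"invalid base64 in: {name}")
        elif re.search(r"[^\x21-\x7e \t]", value):
            findings.append(f"invalid character in: {name}")
    findings += [f"missing required tag: {n}" for n in sorted(required - seen)]
    return findings

# Constructed samples; the base64 strings are placeholders, not real keys.
GOOD_KEY = "v=DKIM1; k=rsa; p=QUJDREVGR0g="
# g= is an obsolete tag from RFC 4871; n= is empty; p= has a stray quote.
BAD_KEY = 'v=DKIM1; k=rsa; g=*; n=; p=QUJD"REVG'
# Selector (s=) is empty and the signed-header list (h=) is missing.
BAD_SIG = "v=1; a=rsa-sha256; d=domain.com; s=; bh=QUJDREVGR0g=; b=QUJD"

if __name__ == "__main__":
    print(lint_tags(GOOD_KEY, KEY_REQUIRED, KEY_KNOWN))
    print(lint_tags(BAD_KEY, KEY_REQUIRED, KEY_KNOWN))
    print(lint_tags(BAD_SIG, SIG_REQUIRED, SIG_KNOWN))
```

An empty p= value is how a DNS record marks a revoked key, so that finding means verification will fail by design rather than by typo.
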

If you believe the error is caused by the mailbox provider, contact them through their postmaster site and give them the information about the error so they can investigate. They may have a verification server that is misconfigured or malfunctioning. Most errors caused by a mailbox provider are temporary and are resolved quickly. You should always check multiple campaigns and perform additional tests to determine if there is a possible mailbox provider error before you decide to contact them.
