Why is DKIM failing?

There are several reasons why DKIM might fail for your emails. The list below is not exhaustive, but it covers common causes to examine first.

Missing DKIM Signature

If the email is not signed with a DKIM signature, it will fail the DKIM check. This can happen if the sending server or application does not support DKIM signing.

Incorrect DKIM Configuration

If the DKIM record in your domain's DNS is misconfigured (e.g., incorrect public key, wrong selector) or is missing entirely, the receiving server will not be able to verify the DKIM signature, leading to a failure.

Email Modification

DKIM checks the integrity of the email content. If the email is modified in transit (e.g., by a forwarding service or a mailing list), the DKIM signature may become invalid, resulting in a failure.

Different Signing Domains

If the email is signed with a different domain than the one in the "From" address, DKIM may fail. For example, if a third-party service sends an email on behalf of your domain but uses its own DKIM signature, it may not match your domain's DKIM record.

Email Forwarding

Some email providers or email forwarding services may strip DKIM signatures or alter the email content, causing DKIM to fail. SPF may still pass if the forwarding server is authorized in the SPF record.
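
The following Python example is an addition, not part of the original article. It triages a raw message offline for three of the causes above (a missing signature, a signing domain that differs from the "From" domain, and a body changed in transit) by recomputing the RFC 6376 body hash and comparing it with the bh= tag. The function names, the example.com domain, the sel1 selector and the sample message are constructed for illustration; the code does not fetch the DNS key or verify the b= signature, and it assumes no l= tag is present.

```python
import base64, hashlib, re
from email import message_from_bytes
from email.utils import parseaddr

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 body canonicalization, 'simple' or 'relaxed'."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str, algo=hashlib.sha256) -> str:
    return base64.b64encode(algo(canon_body(body, mode)).digest()).decode()

def diagnose(raw: bytes) -> str:
    """Offline triage only: no DNS lookup, no b= check, l= tag ignored."""
    head, _, body = raw.partition(b"\r\n\r\n")
    msg = message_from_bytes(head + b"\r\n\r\n")
    sig = msg["DKIM-Signature"]
    if sig is None:
        return "no-signature"
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    from_dom = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    d = tags.get("d", "").lower()
    # Simplification: exact or parent-domain match, no public suffix list.
    if from_dom != d and not from_dom.endswith("." + d):
        return "signing-domain-differs"
    # The body algorithm defaults to simple when c= names only one.
    mode = (tags.get("c", "simple") + "/simple").split("/")[1]
    algo = hashlib.sha1 if tags.get("a", "").endswith("sha1") else hashlib.sha256
    if body_hash(body, mode, algo) != tags.get("bh"):
        return "body-modified"
    return "body-hash-ok"

def constructed_message(body: bytes, d: str = "example.com") -> bytes:
    """Constructed sample; b= is a placeholder, not a real signature."""
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s;\r\n"
           " s=sel1; h=from:subject; bh=%s; b=PLACEHOLDER\r\n"
           % (d, body_hash(body, "relaxed")))
    head = sig + "From: Alice <alice@example.com>\r\nSubject: hi\r\n\r\n"
    return head.encode() + body
```

With relaxed canonicalization, a relay that only changes whitespace leaves the body hash intact, while a footer appended by a mailing list does not.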