DKIM Errors and Fixes: Selector Not Found, Hash Mismatch, Alignment

June 20, 2026 • InboxGreenEmail Team

DKIM failures often look identical from the outside: your email arrives, but headers show dkim=neutral or dkim=fail. The cause could be a missing DNS record, a misconfigured ESP, a forwarding issue, or a key that is too short. Each has a different fix.

Start here: run the DKIM Checker to see what is in your DNS, then open a failing message in Gmail (More → Show original) to find the s= selector and the actual result.

InboxGreen Research, June 2026, 186 domains scanned: 14% of domains had no detectable DKIM record on any tested selector. DKIM had the widest gap of the three protocols. A missing DKIM record means DMARC cannot align via DKIM, leaving SPF alignment as the only path to DMARC pass.

| Error | What you see in headers | Where to start |
|---|---|---|
| No DKIM signature | No DKIM-Signature header at all | Enable DKIM signing in your ESP |
| Selector not found | dkim=neutral (no key) | DKIM Checker with your selector |
| Body hash mismatch | dkim=fail (bad signature) | Usually forwarding -- nothing to fix |
| Key too short (1024-bit) | dkim=pass but weak trust | DKIM Checker shows key length |
| DKIM alignment failure | DMARC fail despite dkim=pass | Use custom domain auth at your ESP |
| DKIM stopped working | Suddenly dkim=fail or neutral | Check DNS migration and key rotation |

1. No DKIM signature found in the message headers

If the headers show no DKIM-Signature field at all, the sending server never signed the message. SPF can still pass, but DMARC alignment via DKIM is impossible. This is a setup problem, not a DNS problem.

Common causes:

  • You added the DKIM DNS record but never clicked "Enable" or "Activate" in your ESP's settings
  • You are sending from a domain that has no DKIM configuration at your ESP
  • The sending account is using the ESP's default shared domain instead of your authenticated custom domain

Fix: Go to your ESP's domain authentication settings and confirm that:

  • Your domain is added as a sending domain
  • DKIM is enabled (not just configured)
  • You are sending from that domain, not from an alias or subdomain that is not authenticated

See the provider-specific guides for step-by-step instructions for Google Workspace, SendGrid, Mailgun, Brevo, and others.


2. DKIM selector does not exist in DNS

Every DKIM signature includes an s= tag that names the selector. The verifying server constructs a DNS lookup from that: {selector}._domainkey.{domain}, where {domain} is the value of the signature's d= tag. If that TXT record is not in your DNS, verification fails.

The error in headers looks like: dkim=neutral (no key) or dkim=fail (no key for selector).

How to diagnose it:

  1. Open the raw headers of a failing message and find the DKIM-Signature field
  2. Note the s= value (the selector name)
  3. Look it up: use the DKIM Checker with your domain and that selector

MISSING — record not in DNS

$ dig TXT google._domainkey.yourdomain.com +short
(no output)

DNS has no record at this hostname → dkim=neutral (no key)

CORRECT — record published

$ dig TXT google._domainkey.yourdomain.com +short
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w..."

Public key found → dkim=pass

Common causes of a missing selector:

  • Published the DNS record under the wrong hostname (e.g., double-pasted the domain: google._domainkey.yourdomain.com._domainkey.yourdomain.com)
  • The CNAME or TXT record was deleted during a DNS migration
  • The ESP rotated its DKIM keys and the new selector was not published
  • The record has not propagated yet (wait 30 to 60 minutes after adding it)

3. DKIM body hash mismatch

DKIM signs the message body and selected headers. If anything modifies the message in transit, the signature will not verify. The header shows dkim=fail (bad signature).

The most common cause is email forwarding. When a mailbox forwards to a personal Gmail address, the forwarding server sometimes modifies the message (adds a footer, re-encodes characters, or rewrites headers). DKIM fails because the body hash no longer matches.

This is expected behavior and not a configuration error on your part. DMARC receivers handle this with ARC (Authenticated Received Chain), which some forwarders implement to preserve the original authentication result.

What to do:

  • If this is affecting forwarded copies of your email, there is nothing to fix on your end. DKIM is working correctly for direct delivery.
  • If this is happening on direct delivery (not forwarded), check that your ESP is not modifying message content after signing. Some tracking or click-wrapping features alter the body before delivery.
  • Ensure DKIM alignment passes for direct delivery. DMARC passes as long as direct recipients see a valid DKIM signature.
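To see why a forwarder's footer breaks the signature while harmless whitespace changes may not, the following added example (not code from this page or from any ESP) computes the bh= value using the body canonicalization rules of RFC 6376. The message bodies are constructed samples.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """RFC 6376 body canonicalization, 'simple' or 'relaxed'."""
    lines = re.split(rb"\r?\n", body)
    if mode == "relaxed":
        # Collapse runs of spaces/tabs to one space, drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":          # empty lines at end of body are ignored
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Value a signer places in bh= when a=rsa-sha256."""
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def survives(original: bytes, received: bytes, mode: str = "relaxed") -> bool:
    """True when the received body still hashes to the signed bh= value."""
    return body_hash(original, mode) == body_hash(received, mode)

# Constructed sample bodies.
ORIGINAL = b"Hi Ana,\r\n\r\nQuote attached.\r\n"
REFLOWED = b"Hi Ana,   \r\n\r\nQuote  attached.\r\n\r\n\r\n"   # whitespace-only change
FOOTER = ORIGINAL + b"--\r\nForwarded by list server\r\n"       # content added in transit

if __name__ == "__main__":
    print("bh (original):        ", body_hash(ORIGINAL))
    print("reflowed, relaxed ok? ", survives(ORIGINAL, REFLOWED))
    print("reflowed, simple ok?  ", survives(ORIGINAL, REFLOWED, "simple"))
    print("footer added ok?      ", survives(ORIGINAL, FOOTER))
```

The c= tag in the DKIM-Signature header names the header/body canonicalization pair the signer used, so compare with the mode after the slash.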

4. DKIM key too short (1024-bit)

Older DKIM configurations used 1024-bit RSA keys. Gmail and other major receivers now flag 1024-bit keys as insufficient and may downgrade their trust evaluation. The header result is still dkim=pass, but reputation scoring treats it differently.

Some receivers require 2048-bit minimum. RFC 8301 (2018) formally deprecated 1024-bit keys.

How to check your key length:

Use the DKIM Checker. The result shows the key length. If it says 1024, regenerate.

WEAK — 1024-bit key

"v=DKIM1; k=rsa;
 p=MIGfMA0GCSqGSIb3DQ..."
key length: 1024 bits

Deprecated by RFC 8301. Gmail flags as insufficient. Regenerate at 2048-bit.

STRONG — 2048-bit key

"v=DKIM1; k=rsa;
 p=MIIBIjANBgkqhkiG9w0B..."
key length: 2048 bits

Modern standard. Use this when generating new keys at any ESP.

How to fix it:

  • In your ESP, generate a new 2048-bit DKIM key (most modern ESPs default to 2048 now)
  • Publish the new TXT or CNAME record in your DNS
  • Wait for propagation, then enable the new key in your ESP
  • Delete the old 1024-bit DNS record after confirming the new one is working

For Google Workspace: go to Admin Console → Gmail → Authenticate email, generate a new key, and republish. Google defaults to 2048-bit for newly generated keys.


5. DKIM passes but DMARC still fails (alignment)

DMARC checks whether the domain in the DKIM d= tag matches the domain in the From: header. If your ESP signs messages with their own domain (d=sendgrid.net) instead of yours (d=yourdomain.com), DKIM passes but DMARC alignment fails.

This is the most common DMARC alignment problem for senders using ESPs with shared infrastructure.

DKIM ALIGNMENT IN EMAIL HEADERS  ·  Gmail: More → Show original


DKIM PASS BUT DMARC FAIL (ESP's domain in d= tag)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=sendgrid.net; s=s1; ...
Authentication-Results: mx.google.com;
  dkim=pass header.i=@sendgrid.net;
  dmarc=fail (p=REJECT) header.from=yourdomain.com

DKIM PASS + DMARC PASS (your domain in d= tag)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=yourdomain.com; s=s1; ...
Authentication-Results: mx.google.com;
  dkim=pass header.i=@yourdomain.com;
  dmarc=pass (p=REJECT) header.from=yourdomain.com

Fix: Use your ESP's custom domain authentication feature:

  • SendGrid: Sender Authentication under Settings
  • Mailgun: Domain settings, add your domain
  • Brevo: Senders & IPs → Domains
  • Mailchimp: Domains section, verify your sending domain

Once configured correctly, the ESP signs with d=yourdomain.com and DMARC alignment passes. See the Email Authentication Guides for provider-specific steps.
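The selector lookup from section 2 and the alignment check from this section can both be done from the raw headers. This is an added example, not this site's Header Analyzer; the message is a constructed sample modelled on the failing header above, and the "relaxed" result is an approximation (parent/child domains only), since true relaxed alignment compares organizational domains and needs the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the failing header shown above.
RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
    "  d=sendgrid.net; s=s1; bh=AAAA; b=BBBB\n"
    "From: Sales <sales@yourdomain.com>\n"
    "Subject: constructed test message\n\nbody\n"
)

def parse_tags(value):
    """Split a DKIM tag-list into a dict, dropping folding whitespace."""
    pairs = (item.split("=", 1) for item in value.split(";") if "=" in item)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def alignment(d, from_domain):
    """'strict' on exact match, 'relaxed' for parent/child domains
    (approximation, see lead-in), otherwise 'none'."""
    d, f = d.lower().rstrip("."), from_domain.lower().rstrip(".")
    if d == f:
        return "strict"
    if d.endswith("." + f) or f.endswith("." + d):
        return "relaxed"
    return "none"

def triage(raw):
    """One finding per DKIM-Signature; an empty list means the message was never signed."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        d, s = tags.get("d", ""), tags.get("s", "")
        findings.append({
            "lookup": f"{s}._domainkey.{d}",       # name the verifier queries for the key
            "d": d,
            "from": from_domain,
            "alignment": alignment(d, from_domain),
        })
    return findings

def double_pasted(record_name):
    """Flag a record published as selector._domainkey.domain._domainkey.domain."""
    return record_name.lower().count("._domainkey.") > 1

if __name__ == "__main__":
    for finding in triage(RAW):
        print(finding)
```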


6. DKIM worked, then stopped working

If DKIM was passing and then started failing without any changes on your end, check:

  • DNS migration: the DKIM TXT or CNAME record was not transferred when moving registrars or nameservers
  • ESP key rotation: some ESPs automatically rotate DKIM keys and require you to update the DNS record. Check your ESP's notification settings.
  • CNAME chain broken: for CNAME-based DKIM (SendGrid, Mailchimp), the CNAME must resolve correctly. If the ESP changed their infrastructure, the CNAME target may have changed.
  • TTL caching: if you recently made changes, old resolvers may still have the previous record cached. Check from multiple locations using the DKIM Checker.

Run the full deliverability scan to get a current read on all three protocols at once.


DKIM Tools

DKIM Checker

Look up any DKIM selector on any domain. Shows the key, key length, and whether the record is valid.

DKIM Selector Finder

Discover which DKIM selectors are active on a domain without needing the email headers.

DKIM Generator

Generate a 2048-bit DKIM key pair if your ESP requires you to manage your own keys.

Email Header Analyzer

Paste raw email headers to see DKIM, SPF, and DMARC results in one view.


Related Guides

SPF Errors and Fixes

PermError, multiple records, softfail vs hardfail, and alignment failures.

DMARC Errors and Fixes

Alignment failures, missing reports, policy progression, and syntax errors.

Provider Setup Guides

Step-by-step DKIM setup for Google Workspace, Microsoft 365, SendGrid, Mailgun, and more.

Common Questions About DKIM

How do I check if DKIM is set up correctly?

Send a test email to a Gmail address, then open it and click More → Show original. Look for dkim=pass in the authentication results line. To check the DNS record directly, use the DKIM Checker -- you will need to know the selector your ESP uses (visible in the s= tag in the email headers).

What does "dkim=neutral (no key)" mean?

It means the message was signed with a selector that does not have a matching public key in DNS. The sending server signed the email, but the verifying server could not find the key to check against. The fix is to publish the correct TXT or CNAME record at selector._domainkey.yourdomain.com.

Why does DKIM fail after email forwarding?

DKIM signs the message body. If a forwarding server modifies the message (adds a footer, re-encodes content, or rewrites headers), the signature no longer matches and DKIM fails. This is expected behavior. DMARC receivers handle this scenario with ARC (Authenticated Received Chain). For direct delivery, your DKIM should still pass.

What key length should I use for DKIM?

Use 2048-bit RSA. RFC 8301 deprecated 1024-bit keys in 2018 and major receivers including Gmail now flag them. When generating a new key at your ESP, always select 2048-bit. Use the DKIM Checker to see the length of your current key.

Why does DKIM pass but DMARC still fail?

DMARC requires alignment: the domain in the DKIM d= tag must match the domain in the From: header. If your ESP signs with its own domain (for example, d=sendgrid.net) instead of yours, DKIM passes but DMARC alignment fails. Fix this by setting up custom domain authentication at your ESP so messages are signed with d=yourdomain.com.

