DKIM glossary

What does dkim=fail mean and how do you fix it?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

dkim=fail is the receiver's Authentication-Results verdict that a message's DKIM signature did not verify. Common causes: the body was modified in transit (a broken body hash), the DNS public key is wrong or truncated, or the selector doesn't match a published key. DMARC can still pass on aligned SPF, so dkim=fail isn't always fatal.

dkim=fail at a glance
Tagdkim (Authentication-Results)
Valid valuespass · fail · none · neutral · temperror · permerror
DefaultReported by the receiver — not something you set. fail means the signature didn't verify.
Where it goesIn the Authentication-Results header the receiving server adds, e.g. dkim=fail.

How dkim=fail works

dkim=fail is the receiver's verdict, written into the Authentication-Results header, that a message's DKIM signature did not verify. It doesn't say why — that's the triage job — only that the signature the message carried didn't check out against the published key.

Work the usual causes in order. First, the body was modified in transit, breaking the body hash — the single most common cause. Next, the DNS public key is wrong, truncated, or revoked. Then a selector mismatch or a missing key record, so the receiver can't find a key at all. Finally, a gateway or list rewriting content after signing. The related links below drill into each.

One thing dkim=fail does not always mean: disaster. DMARC passes if either SPF or DKIM aligns, so a message can fail DKIM and still pass DMARC on an aligned SPF result — and the reverse happens too. Read dkim=fail alongside the SPF and DMARC results, not on its own.

Correct record vs common mistake

Correct

Authentication-Results: mx.example.com; dkim=pass header.d=example.com

The signature verified and the signing domain is shown. This is the result you want — pair it with an aligned d= so DMARC passes on DKIM.

Common mistake

Authentication-Results: mx.example.com; dkim=fail (body hash did not verify) header.d=example.com

The receiver couldn't verify the signature — here the body hash failed, meaning the body changed after signing. Trace the mail flow that modified it.

Troubleshooting dkim=fail

IssueLikely causeFix
dkim=fail with 'body hash did not verify'The body changed after signing — footer, disclaimer, or encoding rewriteStop the gateway or list from altering the body, or have it re-sign the message
dkim=fail with 'no key for signature'The selector has no published key, or the key was revoked or truncatedPublish or repair the key at <selector>._domainkey.<domain>, unbroken
dkim=fail but the mail is genuineForwarding or a list broke the signature, yet SPF may still alignConfirm DMARC via aligned SPF; fix DKIM signing so both legs pass where possible

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

dkim=fail across a client base is rarely one root cause — it's body-modifying gateways on one tenant, a truncated key on another, a stale selector on a third. Without per-domain report visibility, these blur into 'DKIM is flaky' and block you from confidently moving any domain to reject.

Trusted by MSPs

We increased our meetings booked by 21% and slept better at night knowing our emails are now secured
Marc-André CampagnaMarc-André Campagna CEO, gaiia (YC 2021)Read the case study →
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Palisade turns raw dkim=fail results into per-sender diagnosis across every client domain — separating broken body hashes from bad keys from stale selectors — so each legitimate source is fixed and aligned before the domain is advanced to reject.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

It's the Authentication-Results verdict that a message's DKIM signature didn't verify against the published key. It flags a failure but not the cause, so it needs triage.

Check the causes in order: a body modified in transit (broken body hash), a wrong or truncated DNS key, a selector mismatch or missing key record, or a gateway rewriting content after signing. Fix the one that applies and re-test.

Not necessarily. Legitimate mail fails DKIM all the time — forwarding, mailing-list footers, and truncated keys all cause it. Read it together with SPF and DMARC before concluding anything.

Yes. DMARC passes when either SPF or DKIM aligns, so a message can fail DKIM and still pass DMARC on an aligned SPF result — and the other way around too.

Related terms

What is DKIM? DomainKeys Identified Mail explained