Why DKIM Fails: 5 Steps to Fix DKIM Failure
Email is an effective tool for corporate and personal communication in the digital age. But as phishing scams and email fraud increase in frequency, businesses need to ensure that their email correspondence is secure and trustworthy. This is where email authentication techniques are useful.
The Importance of DKIM Email Authentication
DKIM (DomainKeys Identified Mail) is an email authentication method that allows a receiver to confirm that an email originated from the stated sender’s domain and that its content hasn’t been changed in transit. DKIM proves the authenticity of outgoing email by digitally signing it.
Furthermore, DKIM matters for the DMARC authentication protocol, which is used to stop malicious senders from distributing altered or fraudulent email communications on behalf of a legitimate business.
How Does DKIM Work?
As with SPF and DMARC, the DKIM email authentication protocol relies on a DNS record published for the domain. The DKIM record contains the public key that email receivers use to verify the DKIM signature of the email.
The process of the DKIM authentication protocol includes these phases:
1. Creating DKIM Keys.
The sender creates a pair of cryptographic keys: the private key and the public key. The private key is stored on the sender’s email server and is used to create DKIM signatures. The public key is published as a DNS TXT record and is used by email receivers to verify a DKIM signature.
The DKIM record is published in a domain’s DNS in the following format:
selector._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=public key"
Where:
- selector — the name of the selector identifying the DKIM key. The selector is the part of the DKIM record name that lets the receiver find the right public key for verifying the DKIM signature. Using selectors, the sending domain can publish multiple public keys for different senders or for key rotation;
- _domainkey — the fixed suffix used in the name of every DKIM record;
- example.com — the sender’s domain;
- v=DKIM1 — the version of the DKIM protocol;
- k=rsa — the key type (RSA);
- p=public key — the public key itself, base64-encoded.
2. Adding a DKIM Signature to the Email.
The sending server uses the private key to create a digital signature over selected parts of the message: the chosen headers and the body. The signature is added to the message as a header called DKIM-Signature.
Example of a DKIM-Signature header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
s=myselector; h=from:to:subject:date:message-id; bh=base64_body_hash;
b=base64_signature;
3. Sending and Receiving the Email.
A DKIM-signed message is sent to the recipient by means of an email service provider or SMTP server.
The recipient’s server looks for the DKIM-Signature header and uses the selector indicated in the signature (s=myselector in the example above) to get the public key from the sender’s domain DNS record.
4. Verifying the DKIM Signature.
The recipient’s server uses the public key to verify the DKIM signature. It recomputes the hashes of the same message components (the listed headers and the body) and uses the public key to check that the signature in the b= tag was produced over exactly that data; in effect, the hash the receiver computes is compared with the hash recovered from the sender’s signature. If the two match, the DKIM authentication passes, confirming that the email was truly sent from the stated domain and wasn’t altered in transmission.
Depending on the success or failure of the DKIM authentication verification, the recipient’s server returns the following results:
- Pass: the DKIM signature is valid and passed verification successfully.
- Fail: the DKIM signature is missing or invalid.
- Temperror: a temporary verification error (for example, due to unavailability of a DNS server).
- Permerror: a permanent verification error (for example, due to an incorrect syntax of the DNS record or a required header field being absent).
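The phases above come down to two pieces of tag=value text that a receiver must parse before it can do anything else: the DKIM-Signature header and the DKIM TXT record. The following is an added example (not code from the article or from GlockApps) that parses both, derives the DNS name the receiver queries from the s= and d= tags, and maps structural problems to the permerror / fail outcomes listed above. The sample header is the article’s own example with its placeholder bh= and b= values; the sample records are constructed for this example.

```python
import re

# Tags a DKIM-Signature header must carry (RFC 6376 section 3.5). A missing
# one is a structural problem, so the receiver result is permerror.
REQUIRED_SIGNATURE_TAGS = ("v", "a", "b", "bh", "d", "h", "s")

# The article's example header, folded across lines as it would be on the wire.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
    " s=myselector; h=from:to:subject:date:message-id; bh=base64_body_hash;\n"
    " b=base64_signature;"
)


def parse_tag_list(text):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM-Signature
    headers and DKIM DNS TXT records into a dict. Whitespace inside values
    (folding in long base64 b= / p= values) is removed."""
    tags = {}
    for item in text.split(";"):
        if not item.strip():
            continue
        if "=" not in item:
            raise ValueError("malformed tag (no '='): %r" % item.strip())
        name, value = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_signature_header(header_value):
    """Return (status, detail). 'permerror' mirrors the receiver result for a
    structurally broken signature; for a usable header, detail is the DNS
    name the receiver must query for the public key."""
    tags = parse_tag_list(header_value)
    missing = [t for t in REQUIRED_SIGNATURE_TAGS if t not in tags]
    if missing:
        return "permerror", "missing required tag(s): " + ", ".join(missing)
    if tags["v"] != "1":
        return "permerror", "unsupported version " + tags["v"]
    # c= defaults to simple/simple when absent; a lone value applies to headers
    # and the body canonicalization then defaults to simple.
    canon = tags.get("c", "simple/simple")
    header_canon, _, body_canon = canon.partition("/")
    body_canon = body_canon or "simple"
    if header_canon not in ("simple", "relaxed") or body_canon not in ("simple", "relaxed"):
        return "permerror", "unknown canonicalization " + canon
    # selector._domainkey.domain is the TXT record the receiver fetches.
    return "ok", "%s._domainkey.%s" % (tags["s"], tags["d"])


def check_dkim_record(txt_value):
    """Validate the TXT record contents. An empty p= means the key was
    revoked, which yields a fail (no usable key) rather than a syntax error."""
    tags = parse_tag_list(txt_value)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "permerror", "bad version tag"
    if "p" not in tags:
        return "permerror", "p= tag missing"
    if not tags["p"]:
        return "fail", "key revoked (empty p=)"
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        return "permerror", "unknown key type " + tags["k"]
    return "ok", tags["p"]


def missing_signed_headers(header_value, message_header_names):
    """List the header names from the h= tag that the message does not carry
    (the check behind the article's 'Verify the Email Headers' step).
    Header names are compared case-insensitively."""
    tags = parse_tag_list(header_value)
    present = {name.lower() for name in message_header_names}
    wanted = [h.lower() for h in tags.get("h", "").split(":") if h]
    return [h for h in wanted if h not in present]


if __name__ == "__main__":
    print(check_signature_header(SAMPLE_SIGNATURE))
    print(check_dkim_record("v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"))
    print(check_dkim_record("v=DKIM1; k=rsa; p="))
    print(missing_signed_headers(SAMPLE_SIGNATURE, ["From", "To", "Subject", "Date"]))
```

When debugging a reported permerror, run the received DKIM-Signature header through check_signature_header first; if it is structurally sound, query the name it returns and run the TXT value through check_dkim_record. The two functions separate "the signature is malformed" from "the published record is malformed", which are fixed in different places (the signer versus DNS).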
Why Does DKIM Fail?
DKIM failure means that an email’s DKIM authentication check returned a failed status, which can happen for a variety of reasons. The most common causes are:
1. Missing DKIM Configuration.
DKIM signing being disabled in your email service provider, or the public and private keys needed for DKIM authentication being missing, causes DKIM failures when mail servers try to verify the authenticity of the email.
2. Incorrect DNS Setup.
An invalid public key or syntax errors in a DKIM record published in the domain’s DNS will lead to a DKIM authentication failure.
3. Missing Public Key.
If the message was signed with a DKIM signature but the public key wasn’t published in DNS, the receiving server is unable to do a DKIM verification. This scenario typically results in a DKIM failure with the “dkim=fail (no key for signature)” server response.
4. DNS Server Issues.
DKIM uses the Domain Name System (DNS) where the public key used for email verification is stored. DNS availability issues can lead to DKIM failures, as the receiving server may not be able to retrieve the DKIM public key from the DKIM DNS record.
5. Mail Server Issues.
Issues with the receiving server’s configuration or functionality may sometimes lead to a DKIM failure. The server may not be able to retrieve the DKIM record from DNS or compute the hash needed to verify the signature. In this scenario, it returns temperror for the DKIM authentication check.
6. Message Modifications.
A DKIM failure occurs when the message has been altered in transit. The DKIM verification typically returns one of these responses:
dkim=fail (signature did not verify)
dkim=fail (DKIM-signature body hash not verified)
In this scenario, even if a single character is changed, the hash the receiving server computes over the message no longer matches the hash that the sending server signed.
A DKIM signature verification failure raises the possibility that an attacker has altered the message. At the same time, the email’s content may be changed legitimately by intermediate servers as the message hops from server to server.
7. Expired DKIM Keys.
The public and private DKIM keys have an expiration date. When either of them expires, verification of the DKIM signature becomes impossible and a DKIM failure results.
8. Canonicalization Algorithm.
DKIM canonicalization is the process of converting the headers and body of an email into a standardized form before applying a DKIM signature. This ensures that the data is in a consistent format for verification.
Certain mail systems, such as forwarders, may alter emails in transit, potentially invalidating the DKIM signature. The canonicalization mechanism exists to keep a DKIM signature valid after minor changes to the message.
DKIM handles email headers and bodies separately, and a canonicalization technique is chosen for each. There are two canonicalization types for headers and bodies: simple and relaxed.
The strict option, simple canonicalization, tolerates no changes to the message’s headers and body: even a minor alteration invalidates the DKIM signature and causes a DKIM authentication failure. Relaxed canonicalization tolerates small alterations to the email’s headers and body without invalidating the DKIM signature.
The canonicalization mechanism is set by the sender in the DKIM signature added to the message. The c= tag in the signature specifies the canonicalization mode. Example:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;
The part before the / character sets the canonicalization mode for the headers; the part after it sets the canonicalization mode for the body.
If no canonicalization mode is specified, the default is c=simple/simple.
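Sections 6 and 8 above both hinge on the same computation: the bh= value in the signature is a base64 hash of the body after canonicalization, and whether an in-transit change breaks DKIM depends on whether the chosen mode absorbs it. The following is an added example (not code from the article or from GlockApps) that implements the simple and relaxed body canonicalization rules and the relaxed header canonicalization from RFC 6376 using only the standard library, then compares the body hash a signer would have computed with the one a receiver computes after two constructed kinds of modification: whitespace changes of the kind forwarders introduce, and an appended footer.

```python
import base64
import hashlib
import re


def canonicalize_body(body, mode):
    """Canonicalize a CRLF-terminated message body per RFC 6376 section 3.4.
    simple: only trailing empty lines are removed. relaxed: additionally strip
    trailing whitespace on each line and collapse runs of spaces/tabs."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    elif mode != "simple":
        raise ValueError("unknown canonicalization mode: " + mode)
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # An empty body is a single CRLF under simple and empty under relaxed.
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode, algorithm="sha256"):
    """Return the bh= value: base64 of the digest over the canonicalized body."""
    data = canonicalize_body(body, mode).encode("utf-8")
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")


def canonicalize_header(name, value, mode):
    """Canonicalize one header field as it is fed to the signing hash
    (without the trailing CRLF). simple leaves it untouched; relaxed
    lowercases the name, unfolds the value, collapses whitespace and trims."""
    if mode == "simple":
        return "%s:%s" % (name, value)
    unfolded = re.sub(r"\r\n[ \t]+", " ", value)
    collapsed = re.sub(r"[ \t]+", " ", unfolded).strip()
    return "%s:%s" % (name.lower(), collapsed)


def body_hash_survives(original, received, mode):
    """True when the bh= computed at signing time still matches what the
    receiver computes, i.e. the change made in transit is absorbed by mode."""
    return body_hash(original, mode) == body_hash(received, mode)


# Constructed sample bodies: what the signer saw, and two altered versions.
ORIGINAL_BODY = "Hello team,\r\n\r\nPlease review  the attached report.\r\nThanks\r\n"
# A forwarder added trailing spaces, normalized a double space and appended blank lines.
RECEIVED_WHITESPACE = "Hello team,  \r\n\r\nPlease review the attached report.\r\nThanks   \r\n\r\n"
# A gateway appended a footer line (constructed text, not a real product).
RECEIVED_FOOTER = ORIGINAL_BODY + "--\r\nScanned by an example gateway\r\n"

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, "whitespace change survives:", body_hash_survives(ORIGINAL_BODY, RECEIVED_WHITESPACE, mode))
        print(mode, "appended footer survives:", body_hash_survives(ORIGINAL_BODY, RECEIVED_FOOTER, mode))
```

The whitespace edits pass under relaxed and fail under simple, which is the reason behind step 4 of the fix list; the appended footer fails under both, because canonicalization only normalizes whitespace and never ignores added content. A receiver reporting "body hash not verified" on mail that left your server intact is therefore a sign of content rewriting downstream (a footer-adding gateway or a mailing list), not of a whitespace problem that a c= change can fix.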
9. Missing Headers.
The DKIM signature contains the h= tag, which lists the email headers included in the hash computed by the signing algorithm. Example:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
s=myselector; h=from:to:subject:date:message-id; bh=base64_body_hash;
b=base64_signature;
If any of the headers listed there is missing, the receiving server will not be able to validate the DKIM signature and will return a DKIM failure response.
10. DKIM Identifier Alignment Mode.
DKIM identifier alignment is important for passing DMARC authentication. To check DKIM alignment, the receiving server compares the domain in the email’s “From” address with the domain in the d= tag of the DKIM-Signature header.
There are two modes of the DKIM identifier alignment: strict and relaxed.
Strict mode requires an exact match of the two domains; relaxed mode requires only that the organizational domains match, allowing a subdomain in either field.
The DKIM identifier alignment mode is set in the DMARC record in the adkim= tag. Example:
v=DMARC1; p=reject; rua=mailto:email@example.com; ruf=mailto:email2@example.com; adkim=r; fo=1;
If the adkim= tag is absent, email receivers apply the relaxed mode by default.
If the domains do not match according to the specified mode, the recipient’s server reports that DKIM alignment failed. This may indicate domain spoofing or a sender impersonation attack.
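The alignment rule is small enough to write down exactly, which makes it easy to test a From/d= pair against your DMARC record before changing adkim=. The following is an added example (not code from the article or from GlockApps) that reads adkim= from a DMARC TXT record, applies strict or relaxed alignment, and combines the result with the DKIM verification status the way DMARC does. The organizational domain is approximated as the last two labels; a production implementation consults the Public Suffix List, and the sample domains and records are constructed for this example.

```python
def organizational_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption for this example: a real DMARC implementation uses the Public
    Suffix List so that names like example.co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dkim_aligned(from_domain, signature_domain, adkim="r"):
    """True when the From domain and the DKIM d= domain align under the
    DMARC adkim mode: 's' (strict) needs an exact match, 'r' (relaxed, the
    default when adkim= is absent) needs the same organizational domain."""
    from_domain = from_domain.lower().rstrip(".")
    signature_domain = signature_domain.lower().rstrip(".")
    if adkim == "s":
        return from_domain == signature_domain
    if adkim == "r":
        return organizational_domain(from_domain) == organizational_domain(signature_domain)
    raise ValueError("adkim must be 's' or 'r', got %r" % adkim)


def dmarc_adkim_mode(dmarc_txt):
    """Extract adkim= from a DMARC TXT record; relaxed when the tag is absent."""
    tags = {}
    for item in dmarc_txt.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags.get("adkim", "r")


def from_domain_of(from_header):
    """Pull the domain out of a From header such as 'Alice <alice@example.com>'."""
    return from_header.rsplit("@", 1)[-1].strip(" >").lower()


def dkim_counts_for_dmarc(from_header, dkim_d, dkim_status, dmarc_txt):
    """DMARC credits DKIM only when the signature verified AND its d= domain
    is aligned with the From domain under the record's adkim mode."""
    mode = dmarc_adkim_mode(dmarc_txt)
    return dkim_status == "pass" and dkim_aligned(from_domain_of(from_header), dkim_d, mode)


# Constructed records: the article's example (relaxed) and a strict variant.
RELAXED_RECORD = "v=DMARC1; p=reject; rua=mailto:email@example.com; adkim=r; fo=1;"
STRICT_RECORD = "v=DMARC1; p=reject; rua=mailto:email@example.com; adkim=s; fo=1;"

if __name__ == "__main__":
    sender = "Alerts <alerts@news.example.com>"
    for record in (RELAXED_RECORD, STRICT_RECORD):
        print(dmarc_adkim_mode(record), dkim_counts_for_dmarc(sender, "example.com", "pass", record))
```

This reproduces the failure described in step 5 of the fix list: mail sent from a subdomain but signed with d= set to the parent domain passes DKIM verification and still fails DMARC under adkim=s. The alternatives are to relax the mode or to sign with the exact From domain; the example shows which one a given record and sender combination needs.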
How to Fix DKIM Failure?
Prompt identification and repair of DKIM failures helps any business, whether a startup, a growing marketer, or a large-volume email sender, increase email deliverability while safeguarding its brand reputation.
Below are the steps to take to ensure your email communications pass DKIM email authentication:
1. Examine Your DKIM Configuration.
First of all, check your DKIM settings. Examine your setup to see if you are compliant with the instructions supplied by your IT department or email service provider (ESP). Make necessary adjustments to the settings if you find any differences. Ask for assistance from your IT team or ESP if you have any questions about the proper DKIM configuration.
2. Update the DKIM Keys.
Create a new key pair in accordance with the instructions supplied by your IT department or ESP. Make sure the new keys are properly associated with your sender’s domain by updating your DKIM settings. It is advised to rotate the key pairs on a regular basis, for example, every six or twelve months.
3. Verify the Email Headers.
Ensure that the header fields listed in the DKIM signature for hashing are present in the message both as sent and as received.
4. Change the Canonicalization Mode.
Many DKIM failures can be prevented by using the relaxed canonicalization mode for the header and body, which tolerates the minor modifications that intermediate servers and forwarders may make.
5. Update DKIM Alignment Mode.
To fix DKIM alignment failures, examine your DMARC record for the adkim= tag. adkim=s means the strict alignment mode is applied to DKIM. While it gives a high level of domain protection, this mode may also lead to DKIM identifier alignment failures when the domain in the email’s “From” address and the domain in the d= tag of the signature do not match exactly.
Conclusion
DKIM is a crucial email authentication protocol for preserving an email’s integrity and authenticity. DKIM plays a vital role in the DMARC authentication mechanism, which helps email senders protect their domains against spoofing.
DKIM authentication is now required by Google and Yahoo, so email senders must take it seriously. DKIM failures can cause important messages to be blocked or filtered out as spam.
GlockApps gives you the tools for testing and monitoring your DKIM records, DKIM authentication, and alignment. Regular monitoring of DKIM settings and email authentication outcomes lets you identify DKIM failures and address them promptly, ensuring that your email campaigns reach their target recipients.