DKIM failed (dkim=fail): why your signature did not verify

A dkim=fail result means your DKIM signature did not verify. Here is what that means, the handful of things that cause it (the body getting modified in transit is the big one), and how to fix each.

What dkim=fail means

A dkim=fail in a message's Authentication-Results header means the message was signed, but the signature did not verify (RFC 8601). That is different from dkim=none (not signed at all) and from temperror (a transient problem, like a DNS timeout, that might pass on a retry).

A DKIM signature covers two things, and either can be the failure:

  • the body hash (bh=): a fingerprint of the message body. If the body changed after signing, the body hash will not match, and receivers report this specifically as “body hash did not verify.”
  • the signature (b=): the cryptographic signature over the signed headers. If a signed header changed, or the published key does not match, this fails.

What causes it

In rough order of how often each one bites:

  • The message was modified in transit (the number-one cause). A mailing list appends a footer, prepends [list-name] to the subject, or rewrites links; a forwarder or security gateway alters the body. Any change to the signed content breaks the body hash. (DKIM has an optional l= body-length tag meant to tolerate appended footers, but it carries a known weakness: content added past the signed length still verifies, so most senders avoid it.)
  • The selector is gone or wrong. Receivers fetch your public key from <selector>._domainkey.yourdomain. If that record was removed, rotated away, or returns an empty p= (which signals a revoked key), verification fails.
  • The signature expired. A signature with an x= expiration that has passed, or badly skewed clocks, will not verify.
  • A gateway rewrites the message after signing. Outbound appliances that modify mail after DKIM has signed it invalidate the signature.
  • A weak or deprecated algorithm or key. rsa-sha1 is no longer allowed (RFC 8301); 1024-bit keys are below the recommended 2048-bit strength.

Where you will see it

On Gmail, a bulk sender that fails DKIM gets:

550-5.7.30 This message was blocked because it didn't pass DKIM
authentication. Gmail requires bulk email senders to authenticate
their email with DKIM.

The rate-limited (temporary) version is 421-4.7.30.

How to fix it

  • Confirm the key is published. Read the s= selector from the failing DKIM-Signature, then check that <selector>._domainkey.yourdomain resolves to a TXT record with a non-empty p=. An empty p= means the key was revoked.
  • Stop modifying signed messages. If a list, forwarder, or gateway is changing the body or signed headers, either turn off that modification or have that hop re-sign the message with its own domain.
  • Align the signing domain with your From. A signature only helps DMARC if its d= domain aligns with your From: domain. If the service signs with its own domain, switch to a branded (CNAME-delegated) DKIM key for your domain.
  • Rotate to a 2048-bit key and make sure you are not using rsa-sha1.
  • For forwarded mail and lists, DKIM is the signal that can survive (SPF will not), and ARC lets a forwarder carry the original authentication result to the next hop.
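To make the body-hash check and the key-record check concrete, here is an added example (not code from this page or from any DKIM library) that recomputes bh= over a received body with RFC 6376 relaxed body canonicalization and classifies the TXT record at <selector>._domainkey.<domain>. The message body, the selector sel2024, the domain example.com and the mailing-list footer are constructed; b= is left empty because verifying the header signature needs the published public key, which this example does not model.

```python
import base64
import hashlib
import re

def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM tag=value list (signature header or key record) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding whitespace in values is ignored
    return tags

def canonicalize_body_relaxed(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of WSP to one space,
    drop trailing WSP on each line, drop trailing empty lines, end with CRLF (empty body -> empty)."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str) -> str:
    """The bh= value a signer emits for a=rsa-sha256 with relaxed body canonicalization."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_relaxed(body)).digest()).decode()

def check_body_hash(sig_tags: dict, body_as_received: str) -> bool:
    """The receiver's first check: recompute bh= over the body it actually received."""
    return body_hash(body_as_received) == sig_tags.get("bh")

def key_status(txt_record):
    """Classify the <s>._domainkey.<d> TXT record: None (no record) -> missing,
    empty p= -> revoked (RFC 6376 section 3.6.1), anything else -> ok."""
    if txt_record is None:
        return "missing"
    return "revoked" if not parse_dkim_tags(txt_record).get("p") else "ok"

# Constructed sample: a body and the DKIM-Signature a sender would have emitted for it.
ORIGINAL_BODY = "Hello,\r\n\r\nPlease review the attached draft.\r\n"
SIGNATURE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
                    " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + "; b=")
FOOTER = "_______________________________________________\r\nlist@example.com mailing list\r\n"

if __name__ == "__main__":
    tags = parse_dkim_tags(SIGNATURE_HEADER)
    print("as sent:        ", check_body_hash(tags, ORIGINAL_BODY))           # True
    print("footer appended:", check_body_hash(tags, ORIGINAL_BODY + FOOTER))  # False: "body hash did not verify"
    print("key record:     ", key_status("v=DKIM1; k=rsa; p="))               # revoked
```

Relaxed canonicalization tolerates whitespace changes (collapsed spaces, extra trailing blank lines) but not appended content, which is exactly why a list footer produces the "body hash did not verify" result.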

How it relates to DMARC

A dkim=fail rarely bounces a message on its own. It matters because DKIM is one of DMARC's two inputs: DMARC passes if either SPF or DKIM passes and aligns with your From: domain. A message can carry several DKIM signatures, and DMARC passes if any one of them is aligned and verifies. Aligned DKIM is also the half that survives forwarding, which is why it is the more reliable way to pass DMARC for third-party senders.

Frequently asked

What does dkim=fail mean?

It means the message was signed but the signature did not verify, which is different from not being signed at all (dkim=none) or a temporary error (temperror). Either the body was changed after signing, or the signing key or signed headers did not match.

What does “body hash did not verify” mean?

A DKIM signature includes a fingerprint of the message body. If anything changed the body after it was signed (a forwarder or mailing-list footer, a gateway rewrite), the fingerprint no longer matches and you get this specific failure.

Why does DKIM fail on forwarded mail or mailing lists?

Because they often modify the message: appending a footer, changing the subject, or rewriting links. Any change to the signed content breaks the body hash. ARC is the mechanism designed to carry the original authentication result across these hops.

Does a DKIM failure mean my mail bounces?

Usually not on its own. It matters as a DMARC input: DMARC passes if either DKIM or SPF passes and aligns with your From: domain. If neither does, DMARC fails and your published policy decides what happens.

Last verified 2026-06-23 against RFC 6376, the DKIM specification.