How to fix “Your DKIM signature is not valid” error

by DuoCircle

 

Email authentication protocols are the foundation of your email security strategy, and even the most seemingly insignificant error can mess up your deliverability and security. One such issue is an invalid DKIM signature, which means there are inaccuracies in your domain’s DomainKeys Identified Mail (DKIM) configuration.

It goes without saying that fixing this problem is important unless you want to risk having your messages tampered with and put your brand’s reputation at stake. In this article, we will take you through the steps involved in remedying this error and ensuring that emails reach their intended recipients safely and efficiently. But before we get into the process, let us understand what DKIM signatures are and the factors that lead to an invalid signature. 

 

What are DKIM signatures?

DKIM is an email authentication protocol that relies on public and private key cryptography to verify that an email has not been altered on its way to the recipient’s inbox. To make this happen, you need two keys. The private key is used by your server to create a unique digital signature that goes into the email header.

 


 

As for the public key, it is published in a DNS record so that the recipient’s server can refer to it while verifying the authenticity of the incoming message. In this article, our focus will be on the unique digital signature that we mentioned earlier.

The DKIM signature is not like the usual email signature that you spot at the bottom of your message. This one is added to the email header and is not visible to the users. Despite being invisible, it assures your recipients that the email they are receiving is untampered and has not been strategically changed by a cyber attacker to gain unauthorized access to their system.

 

What are the common tags of a DKIM signature?

For a DKIM signature to do what it is supposed to, it must include DKIM tags, some of which are required while others are optional. If these tags are not properly configured, your messages will fail verification and might end up in spam.

Here’s a breakdown of some of the most common tags that you should include in your DKIM signature:

  • v (Version): This tag simply indicates the version of DKIM being deployed. If you use “v=DKIM1”, it means that the first version of DKIM is used in the particular email. Ideally, the value should be set to 1.
  • a (Algorithm): “a” stands for algorithm in the DKIM signature and signifies the cryptographic algorithm used to create the signature. You should configure DKIM with “a” tag value set to: rsa-sha256.
  • d (Domain): This tag indicates the domain that owns the DKIM key used for the signature. If your company’s domain is “abc.com,” the tag will be “d=abc.com.” 
  • s (Selector): This tag points to the specific DKIM selector used to locate the public key in the DNS record. 
  • b (Signature): The b= tag includes the actual cryptographic signature generated by the email server for the entire message.
  • h (Signed Headers): This tag lists the email headers that were a part of the DKIM signature algorithm to create the hash in the b= tag. The value of the h= tag is fixed and cannot be altered.

While all of these tags are an integral aspect of the DKIM signature, establishing them is no easy feat! Even the slightest discrepancy can render the signature invalid and throw off all your efforts toward building a secure communication channel.
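A minimal check of the tags listed above, as an added example that is not DuoCircle's code: it parses a DKIM-Signature header value, flags missing or unexpected tags, compares d= with the sender's domain, and builds the DNS name where the public key is looked up. The header values and the selector `mail2024` are constructed placeholders, and the bh= requirement and the From-in-h= check come from RFC 6376 rather than from this article.

```python
import re

# Tags listed above, plus bh= (body hash), which RFC 6376 also requires.
REQUIRED = ("v", "a", "d", "s", "h", "bh", "b")

def parse_tags(value):
    """Split a 'tag=value; tag=value' list, dropping header-folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")   # b= may itself contain '=' padding
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_signature(header_value, from_domain):
    """Return (DNS name holding the public key, list of problems)."""
    tags = parse_tags(header_value)
    problems = [f"missing {t}= tag" for t in REQUIRED if not tags.get(t)]
    # In the signature header the version is v=1; v=DKIM1 is the DNS record form.
    if tags.get("v", "1") != "1":
        problems.append(f"v={tags['v']}, expected 1")
    if tags.get("a", "rsa-sha256") != "rsa-sha256":   # value recommended above
        problems.append(f"a={tags['a']}, expected rsa-sha256")
    d, sender = tags.get("d", "").lower(), from_domain.lower()
    # Simplified comparison: exact match, or the sender is a subdomain of d=.
    if d and sender != d and not sender.endswith("." + d):
        problems.append(f"d={d} does not match sender domain {sender}")
    if "from" not in tags.get("h", "from").lower().split(":"):
        problems.append("From is not among the signed headers in h=")
    lookup = f"{tags['s']}._domainkey.{d}" if tags.get("s") and d else None
    return lookup, problems

# Constructed samples: bh= and b= hold placeholder base64, not real signatures.
GOOD = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=abc.com; s=mail2024;\r\n"
        "\th=from:to:subject:date; bh=Y29uc3RydWN0ZWQ=;\r\n"
        "\tb=Y29uc3RydWN0ZWQtc2lnbmF0dXJl")
BAD = ("v=1; a=rsa-sha1; d=mailer.example; h=to:subject; "
       "bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=")

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(check_signature(sample, "abc.com"))
```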

 


 

What makes a DKIM signature invalid?

If you come across a “DKIM Signature Is Not Valid” error message, there are other reasons for it to happen apart from incorrect tags. Let us take a look at some of them:

  • The first and most obvious reason is that your DKIM signature domain and sender domain don’t match each other, which raises questions about the authenticity of the email.
  • There are errors in the public key published in DNS, or you haven’t published it at all.
  • Sometimes, the server cannot reach the sender’s domain DNS zone for lookup, which leads to an invalid DKIM signature. If this is the case, chances are that your hosting providers are not up to the mark.
  • The DKIM key published is shorter than 1024 bits. Ideally, it should be 2048 bits to reduce the risk of security vulnerabilities and emails being rejected by the email providers. 
  • If the message is altered during auto-forward, it can invalidate the DKIM signature, giving the receiving mail server the impression that the email was tampered with by a cyber attacker.

 

How to fix an invalid DKIM signature?

Even though you might have aligned the DKIM record with utmost attention to detail, if you still see the “DKIM Signature is Not Valid” message, don’t fret! We can help you troubleshoot it.

  • Run your existing DKIM record through a DKIM checker or a validator. The tool will check your record for errors, such as whether it is published, whether it has any syntax issues, or whether the public key is present.
  • Once you have identified the discrepancies, edit the DNS record by entering the correct value.
  • Save the changes you have made. These changes do take some time to update. 
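The checks a DKIM record validator performs in the first step, sketched as an added example that is not DuoCircle's tool: is a record published, is the public key present and decodable, and is an RSA key at least 1024 bits (2048 recommended). It assumes the TXT strings have already been fetched and concatenated; `constructed_record` builds a sample with a placeholder modulus, not a real key.

```python
import base64, binascii

def _tlv(buf, pos):  # one DER element -> (content_start, content_end)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(der):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in p=."""
    start, _ = _tlv(der, 0)                    # outer SEQUENCE
    _, end = _tlv(der, start)                  # AlgorithmIdentifier, skipped
    start, _ = _tlv(der, end)                  # BIT STRING
    start, _ = _tlv(der, start + 1)            # RSAPublicKey SEQUENCE
    start, end = _tlv(der, start)              # modulus INTEGER
    return int.from_bytes(der[start:end], "big").bit_length()

def check_record(txt):
    """Return the problems found in a DKIM TXT record value (None = no record)."""
    if not txt:
        return ["no record published for this selector"]
    pairs = (part.partition("=") for part in txt.split(";"))
    tags = {k.strip(): "".join(v.split()) for k, _, v in pairs}
    problems = [] if tags.get("v", "DKIM1") == "DKIM1" else ["v= is not DKIM1"]
    if not tags.get("p"):
        return problems + ["p= (public key) is missing or empty"]
    if tags.get("k", "rsa") != "rsa":          # size rule below is RSA-only
        return problems
    try:
        bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except (binascii.Error, IndexError):
        return problems + ["p= is not valid base64 / DER"]
    if bits < 1024:
        problems.append(f"{bits}-bit key is shorter than 1024 bits")
    elif bits < 2048:
        problems.append(f"{bits}-bit key: 2048 bits is the recommended size")
    return problems

def constructed_record(bits):  # constructed sample: DER layout, placeholder modulus
    def der(tag, body):
        n, k = len(body), (len(body).bit_length() + 7) // 8
        size = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
        return bytes([tag]) + size + body
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    spki = der(0x30, alg + der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```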

 


 

One thing is clear: identifying and correcting issues in a DKIM signature involves careful attention to detail and a systematic approach. This is why it is recommended to use reliable DKIM lookup tools to find these mistakes and fix them. These tools will not only make the process easy but also reduce the chances of human error, which can cost you email deliverability and reputation.

Worried if your DKIM is properly aligned? With DuoCircle by your side, you don’t have to worry about configuring and maintaining such a crucial element of your email security strategy. You can trust our team of experts to guide you through setting up and optimizing DKIM so that your emails reach their destination without a hitch. Contact us or book your demo today!
