DKIM Signature Explained
The DKIM-Signature header is added by the sending server and contains the signature, the selector, the domain, and hashes of the signed headers and body. Receivers use this to fetch the public key from DNS and verify that the message was not modified. Understanding the header fields helps you debug verification failures and alignment issues.
One-Minute Fix
Ensure the domain (d=) and selector (s=) in the DKIM-Signature header match the DNS record location. If the body hash fails, check for modifications (gateways, footers, forwarding) that occur after signing.
v=1; a=rsa-sha256; d=example.com; s=selector1;
h=From:To:Subject:Date; bh=base64hash; b=base64signature
d= is the signing domain, s= is the selector. The receiver fetches the public key from s._domainkey.d. bh= is the body hash; b= is the signature over the listed headers.
Wrong vs correct setup
Mismatched domain or selector
d=mail.example.com; s=selector1
DNS: selector1._domainkey.example.com
The header says d=mail.example.com, so the receiver queries selector1._domainkey.mail.example.com, but the DNS record is published under example.com. Alignment fails when the From domain is example.com and d= does not match.
Aligned signature
d=example.com; s=selector1
DNS: selector1._domainkey.example.com
The signing domain matches the DNS location. For DMARC alignment, d= should match or be a subdomain of the From domain.
Why the signature matters
The signature proves the message was not altered in transit. If the body or signed headers change after signing, the verification fails. Gateways, mailing lists, and forwarded mail often cause body hash mismatches.
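One way to reproduce the two checks described above offline, as an added example rather than code from this page or its tool: it derives the DNS lookup name from s= and d= and recomputes bh= using the body canonicalization rules in RFC 6376. The c=relaxed/relaxed tag, the sample bodies and the function names are constructed for illustration; verifying b= and handling the l= tag are not covered.

```python
import base64
import hashlib
import re

def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into {tag: value}, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def dns_key_name(tags: dict) -> str:
    """Name the receiver queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def canonicalize_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 section 3.4 body canonicalization, mode 'simple' or 'relaxed'."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse space/tab runs, drop whitespace at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end are ignored
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def compute_bh(body: bytes, tags: dict) -> str:
    """Recompute bh= with the hash named in a= and the body mode named in c=."""
    hash_name = tags["a"].split("-")[1]  # rsa-sha256 -> sha256
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    digest = hashlib.new(hash_name, canonicalize_body(body, body_mode)).digest()
    return base64.b64encode(digest).decode()

def check(header_value: str, body: bytes, published_name: str) -> dict:
    tags = parse_tags(header_value)
    return {"lookup": dns_key_name(tags),
            "name_matches": dns_key_name(tags) == published_name.rstrip(".").lower(),
            "bh_ok": compute_bh(body, tags) == tags["bh"]}

# Constructed sample: the body as signed, then as delivered after a gateway footer.
SIGNED_BODY = b"Hello,\r\n\r\nInvoice attached.\r\n"
DELIVERED_BODY = SIGNED_BODY + b"-- \r\nScanned by gateway\r\n"
BH = compute_bh(SIGNED_BODY, {"a": "rsa-sha256", "c": "relaxed/relaxed"})
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;\r\n"
          " h=From:To:Subject:Date; bh=" + BH + "; b=base64signature")
for delivered in (SIGNED_BODY, DELIVERED_BODY):
    print(check(HEADER, delivered, "selector1._domainkey.example.com"))
```

With relaxed body canonicalization, trailing whitespace and extra blank lines at the end of the body do not change bh=, while the appended footer does; with simple canonicalization even a trailing space changes it.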
Why signature verification fails
- Body hash mismatch when content is modified after signing.
- Selector or domain mismatch between header and DNS.
- Expired or missing public key in DNS.
- Wrong headers included in the signed set.
How signatures affect deliverability
Passing DKIM verification is a strong trust signal. When signatures fail, receivers treat the message with less confidence. Fixing alignment and body hash issues restores full DKIM value for deliverability.
Common verification failures
- A gateway or relay modified the message body.
- Footer insertion or tracking pixels changed the body.
- The selector in the header does not match DNS.
- The signing domain (d=) does not align with From.
What we checked
We inspect DKIM-Signature headers when available and compare d= and s= to DNS. We also flag common causes of body hash mismatch.
FAQ
What is the body hash (bh=)?
bh= is a hash of the message body. If the body changes after signing, the hash no longer matches and verification fails.
What does h= specify?
h= lists the headers that were signed. The receiver recomputes the signature over those headers to verify integrity.
Why does forwarding break DKIM?
Forwarding often adds headers or modifies the body. The original signature no longer matches, so verification fails.
Next steps
- Inspect the DKIM-Signature header in a test message.
- Verify d= and s= match your DNS record location.
- Check for modifications (gateways, footers) that affect the body.
- Ensure signing happens after all content changes.
- Re-test with a clean delivery path.
- Review the full troubleshooting guidance in the DKIM Hub.
- Explore sender authorization issues in the SPF Hub.
- Review alignment and policy issues in the DMARC Hub.