What does “Invalid DKIM signature” mean?

Last updated on July 1, 2019

You may have received feedback from someone who tried to send you an email and had it refused with a message mentioning the DKIM signature.

DKIM stands for DomainKeys Identified Mail. It’s “an email authentication method designed to detect forged sender addresses in emails (email spoofing), a technique often used in phishing and email spam.”

In short, the sender's mail server hashes the body of the email and a chosen set of its headers, then signs the result with the sender's private key. The signature, the list of signed headers and the body hash are added to the email as a “DKIM-Signature” header.

When we receive an email carrying a DKIM signature, we recompute the hashes over the same headers and body, fetch the sender's public key from DNS, and check that the signature in the header is valid for what we recomputed.

If that check fails, either the content was altered after it was signed or the key published in DNS is not the one that produced the signature, and the email is rejected with an “Invalid DKIM Signature” message.

If the sender is legitimate, this usually means a configuration mismatch between their email sending provider and their DNS. The DKIM public key used for verification must be published as a TXT record in the DNS of the sender's domain, at the name selector._domainkey.domain, where the selector is the one the sending provider writes in the s= tag of its signatures. Typical causes are a record that was never created, or a provider that rotated to a new key or selector while the DNS still holds the old record. A message that was modified after signing, for example by a mailing list that appends a footer, fails in the same way even though the key is correct.
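As an added example (not code from this page or from its maintainers), the following Python script performs the first step of the verification described above: it parses a DKIM-Signature header, recomputes the body hash using the canonicalization named in the c= tag, and compares it with the bh= tag. It also derives the DNS name of the public key record from the s= and d= tags. It does not check the b= cryptographic signature itself, which needs the public key fetched from DNS. The message body, the domain example.com and the selector sel2019 are constructed for the demo.

```python
"""Check the body-hash (bh=) tag of a DKIM-Signature header and derive the
DNS name where the signer's public key must be published. Standard library
only; the cryptographic check of the b= tag is out of scope here."""
import base64
import hashlib
import re

CRLF = "\r\n"


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header value into a dict of tag -> value.
    Folding whitespace inside values (common in b= and bh=) is dropped."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, mode="relaxed"):
    """Body canonicalization per RFC 6376 section 3.4.3 (simple) and 3.4.4
    (relaxed). Both drop empty lines at the end of the body; relaxed also
    collapses runs of spaces/tabs to one space and strips trailing
    whitespace on every line."""
    lines = body.split(CRLF)
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # An empty body canonicalizes to a single CRLF under simple and to
        # nothing at all under relaxed.
        return b"" if mode == "relaxed" else CRLF.encode()
    return (CRLF.join(lines) + CRLF).encode()


def compute_body_hash(body, mode="relaxed", hash_name="sha256"):
    """Base64 of the hash over the canonicalized body, as carried in bh=."""
    digest = hashlib.new(hash_name, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(header_value, body):
    """First check a verifier performs: does bh= equal the hash of the body
    as received? The a= tag names the hash (rsa-sha256 -> sha256) and the
    second half of c= names the body canonicalization (default: simple)."""
    tags = parse_dkim_tags(header_value)
    hash_name = tags.get("a", "rsa-sha256").rsplit("-", 1)[-1]
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/", 1)[1] if "/" in canon else "simple"
    return compute_body_hash(body, body_mode, hash_name) == tags.get("bh")


def dkim_dns_name(header_value):
    """DNS name of the TXT record holding the public key for this signature:
    <selector>._domainkey.<signing domain>, taken from the s= and d= tags."""
    tags = parse_dkim_tags(header_value)
    return "{}._domainkey.{}".format(tags["s"], tags["d"])


def build_sample_signature(body):
    """Constructed DKIM-Signature header value for the demo, with bh= set to
    the hash of `body`. example.com and the selector sel2019 are made up, and
    b= is left empty because no private key is involved in this example."""
    bh = compute_body_hash(body, "relaxed")
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2019; "
            "h=from:to:subject:date; bh=" + bh + "; b=")


# Constructed sample body, not taken from a real message.
SAMPLE_BODY = "Hello,\r\n\r\nPlease find the invoice attached.\r\n"

if __name__ == "__main__":
    header = build_sample_signature(SAMPLE_BODY)
    print("public key record:", dkim_dns_name(header))
    print("untouched body   :", body_hash_matches(header, SAMPLE_BODY))
    # A relay that appends a footer after signing breaks the body hash.
    modified = SAMPLE_BODY + "-- \r\nThis message was scanned by a relay.\r\n"
    print("modified body    :", body_hash_matches(header, modified))
```

When bh= matches but the message is still refused, the problem is the key pair rather than the content: the TXT record at the name the script prints must hold the public key that matches the private key the sending provider is using. When bh= does not match, something between the sender and us changed the body after it was signed, and the sender's provider cannot fix that from DNS.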

If you can, ask the sender to send a test email to this service: https://tools.sparkpost.com/dkim and check the result. The report usually explains the cause, and the sender will be able to fix the issue. If the service indicates that everything is fine, don't hesitate to reach out to us and we will investigate.