SparkPost’s free DKIM and SPF tools help you troubleshoot these notoriously fiddly email authentication standards. Here are quick explanations of common SPF and DKIM errors and warnings these tools will report. Want to learn more about using DKIM and SPF to improve your email sending? Get the lowdown on email authentication and best practices for email deliverability from SparkPost’s email experts.

DKIM Errors

These are explanations of common errors you could get from the SparkPost DKIM Validator.

No DKIM-Signature header

We need a DKIM-Signature header in order to test whether it is valid.

Invalid DKIM-Signature format

The DKIM-Signature we found doesn’t match the required format.

DKIM-Signature must start with v tag

The version (v) tag is required, and must be first in the list.

DKIM-Signature missing required tag

There are several required tags in a DKIM-Signature header: version (v), algorithm (a), signature (b), body hash (bh), domain (d), selector (s), and headers (h). Unrecognized tags are ignored.

DKIM-Signature contains duplicate tag

Valid tags may only be present once, otherwise the entire signature is considered invalid.

DKIM-Signature h tag doesn't contain From

The From header must be included in the headers (h) tag.

DKIM-Signature i tag not subdomain of d tag

If the optional signing identity (i) tag is present (its value is usually an email address), its domain must equal, or be a subdomain of, the domain in the d tag.

DKIM-Signature expired

If the expiration (x) tag is present, and the time it specifies is in the past, then the signature has expired and is invalid.

Invalid signing algorithm

Valid signing algorithms are rsa-sha1 and rsa-sha256 – using anything else is an error.

Invalid canonicalization method

Valid canonicalization methods are simple and relaxed. Canonicalization refers to how the signer and recipient make sure they are operating on exactly the same message contents. For example, relaxed canonicalization requires that two or more spaces in a row be replaced with a single space.
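The signature-header checks above (from "No DKIM-Signature header" through "Invalid canonicalization method"), together with the Date/Subject warning described later under "Signing the {header} header is strongly recommended!", are all structural checks on the tag list, so they fit in one small validator. The following Python is an added example written for this page, not SparkPost's validator code. The two sample headers are constructed: their b= and bh= values are placeholders, not real signature data, and the reported strings are simply the messages from this list.

```python
import re
import time

# Tags that RFC 6376 requires in every DKIM-Signature header
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "s", "h")
VALID_ALGORITHMS = ("rsa-sha1", "rsa-sha256")
VALID_CANON = ("simple", "relaxed")
RECOMMENDED_HEADERS = ("date", "subject")


def parse_tag_list(value):
    """Split a tag=value list into ordered (name, value) pairs.

    Returns None when the text is not a tag list. Folding whitespace inside
    a value (a base64 b= tag wrapped over several lines) is removed.
    """
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            return None
        pairs.append((name, "".join(val.split())))
    return pairs or None


def check_dkim_signature(header_value, now=None):
    """Return (errors, warnings) for one DKIM-Signature header value.

    These are the structural checks that run before any DNS lookup or
    cryptographic verification: an empty error list means "well-formed",
    not "authentic". `now` is a Unix timestamp used for the x= check.
    """
    if header_value is None:
        return ["No DKIM-Signature header"], []
    pairs = parse_tag_list(header_value)
    if pairs is None:
        return ["Invalid DKIM-Signature format"], []
    errors, warnings = [], []
    names = [n for n, _ in pairs]
    if names[0] != "v":
        errors.append("DKIM-Signature must start with v tag")
    for name in sorted(set(n for n in names if names.count(n) > 1)):
        errors.append("DKIM-Signature contains duplicate tag: " + name)
    tags = dict(pairs)  # unrecognized tags stay in the dict and are simply ignored
    for req in REQUIRED_TAGS:
        if req not in tags:
            errors.append("DKIM-Signature missing required tag: " + req)
    if "h" in tags:
        signed = [h.lower() for h in tags["h"].split(":") if h]
        if "from" not in signed:
            errors.append("DKIM-Signature h tag doesn't contain From")
        for rec in RECOMMENDED_HEADERS:
            if rec not in signed:
                warnings.append("Signing the %s header is strongly recommended!" % rec)
    if "i" in tags and "d" in tags:
        # i= is an agent or user identifier; only its domain part is compared
        idom = tags["i"].rpartition("@")[2].lower()
        d = tags["d"].lower()
        if idom != d and not idom.endswith("." + d):
            errors.append("DKIM-Signature i tag not subdomain of d tag")
    if "x" in tags:
        try:
            if int(tags["x"]) < (time.time() if now is None else now):
                errors.append("DKIM-Signature expired")
        except ValueError:
            errors.append("Invalid DKIM-Signature format")
    if "a" in tags and tags["a"].lower() not in VALID_ALGORITHMS:
        errors.append("Invalid signing algorithm")
    # c= defaults to simple/simple; a single value applies to the headers only
    for method in tags.get("c", "simple").lower().split("/"):
        if method not in VALID_CANON:
            errors.append("Invalid canonicalization method")
            break
    return errors, warnings


# Constructed sample headers: b= and bh= are placeholders, not real signature data
GOOD_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;"
    " h=from:to:subject:date; i=@mail.example.com;"
    " bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=dGVzdA=="
)
BAD_SIGNATURE = (
    "a=rsa-md5; v=1; c=strict; d=example.com; s=sel1; h=to:subject;"
    " i=@other.example.org; x=1; bh=dGVzdA=="
)

if __name__ == "__main__":
    for label, sig in (("good", GOOD_SIGNATURE), ("bad", BAD_SIGNATURE)):
        errs, warns = check_dkim_signature(sig)
        print(label, "errors:", errs, "warnings:", warns)
```

Running it on the bad sample reports seven of the errors from this list at once (wrong first tag, missing b tag, From not signed, i outside d, expired, unknown algorithm, unknown canonicalization) plus the Date warning, which is the point of doing the structural checks before spending a DNS lookup or an RSA operation on the message.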

Public key not available from DNS

When we receive a signed message, in order to verify the signature, we need to get some data stored in the sending domain’s DNS. If we can’t get that data, we can’t verify the message. It’s possible that this is a temporary error.

Public key in incorrect location

A common error when setting up DKIM in DNS is doubling up the domain, so that DKIM info is available at foo._domainkey.example.com.example.com instead of foo._domainkey.example.com – this is usually due to unintuitive DNS configuration user interfaces.

Invalid DKIM record format

The data we retrieved from DNS isn’t a valid DKIM record.

DKIM record contains duplicate tag

Valid tags may only be present once, otherwise the entire record is considered invalid.

DKIM record missing required tag

The tag containing the public key (p) is the only one that’s required in a DKIM record.

Invalid DKIM record version, use DKIM1

There is only one version of DKIM records as of this writing. Using anything else is an error.

DKIM record has invalid hashing algorithm

The DKIM spec allows for one of two values for the “hashing algorithm” (h) tag: sha1 or sha256. Using anything else is an error.

DKIM record has invalid key type

The DKIM spec allows only one value for the key type (k) tag as of this writing – RSA. Using anything else is an error.

DKIM record has been revoked

DKIM records published to DNS with an empty p tag indicate a key that the sender has revoked.

DKIM record has invalid service type

The DKIM spec allows for one of two values for the “service type” (s) tag: * or email. Using anything else is an error.

Mismatch between signature and record

There are differences between the tags in the DKIM-Signature we received, and the DKIM data we retrieved from DNS.

Invalid key format

Key data must be base64-encoded.
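The record-side checks above (from "Public key not available from DNS" through "Invalid key format") all operate on the TXT record fetched from the name selector._domainkey.domain. The following Python is an added example, not SparkPost's code, that applies them to a record value. It performs no DNS lookup itself; the sample records and the placeholder key are constructed (the key is base64 of a text label, not an RSA key), and the doubled-zone detector is a heuristic written for this example.

```python
import base64
import binascii

VALID_HASHES = ("sha1", "sha256")
VALID_SERVICES = ("*", "email")


def dkim_query_name(selector, domain):
    """The one place a verifier looks for the key: <selector>._domainkey.<domain>."""
    return "%s._domainkey.%s" % (selector, domain.strip("."))


def has_doubled_zone(query_name):
    """Heuristic for the doubled-domain mistake: the labels after _domainkey
    repeat, as in foo._domainkey.example.com.example.com."""
    _, _, tail = query_name.partition("._domainkey.")
    labels = tail.strip(".").split(".")
    half = len(labels) // 2
    return len(labels) % 2 == 0 and labels[:half] == labels[half:]


def parse_dkim_record(txt):
    """Return (tag names in order, {tag: value}) or None if txt is not a tag list."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or any("=" not in p for p in parts):
        return None
    names = [p.partition("=")[0].strip() for p in parts]
    return names, {n: "".join(p.partition("=")[2].split()) for n, p in zip(names, parts)}


def check_dkim_record(txt):
    """Apply the record-level checks from the list above to one TXT record value."""
    parsed = parse_dkim_record(txt)
    if parsed is None:
        return ["Invalid DKIM record format"]
    names, tags = parsed
    errors = []
    for name in sorted(set(n for n in names if names.count(n) > 1)):
        errors.append("DKIM record contains duplicate tag: " + name)
    if "p" not in tags:
        errors.append("DKIM record missing required tag: p")
    if "v" in tags and tags["v"] != "DKIM1":
        errors.append("Invalid DKIM record version, use DKIM1")
    # h= and s= are colon-separated lists; when absent, any value is acceptable
    if "h" in tags and not set(tags["h"].lower().split(":")) <= set(VALID_HASHES):
        errors.append("DKIM record has invalid hashing algorithm")
    if "k" in tags and tags["k"].lower() != "rsa":
        errors.append("DKIM record has invalid key type")
    if "s" in tags and not set(tags["s"].split(":")) <= set(VALID_SERVICES):
        errors.append("DKIM record has invalid service type")
    if "p" in tags:
        if tags["p"] == "":
            errors.append("DKIM record has been revoked")
        else:
            try:
                base64.b64decode(tags["p"], validate=True)
            except binascii.Error:
                errors.append("Invalid key format")
    return errors


def check_signature_against_record(signature_tags, record_tags):
    """The 'Mismatch between signature and record' check: the record's h= and k=
    restrictions must admit the algorithm named in the signature's a= tag."""
    key_type, _, hash_alg = signature_tags.get("a", "").lower().partition("-")
    mismatches = []
    if "h" in record_tags and hash_alg not in record_tags["h"].lower().split(":"):
        mismatches.append("hash %s not allowed by record h tag" % hash_alg)
    if "k" in record_tags and key_type != record_tags["k"].lower():
        mismatches.append("key type %s does not match record k tag" % key_type)
    return mismatches


# Constructed sample records; the "key" is base64 of a label, not an RSA key
PLACEHOLDER_KEY = base64.b64encode(b"constructed placeholder, not a real key").decode()
GOOD_RECORD = "v=DKIM1; k=rsa; h=sha256; s=email; p=" + PLACEHOLDER_KEY
REVOKED_RECORD = "v=DKIM1; k=rsa; p="
BAD_RECORD = "v=DKIM2; k=ed25519; h=sha256; h=md5; s=smtp; p=not*base64"

if __name__ == "__main__":
    print(dkim_query_name("sel1", "example.com"))
    for rec in (GOOD_RECORD, REVOKED_RECORD, BAD_RECORD):
        print(rec[:40], "->", check_dkim_record(rec))
```

A record that passes check_dkim_record is syntactically publishable; whether it actually pairs with a given signature is the separate check_signature_against_record step, which is why a record restricted to h=sha256 rejects an rsa-sha1 signature even though both are valid on their own.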

Body hash did not verify

This is where we get into actually verifying the contents of the message. Verifying the SHA hash of the message body is the first step, and success here still does not mean that the message is authentic.
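Body hash verification is mechanical once the body has been canonicalized, so here is an added Python example of that step; it is not SparkPost's code. It implements the simple and relaxed body canonicalizations from RFC 6376 section 3.4, recomputes bh= and compares. The sample bodies are constructed, and the one fixed expected value used below is the base64 SHA-256 of the empty string, which is what bh= is for an empty body under relaxed canonicalization.

```python
import base64
import hashlib
import re


def canonicalize_body(body, method="simple"):
    """Return the canonical form of a message body as bytes (RFC 6376 section 3.4).

    'simple' only removes empty lines at the end of the body; 'relaxed' also
    strips trailing whitespace from each line and collapses runs of spaces
    and tabs into a single space. Both ensure the result ends in CRLF.
    """
    if method not in ("simple", "relaxed"):
        raise ValueError("Invalid canonicalization method: %s" % method)
    lines = body.replace("\r\n", "\n").split("\n")  # bare LF is tolerated on input
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    # Drop trailing empty lines; under simple, a line of spaces is not "empty"
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n" if method == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def compute_body_hash(body, method="simple", hash_name="sha256"):
    """Compute the bh= value: base64 of the hash over the canonicalized body.
    hash_name is the part of the a= tag after 'rsa-', i.e. sha1 or sha256."""
    digest = hashlib.new(hash_name, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_verifies(body, bh_tag, method="simple", hash_name="sha256"):
    """The 'Body hash did not verify' check: recompute bh= and compare.
    Passing here says nothing about who signed; that is the signature step."""
    return compute_body_hash(body, method, hash_name) == bh_tag


# Constructed sample bodies that differ only in whitespace
BODY_A = "Hello world\r\nSecond line\r\n"
BODY_B = "Hello    world  \r\nSecond\tline\r\n\r\n\r\n"

if __name__ == "__main__":
    for method in ("simple", "relaxed"):
        print(method, compute_body_hash(BODY_A, method), compute_body_hash(BODY_B, method))
```

The two sample bodies hash identically under relaxed canonicalization and differently under simple, which is exactly the trade-off the c tag encodes: relaxed survives the whitespace rewriting some mail relays do, at the cost of not detecting those changes.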

Signature did not verify

This step uses the RSA key retrieved from DNS, and verifies that the contents of the user-specified headers are the same as when the message was sent. One subtle but important point is that we are also verifying the contents of the DKIM-Signature header itself. Since that header contains a hash of the body of the message, we’re indirectly verifying the contents of the body along with the specified headers. The value of the b tag is removed before comparing, since that encrypted hash is what we’re verifying in this step.

Signing the {header} header is strongly recommended!

Refers to the date and subject header. The verifier will warn if these headers are not included in the

A HELPFUL NOTE: The choice of which header fields to sign is non-obvious. One strategy is to sign all existing, non-repeatable header fields. An alternative strategy is to sign only header fields that are likely to be displayed to or otherwise be likely to affect the processing of the message at the receiver. A third strategy is to sign only “well-known” headers. Note that Verifiers may treat unsigned header fields with extreme skepticism, including refusing to display them to the end user or even ignoring the signature if it does not cover certain header fields. For this reason, signing fields present in the message such as Date, Subject, Reply-To, Sender, and all MIME header fields are highly advised.

DKIM public key not found

We could not find a DNS entry that matches your selector and domain.

SPF Errors

These are common errors you might see when using the SparkPost SPF Inspector.

No valid version found, record must start with 'v=spf1'

A properly formatted SPF record is a DNS TXT record that must start with a version indicator, specifically “v=spf1”.

Modifiers like {modifier} may appear only once in an SPF string

Redirect and exp modifiers can only be included once.

One or more duplicate mechanisms were found in the policy

The same mechanism, covering the same domains/IPs, has been included more than once.

SPF strings should always either use an all mechanism or a redirect modifier to explicitly terminate processing.

An SPF string must end with either a redirect modifier or an all mechanism.

One or more mechanisms were found after the all mechanism. These mechanisms will be ignored

SPF record processing stops once an all mechanism is encountered, so anything after the all will be ignored.

The redirect modifier will not be used, because the SPF string contains an all mechanism. A redirect modifier is only used after all mechanisms fail to match, but all will always match.

An all mechanism after a redirect modifier will cause the redirect to be ignored.

Unknown standalone term '{term}'

A term found in the SPF record is not one of the valid SPF terms (v, a, mx, etc.).

Missing or blank mandatory network specification for the 'ip4' mechanism.

The ip4 mechanism must be followed by an IPv4 network specification and an optional CIDR length mask.

Invalid IP address: '{ip}'

IP network specifications following the ip4 mechanism must be properly formatted IPv4 addresses (e.g., dotted quads, with each number ranging from 0 to 255, inclusive).

Invalid CIDR format: '{value}'

The CIDR length mask specified is either out of range or otherwise incorrect.

Missing or blank mandatory network specification for the 'ip6' mechanism.

The ip6 mechanism must be followed by an IPv6 network specification and an optional CIDR length mask.

Invalid IPv6 address: '{ip}'

IP network specifications following the ip6 mechanism must be properly formatted IPv6 addresses.

Invalid CIDR format: '{value}'

The CIDR length mask specified is either out of range or otherwise incorrect.

Blank argument for the '{name}' mechanism

This means the record is incorrectly formatted: we have found a : or / with no trailing information.

Invalid domain for the '{name}' mechanism: '{value}'

The domain specified with the a, mx, or ptr mechanism is improperly formatted.

Missing mandatory argument for the '{name}' mechanism

This term requires an argument, but it is missing, e.g., a bare redirect with no value.

Blank argument for the '{name}' mechanism

Similar to the above error, but the assignment operator is present, e.g., redirect=.

Invalid domain for the '{name}' mechanism: '{value}'

The domain specified with the a, mx, or ptr mechanism is improperly formatted.

Resolution requiring more than 10 DNS lookups

The SPF specification limits the total number of DNS lookups needed to resolve an SPF record to ten.
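Apart from the lookup limit, which in a real evaluation also counts the lookups made while following include and redirect, every SPF check above is a static check on the text of a single record. The following Python is an added example, not SparkPost's SPF Inspector code: it parses one record offline, reports the conditions listed above using the same messages, and counts only this record's own DNS-querying terms, so its lookup count is a lower bound on the real total. The sample records are constructed.

```python
import ipaddress
import re

MECH_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)(?:([:/])(.*))?$", re.I)
MOD_RE = re.compile(r"^([a-z][a-z0-9_.-]*)=(.*)$", re.I)
DOMAIN_RE = re.compile(r"^([a-z0-9_-]{1,63}\.)+[a-z0-9-]{1,63}\.?$", re.I)
DUAL_CIDR_RE = re.compile(r"^(/\d+)?(//\d+)?$")  # /24, //64 or /24//64
KNOWN_MECHANISMS = ("all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists")
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # count toward the limit of ten


def _check_domain(name, value, errors):
    # Macros such as %{d} expand at check time, so only literal domains are validated
    if "%" not in value and not DOMAIN_RE.match(value):
        errors.append("Invalid domain for the '%s' mechanism: '%s'" % (name, value))


def _check_dual_cidr(cidr, errors):
    m = DUAL_CIDR_RE.match(cidr)
    if not m or (m.group(1) and int(m.group(1)[1:]) > 32) or (m.group(2) and int(m.group(2)[2:]) > 128):
        errors.append("Invalid CIDR format: '%s'" % cidr)


def _check_ip(name, spec, errors):
    if not spec:
        errors.append("Missing or blank mandatory network specification for the '%s' mechanism." % name)
        return
    addr, slash, cidr = spec.partition("/")
    factory, maxlen, label = ((ipaddress.IPv4Address, 32, "IP address") if name == "ip4"
                              else (ipaddress.IPv6Address, 128, "IPv6 address"))
    try:
        factory(addr)
    except ValueError:
        errors.append("Invalid %s: '%s'" % (label, addr))
    if slash and not (cidr.isdigit() and int(cidr) <= maxlen):
        errors.append("Invalid CIDR format: '%s'" % cidr)


def check_spf_record(record):
    """Static checks on one SPF record; returns (errors, warnings). Anything that
    needs DNS (lookups inside included records, missing A/AAAA/MX records, more
    than one TXT record) is out of scope, so the lookup count is a lower bound."""
    errors, warnings = [], []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["No valid version found, record must start with 'v=spf1'"], warnings
    mechanisms, modifiers, lookups, saw_all = [], {}, 0, False
    for term in terms[1:]:
        mod = MOD_RE.match(term)
        if mod:
            name, value = mod.group(1).lower(), mod.group(2)
            if name in modifiers:
                errors.append("Modifiers like %s may appear only once in an SPF string" % name)
            modifiers[name] = value
            if name in ("redirect", "exp"):
                if not value:
                    errors.append("Blank argument for the '%s' mechanism" % name)
                else:
                    _check_domain(name, value, errors)
                if name == "redirect":
                    lookups += 1
            continue  # other modifiers are unknown and ignored, as RFC 7208 requires
        mech = MECH_RE.match(term)
        if not mech or mech.group(2).lower() not in KNOWN_MECHANISMS:
            errors.append("Unknown standalone term '%s'" % term)
            continue
        name, sep, rest = mech.group(2).lower(), mech.group(3), mech.group(4) or ""
        if saw_all:
            warnings.append("One or more mechanisms were found after the all mechanism. "
                            "These mechanisms will be ignored")
        key = (name, sep, rest.lower())
        if key in mechanisms:
            errors.append("One or more duplicate mechanisms were found in the policy")
        mechanisms.append(key)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            saw_all = True
        elif name in ("ip4", "ip6"):
            _check_ip(name, rest if sep == ":" else "", errors)
        elif sep and not rest:
            errors.append("Blank argument for the '%s' mechanism" % name)
        elif not sep and name in ("include", "exists"):
            errors.append("Missing mandatory argument for the '%s' mechanism" % name)
        elif sep == ":":  # a:domain[/cidr], mx:domain, ptr:domain, include:domain, exists:domain
            domain, slash, tail = rest.partition("/")
            _check_domain(name, domain, errors)
            if slash:
                _check_dual_cidr("/" + tail, errors)
        elif sep == "/":  # a/24, mx/24//64
            _check_dual_cidr("/" + rest, errors)
    if "redirect" in modifiers and saw_all:
        warnings.append("The redirect modifier will not be used, because the SPF string contains an all mechanism")
    if not saw_all and "redirect" not in modifiers:
        warnings.append("SPF strings should always either use an all mechanism or a redirect modifier "
                        "to explicitly terminate processing.")
    if lookups > 10:
        errors.append("Resolution requiring more than 10 DNS lookups")
    return errors, warnings


# Constructed sample records
GOOD_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.example.net mx -all"
BAD_SPF = ("v=spf1 ip4:192.0.2.300 ip4:192.0.2.0/33 ip6: a:bad_domain include a: "
           "redirect=example.org redirect=example.org foo:bar -all mx")

if __name__ == "__main__":
    for rec in (GOOD_SPF, BAD_SPF):
        print(rec, "->", check_spf_record(rec))
```

The bad sample produces eight errors and two warnings in one pass, which is the behaviour you want from a checker run before publishing: a receiver evaluating the same record would stop at the first permerror and treat the whole policy as unusable.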

Problem retrieving TXT records for {domain}

Could not find a DNS TXT record for this domain.

{domain} does not have an SPF record

Could not find a valid SPF record for this domain.

{domain} has more than 1 SPF record

A domain may have exactly one SPF record.

Cannot find {recordType} records for {domain}

There is a missing DNS record, either A, AAAA, or MX.