SPF & DKIM Errors Help For SparkPost Tools

SparkPost’s free DKIM and SPF tools help you troubleshoot these notoriously fiddly email authentication standards. Here are quick explanations of common SPF and DKIM errors and warnings these tools will report. Want to learn more about using DKIM and SPF to improve your email sending? Get the lowdown on email authentication and best practices for email deliverability from SparkPost’s email experts.

DKIM Errors

These are explanations of common errors you could get from the SparkPost DKIM Validator.

No DKIM-Signature header

We need a DKIM-Signature header in order to test whether it is valid.

Invalid DKIM-Signature format

The DKIM-Signature we found doesn’t match the required format.

DKIM-Signature must start with v tag

The version (v) tag is required, and must be first in the list.

DKIM-Signature missing required tag

There are several required tags in a DKIM-Signature header: version (v), algorithm (a), signature (b), body hash (bh), domain (d), selector (s), and headers (h). Unrecognized tags are ignored.

DKIM-Signature contains duplicate tag

Valid tags may only be present once; otherwise the entire signature is considered invalid.

DKIM-Signature h tag doesn’t contain From

The From header must be included in the headers (h) tag.

DKIM-Signature i tag not subdomain of d tag

If the optional signing identity (i) tag is present (its value is usually an email address), its domain must equal, or be a subdomain of, the domain in the d tag.

DKIM-Signature expired

If the expiration (x) tag is present, and the time it specifies is in the past, then the signature has expired and is invalid.

Invalid signing algorithm

Valid signing algorithms are rsa-sha1 and rsa-sha256 – using anything else is an error.

Invalid canonicalization method

Valid canonicalization methods are simple and relaxed. Canonicalization refers to how the signer and recipient make sure they are operating on exactly the same message contents. For example, relaxed canonicalization requires that two or more spaces in a row be replaced with a single space.
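
The DKIM-Signature checks listed above (required tags, v first, duplicate tags, From in h, i under d, expiry, algorithm, canonicalization), as an added Python example that is not SparkPost's validator code; it assumes the header value has already been unfolded into one line:

```python
import time

REQUIRED = ("v", "a", "b", "bh", "d", "s", "h")
ALGORITHMS = ("rsa-sha1", "rsa-sha256")
CANON = ("simple", "relaxed")

def parse_tags(value, what="DKIM-Signature"):
    """Split an RFC 6376 tag=value list into ordered pairs; duplicates invalidate the whole list."""
    pairs = [p.split("=", 1) for p in value.split(";") if p.strip()]
    if any(len(p) != 2 for p in pairs):
        raise ValueError("Invalid %s format" % what)
    tags = [(k.strip(), v.strip()) for k, v in pairs]
    if len(dict(tags)) != len(tags):
        raise ValueError("%s contains duplicate tag" % what)
    return tags

def check_signature(header, now=None):
    """Return the errors the validator would report for an (unfolded) DKIM-Signature header value."""
    try:
        tags = parse_tags(header)
    except ValueError as e:
        return [str(e)]
    errors, t = [], dict(tags)
    if not tags or tags[0][0] != "v":
        errors.append("DKIM-Signature must start with v tag")
    for name in REQUIRED:
        if name not in t:
            errors.append("DKIM-Signature missing required tag: " + name)
    if "h" in t and "from" not in [h.strip().lower() for h in t["h"].split(":")]:
        errors.append("DKIM-Signature h tag doesn't contain From")
    if "i" in t and "d" in t:  # i is usually an address; its domain must be d or a subdomain of d
        idom, d = t["i"].rsplit("@", 1)[-1].lower(), t["d"].lower()
        if idom != d and not idom.endswith("." + d):
            errors.append("DKIM-Signature i tag not subdomain of d tag")
    if "x" in t and t["x"].isdigit() and int(t["x"]) < (now or time.time()):
        errors.append("DKIM-Signature expired")
    if "a" in t and t["a"] not in ALGORITHMS:
        errors.append("Invalid signing algorithm")
    for method in t.get("c", "simple").split("/"):  # header/body canonicalization; body defaults to simple
        if method not in CANON:
            errors.append("Invalid canonicalization method")
    return errors
```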

Public key not available from DNS

When we receive a signed message, in order to verify the signature, we need to get some data stored in the sending domain’s DNS. If we can’t get that data, we can’t verify the message. It’s possible that this is a temporary error.

Public key in incorrect location

A common error when setting up DKIM in DNS is doubling up the domain, so that DKIM info is available at foo._domainkey.example.com.example.com instead of foo._domainkey.example.com – this is usually due to unintuitive DNS configuration user interfaces.

Invalid DKIM record format

The data we retrieved from DNS isn’t a valid DKIM record.

DKIM record contains duplicate tag

Valid tags may only be present once; otherwise the entire record is considered invalid.

DKIM record missing required tag

The tag containing the public key (p) is the only one that’s required in a DKIM record.

Invalid DKIM record version, use DKIM1

There is only one version of DKIM records as of this writing. Using anything else is an error.

DKIM record has invalid hashing algorithm

The DKIM spec allows for one of two values for the “hashing algorithm” (h) tag: sha1 or sha256. Using anything else is an error.

DKIM record has invalid key type

The DKIM spec allows only one value for the key type (k) tag as of this writing – RSA. Using anything else is an error.

DKIM record has been revoked

DKIM records published to DNS with an empty p tag indicate a key that the sender has revoked.

DKIM record has invalid service type

The DKIM spec allows for one of two values for the “service type” (s) tag: * or email. Using anything else is an error.

Mismatch between signature and record

There are differences between the tags in the DKIM-Signature we received, and the DKIM data we retrieved from DNS.

Invalid key format

Key data must be base64-encoded.
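
The DKIM DNS record checks above (required p tag, record version, hashing algorithm, key type, revocation, service type, base64 key data), as an added Python example that is not SparkPost's code; it takes the TXT string already fetched from DNS:

```python
import base64
import binascii

HASHES = ("sha1", "sha256")
SERVICES = ("*", "email")

def parse_tags(value, what="DKIM record"):
    """Split an RFC 6376 tag=value list; duplicates invalidate the whole list."""
    pairs = [p.split("=", 1) for p in value.split(";") if p.strip()]
    if any(len(p) != 2 for p in pairs):
        raise ValueError("Invalid %s format" % what)
    tags = [(k.strip(), v.strip()) for k, v in pairs]
    if len(dict(tags)) != len(tags):
        raise ValueError("%s contains duplicate tag" % what)
    return tags

def check_record(txt):
    """Return the errors the validator would report for the TXT data at <selector>._domainkey.<domain>."""
    try:
        t = dict(parse_tags(txt))
    except ValueError as e:
        return [str(e)]
    errors = []
    if t.get("v", "DKIM1") != "DKIM1":  # v is optional in a record, but if present it must be DKIM1
        errors.append("Invalid DKIM record version, use DKIM1")
    if "p" not in t:
        errors.append("DKIM record missing required tag: p")
    elif t["p"] == "":  # an empty p tag is how a signer publishes a revocation
        errors.append("DKIM record has been revoked")
    else:
        try:
            base64.b64decode("".join(t["p"].split()), validate=True)  # whitespace inside p is allowed
        except binascii.Error:
            errors.append("Invalid key format")
    for h in t.get("h", "sha1:sha256").split(":"):  # acceptable hash algorithms, colon-separated
        if h not in HASHES:
            errors.append("DKIM record has invalid hashing algorithm")
    if t.get("k", "rsa") != "rsa":
        errors.append("DKIM record has invalid key type")
    for s in t.get("s", "*").split(":"):  # service types, colon-separated
        if s not in SERVICES:
            errors.append("DKIM record has invalid service type")
    return errors
```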

Body hash did not verify

This is where we get into actually verifying the contents of the message. Verifying the SHA hash of the message body is the first step, and success here still does not mean that the message is authentic.

Signature did not verify

This step uses the RSA key retrieved from DNS, and verifies that the contents of the user-specified headers are the same as when the message was sent. One subtle but important point is that we are also verifying the contents of the DKIM-Signature header itself. Since that header contains a hash of the body of the message, we’re indirectly verifying the contents of the body along with the specified headers. The value of the b tag is removed before comparing, since that encrypted hash is what we’re verifying in this step.
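
The body canonicalization described under "Invalid canonicalization method" and the body-hash check that precedes signature verification, as an added Python example that is not SparkPost's code; the RSA step over the signed headers needs a crypto library and is left out:

```python
import base64
import hashlib
import re

def canonicalize_body(body, method="simple"):
    """RFC 6376 body canonicalization of raw body bytes that use CRLF line endings."""
    if method not in ("simple", "relaxed"):
        raise ValueError("Invalid canonicalization method")
    lines = body.split(b"\r\n")
    if method == "relaxed":  # strip trailing WSP on every line, collapse runs of WSP to one SP
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    while lines and lines[-1] == b"":  # both methods ignore empty lines at the end of the body
        lines.pop()
    if not lines:  # an empty body is a single CRLF under simple and nothing at all under relaxed
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"  # the body must end with CRLF; one is added if missing

def body_hash(body, method="simple", algorithm="rsa-sha256"):
    """The base64 digest that belongs in the bh= tag for this body and canonicalization."""
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, method)).digest()).decode()

def body_hash_verifies(body, sig):
    """First verification step: recompute bh from the received body using the signature's own
    a= and c= tags (sig is the parsed DKIM-Signature as a dict) and compare it to the bh= tag."""
    canon = sig.get("c", "simple/simple").split("/")
    body_method = canon[1] if len(canon) > 1 else "simple"  # c=relaxed alone means the body is simple
    return body_hash(body, body_method, sig.get("a", "rsa-sha256")) == sig["bh"]
```

A matching body hash only shows the body was not altered relative to the bh tag; until the b tag verifies against the public key, nothing proves who computed that hash.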

Signing the {header} header is strongly recommended!

Refers to the Date and Subject headers. The verifier will warn if these headers are not included in the

A HELPFUL NOTE: The choice of which header fields to sign is non-obvious. One strategy is to sign all existing, non-repeatable header fields. An alternative strategy is to sign only header fields that are likely to be displayed to or otherwise be likely to affect the processing of the message at the receiver. A third strategy is to sign only “well-known” headers. Note that Verifiers may treat unsigned header fields with extreme skepticism, including refusing to display them to the end user or even ignoring the signature if it does not cover certain header fields. For this reason, signing fields present in the message such as Date, Subject, Reply-To, Sender, and all MIME header fields is highly advised.

DKIM public key not found

We could not find a DNS entry that matches your selector and domain.

SPF Errors

These are common errors you might see when using the SparkPost SPF Inspector.

No valid version found, record must start with ‘v=spf1’

A properly formatted SPF record is a DNS TXT record that must start with a version indicator, specifically “v=spf1”.

Modifiers like {modifier} may appear only once in an SPF string

Redirect and exp modifiers can only be included once.

One or more duplicate mechanisms were found in the policy

The same mechanism, covering the same domains/IPs, has been included more than once.

SPF strings should always either use an all mechanism or a redirect modifier to explicitly terminate processing.

An SPF string must end with either a redirect modifier or an all mechanism.

One or more mechanisms were found after the all mechanism. These mechanisms will be ignored

SPF record processing stops once an all mechanism is encountered, so anything after the all will be ignored.

The redirect modifier will not be used, because the SPF string contains an all mechanism. A redirect modifier is only used after all mechanisms fail to match, but all will always match

An all mechanism in the same record causes the redirect modifier to be ignored, because redirect is only consulted after every mechanism has failed to match, and all always matches.

Unknown standalone term ‘{term}’

A term found in the SPF record is not one of the valid SPF terms (v, a, mx, etc.).

Missing or blank mandatory network specification for the ‘ip4’ mechanism.

The ip4 mechanism must be followed by an IPv4 network specification and an optional CIDR length mask.

Invalid IP address: ‘{ip}’

IP network specifications following the ip4 mechanism must be properly formatted IPv4 addresses (e.g., dotted quads, with each number ranging from 0 to 255, inclusive).

Invalid CIDR format: ‘{value}’

The CIDR length mask specified is either out of range or otherwise incorrect.

Missing or blank mandatory network specification for the ‘ip6’ mechanism.

The ip6 mechanism must be followed by an IPv6 network specification and an optional CIDR length mask.

Invalid IPv6 address: ‘{ip}’

IP network specifications following the ip6 mechanism must be properly formatted IPv6 addresses.

Invalid CIDR format: ‘{value}’

The CIDR length mask specified is either out of range or otherwise incorrect.

Blank argument for the ‘{name}’ mechanism

This means the record is incorrectly formatted: we have found a : or / with no trailing information.

Invalid domain for the ‘{name}’ mechanism: ‘{value}’

The domain specified with the a, mx, or ptr mechanism is improperly formatted.

Missing mandatory argument for the ‘{name}’ mechanism

These mechanisms require an argument, but it is missing, e.g., redirect.

Blank argument for the ‘{name}’ mechanism

Similar to the above error, but the assignment operator is present, e.g., redirect=.

Resolution requiring more than 10 DNS lookups

The SPF specification limits to ten the number of total DNS lookups needed to resolve an SPF record.
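
A syntax-only linter for the SPF errors above (version, duplicate modifiers and mechanisms, terms after all, redirect alongside all, ip4/ip6 and CIDR checks, the lookup limit), as an added Python example that is not SparkPost's SPF Inspector code; it counts the lookup-causing terms in the record itself and does not query DNS or follow include/redirect, so the real lookup total can only be higher:

```python
import ipaddress

MECHANISMS = ("all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists")
MODIFIERS = ("redirect", "exp")
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # count toward the 10-lookup limit

def _check_ip(name, arg, errors):  # network spec after ip4:/ip6:, with optional /cidr
    addr, _, cidr = arg.partition("/")
    want = 4 if name == "ip4" else 6
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        ip = None
    if not addr:
        errors.append("Missing or blank mandatory network specification for the '%s' mechanism." % name)
    elif ip is None or ip.version != want:
        errors.append("Invalid IP%s address: '%s'" % ("" if want == 4 else "v6", addr))
    elif cidr and not (cidr.isdigit() and int(cidr) <= ip.max_prefixlen):
        errors.append("Invalid CIDR format: '%s'" % cidr)

def check_spf(record):  # syntax-only lint of one SPF TXT record; no DNS queries are made
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["No valid version found, record must start with 'v=spf1'"]
    errors, seen, lookups, has_all, after_all = [], set(), 0, False, False
    has_redirect = any(t.startswith("redirect=") for t in terms)
    for term in terms[1:]:
        is_mod = "=" in term  # modifiers are name=value; mechanisms are [qualifier]name[:arg]
        name, _, arg = term.lstrip("+-~?").partition("=" if is_mod else ":")
        key = name if is_mod else term  # a modifier may appear once, a mechanism once per argument
        if key in seen:
            errors.append("Modifiers like %s may appear only once in an SPF string" % name if is_mod
                          else "One or more duplicate mechanisms were found in the policy")
        seen.add(key)
        if name not in MECHANISMS + MODIFIERS or is_mod != (name in MODIFIERS):
            errors.append("Unknown standalone term '%s'" % term)
        elif name in ("ip4", "ip6"):
            _check_ip(name, arg, errors)
        after_all |= has_all and not is_mod  # mechanisms after all are never evaluated
        has_all |= name == "all"
        lookups += name in LOOKUP_TERMS
    if after_all:
        errors.append("One or more mechanisms were found after the all mechanism. These mechanisms will be ignored")
    if has_all and has_redirect:
        errors.append("The redirect modifier will not be used, because the SPF string contains an all mechanism")
    elif not has_all and not has_redirect:
        errors.append("SPF strings should always either use an all mechanism or a redirect modifier")
    if lookups > 10:
        errors.append("Resolution requiring more than 10 DNS lookups")
    return errors
```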

Problem retrieving TXT records for {domain}

Could not find a DNS TXT record for this domain.

{domain} does not have an SPF record

Could not find a valid SPF record for this domain.

{domain} has more than 1 SPF record

A domain may have only one SPF record.

Cannot find {recordType} records for {domain}

There is a missing DNS record, either A, AAAA, or MX.

