dkim=permerror high
DKIM permerror (no key for signature)
A DKIM signature is present but the receiver can't fetch a usable public key at the selector, so the check errors out.
What you see
Authentication-Results: mx.google.com; dkim=permerror (no key for signature) header.d=example.com header.s=s1 header.b=Qz3kP9aL
What’s actually happening
Messages carry a DKIM-Signature header, but verification never completes — the receiver looks up the key and finds nothing usable. This is different from dkim=fail, where the key is found but the body or header hash doesn't match. With permerror the lookup itself dies: missing TXT record, wrong selector, or a CNAME that doesn't resolve. DMARC that leans on DKIM alignment then has nothing to align against, so authentication degrades even if SPF is fine.
Common causes
- The public-key TXT record at selector._domainkey.example.com was never published, or got deleted.
- The signing selector (the s= value) doesn't match any published selector — common after rotating keys or switching ESPs.
- A CNAME-based key (the pattern SendGrid, Amazon SES, and others use) points to a target that no longer resolves or was never set up.
- The TXT record is malformed — line-wrapped incorrectly, missing the p= tag, or containing stray quotes that split the base64 key.
- You're signing with one selector but DNS only has the old one, because the new selector's record never propagated.
How to fix it
- Read the d= and s= from the failing header: open the message's Authentication-Results / DKIM-Signature header and note header.d (the domain) and header.s (the selector). The key must live at exactly s._domainkey.d — e.g. s1._domainkey.example.com.
- Query that exact name in DNS: run dig +short TXT s1._domainkey.example.com. An empty result means the record is missing or on the wrong selector. If it returns a CNAME, follow it: dig +short CNAME s1._domainkey.example.com, then resolve the target — a dead target is your permerror.
- Publish or fix the key record: add the TXT record your ESP generated (v=DKIM1; k=rsa; p=MIGfMA0...), or for SES/SendGrid add the CNAMEs they specify exactly as given. One unquoted base64 string; if your DNS provider splits long TXT values, make sure they reassemble correctly.
- Match the selector your mail server actually signs with: if the server signs as s2 but DNS only has s1, either point the server at s1 or publish s2._domainkey. The selector in outgoing mail and the published record name must be identical.
- Send a test and confirm dkim=pass: after propagation, mail yourself at Gmail, open 'Show original,' and verify dkim=pass with the right header.d. A DKIM validator that fetches the key by selector will confirm the record is readable.
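The diagnostic steps above, and the causes listed under "Common causes", are easy to script once you know the exact name to query. The following is an added example (not code from the original page or from any ESP): it pulls header.d / header.s out of an Authentication-Results or DKIM-Signature header, builds selector._domainkey.domain, follows CNAMEs, reassembles split TXT strings and checks the DKIM tags, classifying the outcome as missing record, dead CNAME target, malformed record or a readable key. DNS is answered by a constructed in-memory stub (STUB_ZONE, with a placeholder p= value that is not a real key) so it runs offline; the resolver is a plain callable you can swap for a wrapper around dig or dnspython.

```python
"""Offline triage for dkim=permerror (no key for signature).

All DNS data below is a constructed stub, not real records. Swap `stub_resolver`
for a function that calls `dig +short` or dnspython to use it against live DNS.
"""
import base64
import re
from typing import Callable, Dict, List, Tuple

# A resolver takes (name, rrtype) and returns the record values, [] if none.
Resolver = Callable[[str, str], List[object]]

# Placeholder key material: valid base64, but NOT an RSA key (constructed).
_GOOD_P = base64.b64encode(b"\x30" * 96).decode()

# TXT values are tuples of strings, mirroring the <character-string> chunks DNS
# returns for long TXT records; a correct client concatenates them.
STUB_ZONE: Dict[Tuple[str, str], List[object]] = {
    ("s1._domainkey.example.com", "TXT"): [("v=DKIM1; k=rsa; p=" + _GOOD_P[:40], _GOOD_P[40:])],
    ("s2._domainkey.example.com", "TXT"): [("v=DKIM1; k=rsa;",)],                      # no p= tag
    ("s3._domainkey.example.com", "TXT"): [('v=DKIM1; k=rsa; p="' + _GOOD_P + '"',)],  # stray quotes
    ("s4._domainkey.example.com", "CNAME"): ["s4.dkim.esp-example.net"],               # target never set up
    ("s5._domainkey.example.com", "CNAME"): ["s5.dkim.esp-example.net"],
    ("s5.dkim.esp-example.net", "TXT"): [("v=DKIM1; k=rsa; p=" + _GOOD_P,)],
}


def stub_resolver(name: str, rrtype: str) -> List[object]:
    """Stand-in for `dig +short <rrtype> <name>` backed by STUB_ZONE."""
    return STUB_ZONE.get((name.rstrip(".").lower(), rrtype.upper()), [])


# Matches header.d=/header.s= (Authentication-Results) and d=/s= (DKIM-Signature).
_DS_RE = re.compile(r"(?:header\.)?\b([ds])=([^;\s]+)")


def selector_from_header(header: str) -> Tuple[str, str]:
    """Return (domain, selector) from an Authentication-Results or DKIM-Signature header."""
    found = dict(_DS_RE.findall(header))
    return found["d"].rstrip("."), found["s"]


def validate_record(record: str, name: str) -> Tuple[str, str]:
    """Check a reassembled DKIM key record; returns (status, detail)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        return "malformed", f"{name}: v= tag is not DKIM1"
    if "p" not in tags:
        return "malformed", f"{name}: record has no p= tag"
    if '"' in tags["p"]:
        return "malformed", f"{name}: stray quotes split the base64 key"
    key_b64 = re.sub(r"\s+", "", tags["p"])  # FWS inside base64 is ignored by verifiers
    if key_b64 == "":
        return "revoked", f"{name}: empty p= means the key was revoked"
    try:
        key_bytes = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed", f"{name}: p= is not valid base64"
    if tags.get("k", "rsa").lower() not in ("rsa", "ed25519"):
        return "malformed", f"{name}: unsupported k={tags['k']}"
    return "ok", f"{name}: readable {len(key_bytes)}-byte key, k={tags.get('k', 'rsa')}"


def diagnose(domain: str, selector: str, resolve: Resolver = stub_resolver,
             max_cname: int = 8) -> Tuple[str, str]:
    """Follow the fix-it steps: build the name, follow CNAMEs, validate the TXT."""
    name = f"{selector}._domainkey.{domain}"
    chain = [name]
    for _ in range(max_cname):
        txt = resolve(name, "TXT")
        if txt:
            record = "".join(txt[0])  # reassemble split character-strings
            return validate_record(record, name)
        cname = resolve(name, "CNAME")
        if not cname:
            if len(chain) > 1:
                return "dead-cname", f"{chain[-2]} -> {name}: target does not resolve"
            return "missing", f"no TXT or CNAME at {name}"
        name = str(cname[0]).rstrip(".")
        chain.append(name)
    return "cname-loop", f"gave up after {max_cname} CNAME hops: {' -> '.join(chain)}"


if __name__ == "__main__":
    header = ("Authentication-Results: mx.google.com; dkim=permerror (no key for signature) "
              "header.d=example.com header.s=s1 header.b=Qz3kP9aL")
    print(diagnose(*selector_from_header(header)))
    for sel in ("s2", "s3", "s4", "s5", "s9"):
        print(sel, diagnose("example.com", sel))
```

Against the stub, s1 and s5 come back "ok" (split TXT chunks and a healthy CNAME both reassemble), s2 and s3 are "malformed" (missing p= and quote-split key), s4 is "dead-cname" and s9 is "missing". To run it live, replace `stub_resolver` with a function that shells out to `dig +short` or calls dnspython's `dns.resolver.resolve` and returns the strings of each answer record.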
Stop it recurring
When rotating DKIM keys or changing ESPs, publish the new selector's record and confirm it resolves before switching the signing selector on the mail server.