
How to debug DKIM signature failures?

DKIM failure debugging:

Find the selector: Check the email headers for the DKIM-Signature header and look for the s= parameter.

Verify record exists:

dig TXT selector._domainkey.domain.com

The record should exist and contain a p= public key.

Common failures:

Selector mismatch (signing with selector not in DNS)

Truncated public key (record too long, improperly split)

Key rotation (old key removed, messages signed with it fail)

Message modification (forwarding, mailing lists alter content)
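The selector lookup and the truncated-key failure above, as an added example that is not part of the original page: it builds the record name from the s= and d= tags of a DKIM-Signature value, then checks that the p= value in a TXT answer decodes to a complete DER structure. The selector sel2024, the domain example.com, the header and the key bytes are constructed sample data, and the function names are illustrative.

```python
import base64
import re

def parse_tags(value):
    """Parse a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(signature_value):
    """Build the DNS name to query from the s= and d= tags of DKIM-Signature."""
    tags = parse_tags(signature_value)
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_key_record(rdata):
    """Return problems found in a TXT answer as dig prints it; [] means plausible."""
    # A long record is split into several quoted strings; join them with no separator.
    tags = parse_tags("".join(re.findall(r'"([^"]*)"', rdata)))
    p = tags.get("p")
    if not p:
        return ["p= missing or empty (no key, or key revoked)"]
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:
        return ["p= is not valid base64 (truncated or badly split)"]
    if len(der) < 2 or der[0] != 0x30:
        return ["p= does not decode to a DER SEQUENCE"]
    # Compare the length the DER header declares with the bytes actually present.
    if der[1] < 0x80:
        total = 2 + der[1]
    else:
        n = der[1] & 0x7F
        total = 2 + n + int.from_bytes(der[2:2 + n], "big")
    if total != len(der):
        return [f"DER declares {total} bytes, record holds {len(der)} (truncated key)"]
    return []

# Constructed sample data: a DER SEQUENCE header plus filler bytes, not a real key.
SAMPLE_P = base64.b64encode(b"\x30\x81\x9f" + bytes(range(159))).decode()
SAMPLE_SIG = "v=1; a=rsa-sha256; d=example.com; s=sel2024;\r\n\th=from:to; bh=AAAA; b=BBBB"
GOOD_TXT = f'"v=DKIM1; k=rsa; p={SAMPLE_P[:100]}" "{SAMPLE_P[100:]}"'
CUT_TXT = f'"v=DKIM1; k=rsa; p={SAMPLE_P[:100]}"'

if __name__ == "__main__":
    print(key_record_name(SAMPLE_SIG), check_key_record(GOOD_TXT), check_key_record(CUT_TXT))
```

The second sample is cut at a point where the base64 is still well formed, so only the DER length comparison catches the truncation.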

Testing:

Send a test email and check the DKIM result in the headers

Use mail-tester.com for detailed DKIM analysis

Verify the seal matches the registered key. Mismatches indicate configuration errors or message tampering.