This message indicates that the email includes a DKIM (DomainKeys Identified Mail) or DK (DomainKeys) signature, but the signature's validity has not been confirmed. It does not necessarily mean the signature is invalid; it only means the signature has not been verified or has not passed validation for specific reasons.
What Does This Mean?
A DKIM or DK signature ensures:
- Authenticity: The email is from a legitimate sender.
- Integrity: The email has not been altered in transit.
When the message "not necessarily valid" appears:
- Positive Possibility: The DKIM signature exists, but the recipient mail server has not verified it yet.
- Negative Possibility: The signature or configuration has issues (e.g., DNS record missing or misconfigured).
Why the Message Appears
Email Forwarding or Alteration
- The message was altered in transit, which invalidated the DKIM signature.
- Common causes include:
  - Email forwarding servers adding or modifying headers.
  - Changes to email body or encoding.
Incorrect DKIM Configuration
The sender's public DKIM key in DNS is missing, invalid, or does not match the private key used to sign the email.
Expired or Rotated Keys
The DKIM key has been replaced, but the DNS record has not been updated.
Mismatched Signing Domain
The domain in the d= tag of the DKIM header does not match the sender domain.
Validation Issues
The recipient mail server could not validate the DKIM signature, possibly due to a timeout or DNS lookup failure.
How to Fix and Validate DKIM
Verify the DKIM Setup
- Extract the DKIM Signature:
  - Examine the email headers.
  - Look for the DKIM-Signature field, which contains:
    d=example.com; s=default; ...
- Verify the DNS Record:
  - Locate the s= value (e.g., default) in the signature.
  - Use a DKIM lookup tool (e.g., MXToolbox DKIM Lookup) to ensure the DNS TXT record exists and is valid:
    default._domainkey.example.com TXT "v=DKIM1; k=rsa; p=PUBLIC_KEY_HERE"
- Fix Any DNS Issues:
  - Ensure the DKIM public key matches the private key used by the mail server.
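The checks from the steps above, as an added Python example that is not part of the original article: it parses a DKIM-Signature header, derives the DNS name that must hold the public key, and inspects the TXT record found there. The function names and sample values are constructed for illustration; the TXT record is passed in as a string so the example runs offline, and the domain comparison is a plain exact match.

```python
# Added example; function names and sample data are illustrative assumptions.
import base64
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (signature header or DNS key record)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:  # ignore empty segments such as a trailing ';'
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def check_dkim_setup(sig_header, sender_domain, txt_record):
    """Return (dns_name, findings). txt_record is None if the lookup found nothing."""
    sig = parse_tags(sig_header)
    missing = [t for t in ("d", "s") if t not in sig]
    if missing:
        return None, ["signature lacks tag(s): " + ", ".join(missing)]
    findings = []
    if sig["d"].lower() != sender_domain.lower():  # exact match only
        findings.append(f"d={sig['d']} does not match sender domain {sender_domain}")
    name = f"{sig['s']}._domainkey.{sig['d']}"  # where the public key must be published
    if txt_record is None:
        return name, findings + [f"public key not found at {name}"]
    key = parse_tags(txt_record)
    if key.get("v", "DKIM1") != "DKIM1":
        findings.append("key record v= is not DKIM1")
    if "a" in sig and key.get("k", "rsa") != sig["a"].split("-")[0]:
        findings.append("key type k= does not match signature algorithm a=")
    p = key.get("p")
    if p is None:
        findings.append("key record has no p= tag")
    elif p == "":
        findings.append("p= is empty: the key has been revoked")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append("p= is not valid base64")
    return name, findings

# Constructed sample data (placeholders, not a real signature or key).
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default; "
              "h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED")
SAMPLE_KEY = base64.b64encode(b"constructed placeholder, not a real key").decode()
SAMPLE_TXT = f"v=DKIM1; k=rsa; p={SAMPLE_KEY}"

if __name__ == "__main__":
    print(check_dkim_setup(SAMPLE_SIG, "example.com", SAMPLE_TXT))
```

An empty findings list means the record is present and well-formed; it does not prove the signature verifies, which still requires checking b= against the published key.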
Test the DKIM Configuration
- Send a test email to a validator:
- Review the results for:
  - Valid DKIM signature.
  - Any errors or warnings about mismatched domains, expired keys, or DNS lookup failures.
Configure DMARC for Additional Validation
- Add a DMARC record to enforce DKIM and SPF policies:
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:reports@example.com"
- Analyze DMARC reports to detect issues with email authentication.
Check for Email Alterations
If email forwarding or a mailing list modifies the message:
- Use ARC (Authenticated Received Chain) to preserve the DKIM signature.
- Ensure email headers and body remain intact.
Advanced Troubleshooting
Check Logs on the Sending Mail Server
- Verify that the DKIM signing process is working correctly:
  - No errors in logs.
  - The correct private key is used for signing.
Look for Common Validation Errors
| Issue | Solution |
|---|---|
| Public key not found | Add the DKIM TXT record to DNS. |
| Signature mismatch | Ensure the private key matches the DNS public key. |
| Expired key | Generate a new DKIM key pair and update the DNS record. |
| Forwarding invalidates signature | Use ARC or ensure headers are not altered. |
Check DNS Propagation
- If you recently updated DNS, confirm the changes have propagated globally using tools like WhatsMyDNS.
Preventive Measures
Use Proper Key Length
Use 2048-bit keys for stronger security and compliance with modern standards.
Regularly Rotate DKIM Keys
Periodically generate new keys and update DNS records.
Use Reliable DNS
Ensure your DNS provider supports fast and reliable lookups.
Example DKIM Header
Here is an example of a valid DKIM signature:
The "DKIM or DK signature, not necessarily valid" message highlights an issue with email authentication. Use the steps above to verify your DKIM setup, ensure proper DNS configuration, and test the email authentication system.


