The receiving server requires messages from your domain to be signed with DKIM, but your message had no DKIM signature. Configure DKIM signing on your sending server to resolve this.
What Does Error 5.7.13 Mean?
Enhanced status code 5.7.13 means the receiving server requires DKIM signatures on emails from your domain, but your message was not DKIM-signed. This indicates the receiving organization has a policy that mandates DKIM authentication for your specific domain or for all incoming messages.
DKIM signing is considered a best practice and is required by major providers like Gmail and Yahoo for bulk senders. If you are not signing your emails with DKIM, you should implement it immediately - it improves deliverability across all providers, not just the one returning this error.
Common Causes
- DKIM is not configured on your sending server or ESP
- DKIM signing is configured but not working correctly
- Sending from a server or service that does not support DKIM
- DKIM key was removed from DNS or has expired
How to Fix Error 5.7.13
- Configure DKIM signing on your MTA or through your ESP
- Verify your DKIM DNS record is correctly published using a DKIM Checker
- Ensure the DKIM private key matches the public key in DNS
- Test DKIM by sending to a Gmail address and checking authentication results
Frequently Asked Questions
Error 5.7.13 indicates that the recipient's mail server requires DKIM signing for incoming messages, but your email either lacked a DKIM signature or the signature was invalid. According to the IANA SMTP Enhanced Status Code registry, X.7.13 relates to a required authentication mechanism that was not provided. The receiving server's policy mandates DKIM authentication, and your message did not meet this requirement.
Configure DKIM signing on your mail server or email service provider. This involves generating a DKIM key pair (public and private), publishing the public key as a TXT record in your domain's DNS under the appropriate selector (e.g., selector1._domainkey.yourdomain.com), and configuring your mail server to sign all outbound messages with the private key. Use a key length of at least 2048 bits for security. Most ESPs like Gmail, Microsoft 365, and SendGrid provide guided DKIM setup in their admin consoles.
A DKIM signature can be present but still fail validation if the message was modified after signing (by a gateway, footer injection, or forwarding service), if the DKIM selector or key has been rotated in DNS but the mail server is still signing with the old key, or if there is a domain alignment mismatch under DMARC policy. Verify the DKIM selector referenced in the message header matches the DNS record, and ensure no intermediate systems are altering signed content.
DKIM is not universally mandatory under SMTP standards, but it is effectively required for reliable email delivery in practice. Gmail, Microsoft 365, Yahoo, and Apple iCloud all check DKIM signatures and penalize or reject unsigned mail. Since February 2024, Gmail and Yahoo require DKIM authentication for all senders, with bulk senders (5,000+ messages per day) facing stricter requirements including DMARC alignment. Without DKIM, your emails are far more likely to be flagged as spam or rejected.