Enhanced Status Code 5.7.14: DKIM Verification Failed
Enhanced Status Code 5.7.14 means “DKIM Verification Failed.” Your email had a DKIM signature but it failed verification. The message was modified in transit, the DKIM key in DNS does not match, or the signature is malformed. This causes authentication failure and potential DMARC rejection.
dkim=fail (body hash did not verify) header.d=example.com; 550 5.7.14 DKIM signature verification failed for this message
What does 5.7.14 mean?
Enhanced status code 5.7.14 means your email included a DKIM signature, but when the receiving server tried to verify it, the verification failed. This is worse than having no DKIM at all - a failing DKIM signature actively hurts your deliverability because it suggests the message was tampered with.
Common causes include the message being modified after signing (by a mailing list, forwarding server, or security appliance), the DKIM public key in DNS not matching the private key used for signing, or the DNS record being malformed. If you have a DMARC policy and DKIM fails, the message may be rejected entirely.
Use our DKIM Checker tool to verify your DKIM DNS record is correctly published and the public key is valid.
How 5.7.14 plays out
5.7.14 rejectionWhere 5.7.14 sits: soft vs hard bounce
| Soft bounce (4xx) | Hard bounce (5xx) | |
|---|---|---|
| Nature | Temporary | Permanent |
| SMTP class | 4xx | 5xx |
| What to do | Let it retry | Suppress the address |
| Recoverable? | Often | No |
| 5.7.14 is | ✓ this code |
Common causes of 5.7.14
- Message was modified in transit after DKIM signing (content, headers, or attachments changed)
- DKIM public key in DNS does not match the private key used for signing
- DNS record for DKIM key is malformed or has incorrect syntax
- Mailing list or forwarding server modified the message body
- DKIM key has been rotated but old key is still in use for signing
- Security appliance (anti-virus, content filter) modified the message after signing
How to fix 5.7.14
- Verify your DKIM DNS record using a DKIM Checker tool
- Ensure the private key used for signing matches the public key in DNS
- Check for intermediary servers that might modify messages after signing
- If using a forwarding or mailing list, implement ARC (Authenticated Received Chain)
- Regenerate and publish a new DKIM key pair if the current one is compromised or mismatched