How to Fix DKIM (Complete Setup & Troubleshooting Guide)
Complete guide to setting up DKIM correctly and fixing common DKIM failures that hurt deliverability.
Published: 2026-01-22 | Updated: 2026-01-22 | Read time: 7 min
Key Takeaways
DKIM proves your email wasn't modified in transit with a digital signature
Each email service needs its own DKIM setup with a unique selector
Alignment requires the d= domain in the DKIM signature to match the domain in your From address
DNS record formatting issues (line breaks, quotes) cause most failures
Check email headers for 'dkim=pass' to verify correct configuration
Understanding DKIM
DKIM (DomainKeys Identified Mail) is a digital signature for your emails. It proves two things:
1. The email came from your domain — Not a spoofed impersonation
2. The content wasn't altered — No tampering in transit
Why DKIM Matters
Without DKIM:
Email providers can't verify your messages are authentic
Your emails are more likely to land in spam
You can't achieve DMARC alignment
Gmail and Yahoo requirements aren't met
What You'll Learn
1. How to check if DKIM is working
2. How to set up DKIM for your provider
3. How to troubleshoot common failures
4. How to verify your fix worked
Step 1: Check Your Current DKIM Status
Quick Check with MailRisk
Scan your domain with MailRisk to see:
Whether DKIM is configured
If DKIM is passing
Whether DKIM is aligned with your domain
Check via Email Headers
Send an email to yourself (Gmail account works best):
1. Open the email in Gmail
2. Click the three dots → "Show original"
3. Look for the DKIM result:
```
DKIM: PASS (signature verified)
```
or
```
DKIM: FAIL (signature didn't verify)
```
Check Your DNS Record
DKIM records are stored at: selector._domainkey.yourdomain.com
Using dig (macOS/Linux):
```bash
dig TXT google._domainkey.yourdomain.com
```
Using nslookup (Windows):
```powershell
nslookup -type=TXT google._domainkey.yourdomain.com
```
Replace "google" with your DKIM selector (varies by provider).
Common Selectors by Provider
| Provider | Selector |
|----------|----------|
| Google Workspace | google |
| Microsoft 365 | selector1, selector2 |
| SendGrid | s1, s2 |
| Mailgun | Various (check settings) |
| Amazon SES | Custom per account |
Step 2: Set Up DKIM
General Process
DKIM setup has two parts:
1. Generate keys in your email provider — Creates public/private key pair
2. Add public key to DNS — Lets receivers verify your signatures
Google Workspace
1. Go to admin.google.com
2. Navigate to Apps → Google Workspace → Gmail
3. Click "Authenticate email"
4. Click "Generate New Record"
5. Choose key length (2048-bit recommended)
6. Copy the DNS record provided
7. Add TXT record to your DNS:
- Name: google._domainkey
- Value: (the value Google provides)
8. Return to Admin Console and click "Start authentication"
Microsoft 365
1. Go to security.microsoft.com
2. Navigate to Email & collaboration → Policies
3. Click on DKIM settings
4. Select your domain
5. Enable DKIM signing
6. Add the CNAME records Microsoft provides:
- selector1._domainkey.yourdomain.com
- selector2._domainkey.yourdomain.com
SendGrid
1. Log into SendGrid dashboard
2. Go to Settings → Sender Authentication
3. Click "Authenticate Your Domain"
4. Follow the wizard to get your DNS records
5. Add the provided CNAME records to your DNS
Other Providers
Check your email provider's documentation for specific instructions. The process is similar:
1. Find DKIM settings in your provider's dashboard
2. Generate or retrieve your DKIM record
3. Add the record to your DNS
4. Verify in your provider's settings
Step 3: Troubleshoot Common Failures
DKIM Signature Not Found
Symptoms:
"dkim=none" in email headers
MailRisk shows DKIM not configured
Causes & Fixes:
| Cause | Fix |
|-------|-----|
| DKIM not enabled in provider | Enable DKIM in email provider settings |
| DNS record missing | Add the DKIM TXT/CNAME record |
| Wrong selector name | Verify selector matches what provider uses |
| DNS propagation pending | Wait 24-48 hours |
DKIM Signature Invalid
Symptoms:
"dkim=fail" in email headers
"signature verification failed"
Causes & Fixes:
| Cause | Fix |
|-------|-----|
| DNS record has errors | Copy exact value from provider (no extra spaces) |
| Key truncated | Use CNAME if TXT is too long for your DNS |
| Email modified in transit | Check for email gateways that alter content |
| Old key rotated | Update DNS with new key from provider |
DKIM Alignment Failure
Symptoms:
DKIM passes but DMARC fails
"dkim=pass" but "dmarc=fail"
The Issue: The domain in the DKIM signature (d=) doesn't match your From domain.
Common Scenario: You send from yourname@yourdomain.com, but your email service signs with d=emailservice.com instead of d=yourdomain.com.
Fix: Set up custom DKIM with your own domain in your email provider's settings.
Advanced Troubleshooting
Body Hash Mismatch
Error: "body hash did not verify"
Causes:
Email content was modified after signing
Antivirus or security gateway altered the email
Mailing list added a footer
Fix: Identify what's modifying your emails. Check for:
Security appliances that rewrite content
Mailing list software adding disclaimers
Forwarding rules that modify messages
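To see why some modifications break the body hash and others do not, the following added example (not part of the original guide) recomputes the bh= value the way a receiver does, using the simple and relaxed body canonicalizations from RFC 6376. The message bodies and the list address are constructed samples.

```python
import base64
import hashlib
import re

def canonical_body(body, mode="relaxed"):
    """Body canonicalization per RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed)."""
    # Line endings are normalized to CRLF first, as they are on the wire.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs to one space and drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()                       # trailing empty lines are ignored
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, mode="relaxed"):
    """The value a signer places in bh= when a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(canonical_body(body, mode)).digest()).decode()

# Constructed messages: what was signed, and what two intermediaries delivered.
SIGNED = b"Hi team,\r\n\r\nInvoice attached.\r\n"
REWRAPPED = b"Hi team,  \r\n\r\nInvoice\tattached.\r\n\r\n\r\n"   # whitespace changes only
WITH_FOOTER = SIGNED + b"--\r\nYou are subscribed to list@example.org\r\n"

def survives(delivered, mode):
    """True if the receiver's recomputed hash still equals the signed bh=."""
    return body_hash(delivered, mode) == body_hash(SIGNED, mode)

def report():
    """Map (modification, canonicalization) to whether the body hash still verifies."""
    return {(name, mode): survives(body, mode)
            for name, body in (("rewrapped", REWRAPPED), ("footer", WITH_FOOTER))
            for mode in ("simple", "relaxed")}

if __name__ == "__main__":
    for key, ok in report().items():
        print(key, "bh matches" if ok else "body hash did not verify")
```

Whitespace-only rewrites survive when the signature's c= tag selects relaxed body canonicalization, while an appended footer fails under both modes, so the fix for that case is to stop the modification or have the modifying system re-sign.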
Selector Not Found
Error: "DKIM selector not found in DNS"
Causes:
Wrong selector name
DNS record at wrong location
DNS not propagated yet
Fix:
1. Verify selector name in your provider settings
2. Check that the DNS record is at: selector._domainkey.yourdomain.com
3. Wait for DNS propagation (up to 48 hours)
Multiple Email Services
If you use multiple services (Gmail + SendGrid + Mailchimp), each needs its own DKIM:
| Service | DKIM Record Location |
|---------|---------------------|
| Google | google._domainkey.yourdomain.com |
| SendGrid | s1._domainkey.yourdomain.com |
| Mailchimp | k1._domainkey.yourdomain.com |
Each service signs with its own selector, and all can coexist.
Key Length Issues
1024-bit keys are being deprecated. Use 2048-bit when possible.
If your DNS doesn't support 2048-bit (long TXT records):
Use CNAME records instead of TXT
Some providers split the key across multiple strings
Contact your DNS provider for character limits
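The record problems described above (a key split across several strings, a truncated key, a 1024-bit key) can be checked offline. This added example, which is not from the original guide, lints a TXT value as pasted into a DNS panel and reads the RSA modulus size from the p= key; it assumes k=rsa, and the keys are constructed placeholders built by the hypothetical helper `sample_p`.

```python
import base64
import re

def der(tag, body):
    """Encode one DER TLV; used only to build the constructed sample keys."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(size)]) + size) + body

def sample_p(bits):
    """Constructed placeholder p= value with a real SPKI layout (not a usable key)."""
    n = (1 << (bits - 1)) | 1
    rsa = der(0x30, der(0x02, b"\x00" + n.to_bytes(bits // 8, "big")) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID, NULL
    return base64.b64encode(der(0x30, alg + der(0x03, b"\x00" + rsa))).decode()

def tlv(buf, pos):
    """Read one DER header at pos; return (value_start, value_end)."""
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return pos, pos + n

def lint_dkim_record(raw_txt):
    """Return (problems, rsa_bits) for a TXT value as stored in a DNS panel (k=rsa assumed)."""
    strings = re.findall(r'"([^"]*)"', raw_txt)
    record = "".join(strings) if strings else raw_txt  # resolvers join strings with no separator
    tags = {k.strip(): "".join(v.split())
            for k, _, v in (t.partition("=") for t in record.split(";")) if k.strip()}
    if not tags.get("p"):
        return ["no p= value (key missing or revoked)"], 0
    try:
        key = base64.b64decode(tags["p"], validate=True)
        spki, _ = tlv(key, 0)              # SubjectPublicKeyInfo SEQUENCE
        _, alg_end = tlv(key, spki)        # AlgorithmIdentifier
        bits_start, _ = tlv(key, alg_end)  # BIT STRING holding the RSA key
        rsa, _ = tlv(key, bits_start + 1)  # skip the unused-bits byte
        n_start, n_end = tlv(key, rsa)     # modulus INTEGER
    except (ValueError, IndexError) as exc:
        return [f"p= is not a complete base64 key ({exc})"], 0
    bits = int.from_bytes(key[n_start:n_end], "big").bit_length()
    return ([f"{bits}-bit key, below 2048"] if bits < 2048 else []), bits
```

A 2048-bit key makes the record longer than 255 characters, the limit for a single TXT string, which is why a panel that cannot split the value ends up publishing a truncated key.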
Step 4: Verify Your Fix
Wait for DNS Propagation
DNS changes can take 15 minutes to 48 hours. Check propagation:
1. Send to a Gmail account
2. Open and view "Show original"
3. Look for: dkim=pass
Full pass example:
```
Authentication-Results: mx.google.com;
dkim=pass header.i=@yourdomain.com header.s=google header.b=abc123;
```
Verify DMARC Alignment
If DKIM passes but DMARC fails, check alignment:
The d= domain in the DKIM signature must match (or be a subdomain of) your From domain
Example: d=yourdomain.com for emails from user@yourdomain.com
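The "dkim=pass but dmarc=fail" case from the DKIM Alignment Failure section and the alignment rule above can be checked directly from a message's headers. This is an added example, not part of the original guide; the message and the authserv-id mx.example.net are constructed, and alignment follows the guide's rule (same domain or a subdomain) rather than a full organizational-domain lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the provider's signature passes, the domain's own one fails.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@emailservice.com header.s=s1 header.b=abc123;
 dkim=fail header.i=@yourdomain.com header.s=google header.b=def456
From: Your Name <yourname@yourdomain.com>
Subject: alignment test

Hello
"""

def dkim_alignment(raw_message, strict=False):
    """Return (rows, usable): every DKIM result with its alignment, and whether
    at least one signature both passed and aligned with the From domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    rows = []
    for header in msg.get_all("Authentication-Results", []):
        # Each "dkim=<result> ..." clause runs up to the next semicolon.
        for result, props in re.findall(r"\bdkim=(\w+)([^;]*)", header):
            p = dict(re.findall(r"header\.([a-z])=(\S+)", props))
            # Prefer header.d; fall back to the domain part of header.i.
            d = p.get("d", p.get("i", "")).rpartition("@")[2].lower()
            aligned = d == from_domain or (not strict and d.endswith("." + from_domain))
            rows.append({"result": result, "d": d, "selector": p.get("s"), "aligned": aligned})
    usable = any(r["result"] == "pass" and r["aligned"] for r in rows)
    return rows, usable

if __name__ == "__main__":
    rows, usable = dkim_alignment(SAMPLE)
    for r in rows:
        print(r)
    print("DKIM usable for DMARC:", usable)
```

Read only the Authentication-Results header stamped by your own receiving server, since a sender can insert one of its own.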
Ongoing Monitoring
Set up DMARC reporting to catch DKIM failures:
```dns
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
```
Review reports weekly to catch issues before they impact deliverability.
DKIM FAQ
How long does DKIM take to start working?
After adding DNS records: 15 minutes to 48 hours for propagation. Usually works within 1-2 hours.
Do I need DKIM if I have SPF?
Yes. SPF verifies the sending server. DKIM verifies the message content and your domain. Together with DMARC, they provide complete authentication.
Can I have multiple DKIM records?
Yes—use different selectors for each. You can have Google, SendGrid, and Mailchimp all configured simultaneously.
What's the difference between DKIM selectors?
Selectors identify which public key to use for verification. Each email service uses its own selector:
google._domainkey — Google Workspace
selector1._domainkey — Microsoft 365
s1._domainkey — SendGrid
Will DKIM break if I change email providers?
The old DKIM will stop working for the old provider. Set up new DKIM for your new provider before completing the switch.
Should I use 1024-bit or 2048-bit keys?
2048-bit whenever possible. 1024-bit is being deprecated and provides weaker security. Most modern DNS providers support 2048-bit.
Why does DKIM fail after forwarding?
Email forwarding often breaks DKIM because:
The forwarder may modify content (adding headers/footers)
This changes the message body hash
DKIM verification fails on the modified content
This is expected behavior—DMARC's SPF check provides a backup.