Here’s a fun scenario: you set up DKIM two years ago, verified it worked, and never looked at it again. Meanwhile, you rotated your email service, changed a DNS record, or your provider updated their signing keys — and now every email you send has an invalid DKIM signature.
You won’t get an error. You won’t get a bounce notification. Your emails will just quietly start landing in spam, and your open rates will decay so gradually you’ll blame seasonal trends or subject line fatigue.
DKIM failures are the silent killer of email deliverability. Let’s fix that.
What Is DKIM?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The signature is generated using a private key that only your email server knows. The matching public key is published in your DNS so anyone can verify the signature.
When a receiving server gets your email, it:
-
Pulls the DKIM signature from the email header
-
Looks up your public key in DNS using the selector in the signature
-
Uses the public key to verify the signature matches the email content
-
If it matches, the email passes DKIM — meaning it wasn’t altered in transit
It’s like a wax seal on a letter. If the seal is intact, the letter hasn’t been tampered with.
Why DKIM Matters for Deliverability
DKIM does two things that directly affect whether your emails reach the inbox:
Integrity verification. DKIM proves the email content wasn’t changed between your server and the recipient. This matters because email passes through multiple servers in transit, and any of them could theoretically modify the message.
Domain reputation building. ISPs like Gmail and Outlook use DKIM to track your domain’s sending reputation over time. Consistent DKIM passes build trust. Consistent failures erode it. And once your domain reputation is damaged, clawing it back takes weeks or months.
DKIM is also required for DMARC alignment. If your SPF record doesn’t align (common when using third-party senders), DKIM is your only path to passing DMARC. Without it, your DMARC policy might as well not exist.
How to Check Your DKIM Record
DKIM is trickier to check than SPF or DMARC because you need to know your DKIM selector — a prefix that identifies which key to look up.
Your selector is usually set by your email provider. Common ones:
-
Google Workspace:
google -
Microsoft 365:
selector1,selector2 -
SendGrid:
s1,s2 -
Mailchimp:
k1
To check manually:
nslookup -type=TXT selector._domainkey.yourdomain.com
Replace “selector” with your actual selector. If a record comes back with v=DKIM1; k=rsa; p=..., you have a DKIM key published. But that alone doesn’t mean it’s working — the key needs to match what your email service is signing with.
The easier route: run your domain through our DKIM checker. It tests your selectors, validates the keys, and tells you if your signatures are actually passing.
Common DKIM Failures and How to Fix Them
Missing DKIM record in DNS
You set up DKIM in your email service but never added the DNS record. Or you added it to the wrong domain. Or your DNS migration dropped it. The fix: grab the DKIM record from your email provider’s settings and add it to DNS as a TXT record at selector._domainkey.yourdomain.com.
Key mismatch
Your email provider rotated their signing keys, but the old public key is still in your DNS. The signature and the published key don’t match, so DKIM fails on every message. Update the DNS record with the new public key from your provider.
Record too long for DNS
DKIM keys (especially 2048-bit) can exceed the 255-character limit for a single DNS TXT string. The solution: split the key into multiple strings within one TXT record. Most DNS providers handle this automatically, but some require you to manually split the value with quotes.
Body hash mismatch
This happens when something modifies the email body after signing — often a mailing list that adds a footer, or an email gateway that rewrites links. The DKIM signature covers the body content, so any modification invalidates it. If you’re using a link-tracking service or email footer injector, make sure it runs before DKIM signing, not after.
Multiple DKIM selectors conflicting
If you have multiple email services, each uses its own DKIM selector. That’s fine — you can have multiple DKIM keys. But make sure each selector’s DNS record points to the right key for the right service. Cross-wired selectors cause intermittent failures that are maddening to debug.
DKIM Best Practices
Use 2048-bit keys. 1024-bit keys still work but are increasingly discouraged. Most email providers now default to 2048-bit. If yours doesn’t, switch.
Rotate keys annually. DKIM keys don’t expire, but rotating them limits the damage if a key is compromised. Most providers make rotation straightforward — update the DNS record, wait for propagation, then remove the old one.
Always pair with SPF and DMARC. DKIM alone isn’t enough. SPF authorizes your sending servers, DKIM verifies message integrity, and DMARC ties them together with policy enforcement. All three working together is the standard. Any missing link weakens the chain.
Test after every change. Switched email providers? Updated DNS? Changed your domain registrar? Test DKIM immediately. Don’t wait for deliverability to drop — by then, your domain reputation has already taken a hit.
Monitor DMARC reports. DMARC aggregate reports show DKIM pass/fail rates across all your sending sources. If a specific source is consistently failing DKIM, you’ll see it in the reports before you see it in your email metrics.
Verify Your DKIM Signatures Now
DKIM issues hide in plain sight. Your emails look like they’re sending fine, your ESP shows “delivered,” but the DKIM signature is quietly failing in the background.
Check your DKIM setup with our free tool — it validates your selectors, checks key length, and confirms your signatures are actually passing authentication.
For the complete picture, run a full marketing audit. Email authentication is just one piece — your SEO, content, and technical health all affect whether your marketing actually reaches people.