
5 Common DKIM Mistakes (And How to Fix Them)

DKIM errors cause silent authentication failures. Learn common mistakes—missing records, wrong selectors, key mismatches—and fixes.

Published October 21, 2025
Tags: dkim, troubleshooting, dns, email-authentication, common-mistakes
Common DKIM configuration errors and how to fix them

DKIM failures often stem from configuration mismatches that aren’t obvious. The DNS record exists but uses the wrong selector. The key is published but doesn’t match. The signature is valid but gets broken in transit. Here are the five most common DKIM mistakes and how to fix each one.

Mistake 1: Wrong Selector in DNS

The problem: Your mail server signs with one selector, but the DNS record uses a different name.

Example:

  • Mail server signs with selector s1
  • DNS has record at google._domainkey.domain.com

When receivers look up s1._domainkey.domain.com, they find nothing.

How to diagnose:

  1. Check an email header for the selector being used:
DKIM-Signature: v=1; a=rsa-sha256; s=s1; d=domain.com; ...

The s= value is the selector.

  2. Verify that selector exists in DNS:
dig txt s1._domainkey.domain.com

How to fix:

Either:

  • Rename your DNS record to match the selector your server uses
  • Configure your server to use the selector you have in DNS

For third-party services, use the selector they specify in their documentation.

Mistake 2: DNS Record Not Published

The problem: The DKIM record was never added to DNS, or it was added to the wrong domain.

How to diagnose:

dig txt selector._domainkey.yourdomain.com

If you get an empty response or NXDOMAIN, the record doesn’t exist.

Common causes:

  • Record added to wrong domain (subdomain vs main domain)
  • DNS change never saved or propagated
  • Record added to wrong DNS provider (if you have multiple)
  • Typo in the record name

How to fix:

  1. Verify you’re editing the correct DNS zone
  2. Add the TXT record at selector._domainkey.yourdomain.com
  3. Wait for propagation (minutes to hours)
  4. Verify with dig or online lookup

Mistake 3: Public Key Mismatch

The problem: The private key used for signing doesn’t match the public key in DNS.

This happens when:

  • You regenerated keys but only updated one side
  • Copy/paste error truncated the key
  • Different keys generated for the same selector

How to diagnose:

DKIM check tools will show “signature verification failed” or “key mismatch” errors. The selector exists, but verification fails.

How to fix:

Regenerate a matched key pair:

  1. Generate new private and public key together
  2. Update your mail server with the new private key
  3. Publish the new public key in DNS
  4. Verify both are from the same generation

Most email providers handle key generation for you—use their process rather than manual key generation.

Mistake 4: Key Too Short or Incompatible

The problem: Your DKIM key is too short (insecure) or uses an algorithm receivers don’t support.

Key size issues:

  • 512-bit: Too short, will be rejected
  • 768-bit: Deprecated, may fail
  • 1024-bit: Minimum acceptable, being phased out
  • 2048-bit: Recommended standard
  • 4096-bit: Good, but may exceed DNS limits

How to diagnose:

DKIM checkers will report key size. If you’re using an old key, it might be undersized.

How to fix:

Generate a new 2048-bit key. If your key is larger than 2048 bits and you’re having issues, it may be exceeding DNS TXT record limits: split the record into multiple strings, or use a 2048-bit key.
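The checks from Mistakes 2 through 4 (record present and well formed, key not truncated, key long enough) can be automated. The following is an added example, not code from the original post: it takes the quoted strings that dig txt returns, parses the tag=value record, decodes p= and reads the RSA modulus size straight from the DER-encoded public key, with no crypto library. The sample record is constructed around a placeholder modulus, so it parses like a real key but is not one; check_dkim_record and sample_record are names chosen here.

```python
import base64
def _der(tag, value):  # minimal DER TLV encoder, used only to build the constructed sample key
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def fake_rsa_spki(bits):
    """SubjectPublicKeyInfo around a placeholder modulus: parses like a real key, is not one."""
    der_int = lambda v: _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # leading 0x00 keeps it positive
    rsa_key = _der(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010101")) + _der(0x05, b""))  # rsaEncryption, NULL
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))

def sample_record(bits, width=255):
    """Constructed dig-style output: the TXT record as a list of <=255-character quoted strings."""
    txt = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(bits)).decode()
    return [txt[i:i + width] for i in range(0, len(txt), width)]

def _der_read(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, next pos); raise if the buffer is cut off."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """SPKI -> skip AlgorithmIdentifier -> BIT STRING -> RSAPublicKey -> INTEGER n."""
    _, spki, _ = _der_read(spki_der)
    _, _, nxt = _der_read(spki)
    _, bitstr, _ = _der_read(spki, nxt)  # bitstr[0] is the unused-bits count
    _, rsa_key, _ = _der_read(bitstr, 1)
    _, modulus, _ = _der_read(rsa_key)   # n precedes e
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(chunks):
    record = "".join("".join(chunks).split())  # whitespace inside a key record is insignificant
    tags = dict(t.split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return {"ok": False, "reason": "v= must be DKIM1 and k= must be rsa"}
    if not tags.get("p"):
        return {"ok": False, "reason": "p= empty: key missing or revoked"}
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):  # bad base64 or cut-off DER: the copy/paste failure
        return {"ok": False, "reason": "p= is not a complete base64 RSA public key"}
    if bits < 1024:
        return {"ok": False, "bits": bits, "reason": "too short: under 1024 bits"}
    return {"ok": True, "bits": bits, "reason": "ok" if bits >= 2048 else "1024-bit: minimum acceptable, being phased out"}
```

Feed it the strings from your own dig output (quotes removed) in place of sample_record; passing only the first string of a split record reproduces the truncated-key failure.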

Mistake 5: Email Modified After Signing

The problem: Something between your server and the recipient modified the email, breaking the DKIM signature.

DKIM signs specific headers and the body. If these change, the signature becomes invalid.

Common causes:

  • Mailing lists: Add footers, modify headers
  • Email forwarding: Some forwarders modify content
  • Security gateways: Append disclaimers or scan/modify content
  • Antivirus/DLP systems: Add headers or modify body
  • Mail relays: Incorrectly configured intermediate servers

How to diagnose:

If DKIM passes when you send directly but fails through certain paths, something in that path modifies messages.

Check:

  • Do you have footer/disclaimer systems?
  • Are emails going through a security gateway?
  • Is this happening only for forwarded mail?

How to fix:

Options depend on the cause:

  • Disclaimers: Add before DKIM signing, not after
  • Security gateways: Configure to preserve DKIM or re-sign
  • Forwarding: Often unfixable; rely on SPF or accept some failures
  • Mailing lists: Usually unfixable; lists break DKIM by design

For forwarded email, this is a known limitation. DKIM will fail, but ARC (Authenticated Received Chain) can help preserve trust if receivers support it.
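To see exactly why the modifications listed above break DKIM, the following added example (not from the original post) implements RFC 6376 body canonicalization and the bh= body hash, then checks a constructed message against a constructed DKIM-Signature header whose b= value is a placeholder. Whitespace-only changes survive relaxed canonicalization, an appended disclaimer does not; the sample body, footer and the ExampleGateway name are made up for the demonstration.

```python
import base64
import hashlib
import re

def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """RFC 6376 body canonicalization: 'simple' only trims trailing empty lines, 'relaxed' also normalizes WSP."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """The bh= value for a=rsa-sha256: base64(SHA-256(canonical body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()

def parse_tags(header_value: str) -> dict:
    """Tag=value pairs of a DKIM-Signature value, folding whitespace removed."""
    return dict(t.split("=", 1) for t in "".join(header_value.split()).split(";") if "=" in t)

def body_matches_signature(dkim_signature: str, body: bytes) -> bool:
    """Recompute bh= under the body mode declared in c= (header/body; body defaults to simple)."""
    tags = parse_tags(dkim_signature)
    body_mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    return body_hash(body, body_mode) == tags["bh"]

# Constructed sample body plus two in-transit modifications from the list above.
ORIGINAL = b"Hello team,\r\n\r\nThe report is attached.\r\n"
REWRAPPED = b"Hello team,  \r\n\r\nThe  report is attached.\t\r\n\r\n"  # whitespace-only changes
WITH_FOOTER = ORIGINAL + b"\r\n-- \r\nScanned by ExampleGateway. Disclaimer text.\r\n"  # appended disclaimer
# Constructed DKIM-Signature as the signer would emit it for ORIGINAL; b= is a placeholder, not a real signature.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1; h=from:to:subject; "
             "bh=" + body_hash(ORIGINAL) + "; b=PLACEHOLDER")

def transit_effects() -> dict:
    """Which modifications survive the verifier's bh= comparison, per canonicalization mode."""
    return {
        "relaxed_whitespace_survives": body_hash(REWRAPPED) == body_hash(ORIGINAL),
        "simple_whitespace_survives": body_hash(REWRAPPED, "simple") == body_hash(ORIGINAL, "simple"),
        "footer_survives": body_hash(WITH_FOOTER) == body_hash(ORIGINAL),
    }
```

When diagnosing a failure, a bh= mismatch means the body changed after signing; if bh= matches but the b= signature fails, a header listed in h= was altered instead.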

Quick Diagnosis Checklist

When DKIM fails, check in order:

  1. Is the selector correct?
    • Look at the email header for the s= value
    • Verify a DNS record exists for that selector
  2. Does the DNS record exist?
    • dig txt selector._domainkey.domain.com
    • Should return a record starting with v=DKIM1
  3. Is the record properly formatted?
    • No extra spaces or line breaks
    • p= contains the full public key
    • Record is valid TXT format
  4. Does the key match?
    • Use DKIM validators to test signature verification
    • Regenerate a matched pair if a mismatch is suspected
  5. Is something modifying the email?
    • Test a direct send vs. one through the relay
    • Check for disclaimers, gateways, forwarders

Testing Your DKIM

Method 1: Send to Gmail

  1. Send an email to a Gmail account
  2. Open the email
  3. Click three dots → “Show original”
  4. Look for DKIM: PASS or DKIM: FAIL

Method 2: Online Validators

Use DKIM testing tools—enter your domain and selector to verify the DNS record is correct and the key is valid.

Method 3: Command Line

# Check if record exists
dig txt google._domainkey.yourdomain.com

# Should return something like:
# "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9..."

DKIM for Third-Party Senders

Each email service needs its own DKIM configuration:

Service            Typical Selector        Notes
Google Workspace   google                  Auto-enabled
Microsoft 365      selector1, selector2    Two for rotation
SendGrid           s1, s2                  Generated in dashboard
Mailchimp          k1                      Set up via DNS

Don’t assume one DKIM setup covers all senders. Each service signs with its own key and selector.

Prevention

  1. Document your selectors — Keep a list of which selector each service uses
  2. Test after changes — Always verify DKIM after any DNS or mail config changes
  3. Monitor DMARC reports — DKIM failures appear in aggregate reports
  4. Use 2048-bit keys — Future-proof your setup

For more on DKIM, see our guide on DKIM Key Rotation.

Verkh monitors DKIM across all your sending sources and alerts you when failures appear. Fix DKIM issues before they affect deliverability at verkh.io.
