How to Ask Your ESP to Fix DKIM (With Templates)

ESP support teams often struggle with DKIM issues because authentication problems require technical knowledge their front-line staff may not have. To get faster resolution, you need to provide specific information, use the right terminology, and know when to escalate.

This guide gives you templates for common scenarios and tips for communicating effectively with vendor support.

Why ESP Support Conversations Go Badly

Typical frustrating exchange:

You: “DKIM isn’t working for our domain.”

Support: “I see you have authentication enabled. Everything looks correct on our end.”

You: “But our DMARC reports show DKIM failures.”

Support: “You’ll need to check your DNS settings. Here’s our help article.”

The problem: support sees their system says “enabled” but doesn’t understand why authentication still fails. You need to bridge the gap.

Before You Contact Support

Gather this information:

1. Your Domain Name

Obvious, but specify the exact domain. mail.company.com and company.com are different.

2. The DKIM Selector

The selector is the prefix before ._domainkey.yourdomain.com. Common selectors:

ESP	Typical Selector
Mailchimp	k1
SendGrid	s1, s2
Google Workspace	google
Microsoft 365	selector1, selector2
Postmark	pm

Check your DNS for records like s1._domainkey.yourdomain.com.

3. The Specific Error

Look up the DKIM record and note what happens:

dig txt s1._domainkey.yourdomain.com

Possible results:

• No record found: DNS record missing
• Record exists but wrong format: Configuration error
• Record exists but signature fails: Key mismatch

4. Evidence from DMARC Reports

Find the specific failure in your reports:

<auth_results>
  <dkim>
    <domain>yourdomain.com</domain>
    <selector>s1</selector>
    <result>fail</result>
  </dkim>
</auth_results>

This proves the failure is happening, not just suspected.

Template 1: Initial Contact

Subject: DKIM authentication failing for [yourdomain.com] - need technical assistance

---

Hi,

I’m experiencing DKIM authentication failures for emails sent through your platform. I need help resolving this.

Domain: yourdomain.com

DKIM selector: [s1 or whatever selector they provided]

Current status:

• I’ve added the DNS records per your documentation
• The DKIM record is visible in DNS (verified via dig/nslookup)
• DMARC reports from Gmail/Microsoft show DKIM result: fail

Evidence: Our DMARC reports show DKIM failures for emails originating from your IPs:

• Source IP: [IP from your report]
• DKIM result: fail
• Selector checked: [selector]

Could you please:

1. Verify that DKIM signing is enabled for our account
2. Confirm the correct DKIM selector we should be using
3. Check if there’s a configuration issue on your end

This is blocking our ability to move to DMARC enforcement, so timely resolution is appreciated.

Thanks, [Your name] [Account/customer ID if you have one]

---

Template 2: When They Say Everything Looks Fine

Subject: RE: DKIM authentication failing - additional evidence

---

Thanks for checking. I understand it shows as enabled on your end, but the authentication is still failing at the recipient level.

Here’s specific evidence from our DMARC reports:

Report from Google (received [date]):

• Your IP [x.x.x.x] sent [X] emails
• DKIM result: fail
• Selector: [selector]

DNS verification: When I query [selector]._domainkey.yourdomain.com, I get: [paste the actual record you see]

Possible causes I’ve ruled out:

• DNS propagation (record has been live for [X] days)
• Typos in the record (copied exactly from your dashboard)

Could this be:

1. A key rotation issue where the signing key doesn’t match the published key?
2. A setting that enables DKIM in your system but isn’t actually signing our emails?
3. An issue with our specific account configuration?

I’d appreciate escalation to your technical team if front-line support can’t resolve this.

Thanks, [Your name]

---

Template 3: Requesting Escalation

Subject: RE: DKIM authentication failing - escalation request

---

I’ve been troubleshooting this for [X days/weeks] without resolution. The issue persists:

• DKIM is showing as enabled in your dashboard
• DNS records match your documentation
• DMARC reports continue showing DKIM failures from your IPs

This is now a business-critical issue because:

• Our DMARC policy can’t move to enforcement
• Email deliverability is being impacted
• We’re failing compliance requirements

I need to escalate this to your technical or engineering team. Please either:

1. Escalate this ticket to technical support
2. Provide a direct contact for authentication issues
3. Schedule a call with someone who can investigate server-side

Our account: [account ID] Our domain: [yourdomain.com] Selector: [selector]

Thank you, [Your name]

---

Template 4: Sharing DMARC Evidence (With Apex)

If you’re using Verkh, you can share an Apex dashboard directly:

Subject: DKIM failures from your platform - evidence dashboard

---

Hi,

We’re experiencing DKIM authentication failures for email sent through your platform.

I’ve created a dashboard showing the specific failures: [Apex dashboard link]

This shows:

• Which IPs are sending
• The DKIM failure details
• The volume affected

Our DNS is configured per your documentation. The issue appears to be on the signing side.

Can your technical team review and advise?

Thanks, [Your name]

---

Tips for Faster Resolution

Use Their Terminology

ESPs call authentication features different things:

ESP	What They Call It
Mailchimp	”Email domain authentication”
SendGrid	”Domain authentication” or “Sender authentication”
HubSpot	”Email sending domain”
Salesforce	”Email authentication”

Use their terms in tickets—it helps route to the right team.

Provide Specific IPs

When you can point to exact IPs from your DMARC reports, support can look up those servers in their system. Generic “DKIM isn’t working” is harder to investigate than “IP 198.51.100.25 is failing DKIM.”

Ask for Key Verification

A specific question support can answer: “Can you verify that the public key in our DNS matches the private key your servers are using to sign?”

Mention Business Impact

Support teams prioritize differently when they know:

• “This is blocking a product launch”
• “We’re failing security audits”
• “Customer emails are going to spam”

Be honest, but make the impact clear.

Request Written Confirmation

When they say it’s fixed, ask: “Can you confirm in writing that DKIM signing is enabled and the key matches what’s in our DNS?”

This protects you if the issue recurs.

When the ESP Can’t Help

Sometimes the provider genuinely can’t support your use case:

Signs they can’t help:

• They don’t offer custom DKIM (only sign with their domain)
• Documentation doesn’t exist
• Support has never heard of DMARC alignment

Your options:

1. Route email differently: Send through an ESP that does support authentication, and use the problematic service only for less critical email.

2. Accept the failure: For low-volume or non-critical email, you might accept some DMARC failures. Not ideal, but sometimes practical.

3. Switch providers: If authentication is critical and they can’t support it, find a provider that can.

4. Push harder: For larger accounts, ask your account manager or sales contact. Revenue-generating customers get more attention than generic support tickets.

Documenting for Later

Keep records of:

• What DNS records you added and when
• Screenshots of provider dashboard showing “enabled”
• Copies of DMARC reports showing failures
• Support ticket numbers and correspondence

If you need to escalate further (to management, legal, or while switching providers), documentation matters.

For more on coordinating with vendors, see our Complete Guide to Vendor Coordination for DMARC.

---

Verkh’s Apex dashboards give you shareable evidence of authentication failures—exactly what vendor support needs to investigate. Generate your vendor report at verkh.io.