How to Fix DKIM
DKIM (DomainKeys Identified Mail) lets receiving mail servers verify that an email was actually sent by the owner of the domain and hasn't been tampered with in transit. If your DKIM check failed, here's how to fix it.
What is DKIM?
DKIM adds a digital signature to the headers of your outgoing emails. The receiving server looks up a public key in your DNS records and uses it to verify the signature. If it matches, the email passes DKIM — proving it came from you and wasn't altered.
Why DKIM Matters
- Gmail, Outlook, and Yahoo require DKIM for bulk senders.
- Failing DKIM significantly increases your spam score.
- DKIM is required for DMARC to work with "alignment".
- Without DKIM, anyone can forge emails from your domain.
Step-by-Step Fix
1. Generate a DKIM Key Pair
Most email providers (Google Workspace, Microsoft 365, Resend, SendGrid, Mailgun, etc.) will generate a DKIM key pair for you. Go to your email provider's admin panel and look for "Authentication" or "DKIM Settings".
2. Add the DNS Record
Your provider will give you a TXT or CNAME record to add to your domain's DNS. It typically looks like:
# Example TXT record
Host: selector1._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCS...
3. Wait for DNS Propagation
DNS changes can take 15 minutes to 48 hours to propagate globally. Most providers update within 1-2 hours.
4. Verify with CheckEmailDelivery.com
Once your DNS change has propagated, run a new test on CheckEmailDelivery.com to confirm your DKIM check passes.
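An offline sanity check for the TXT value from step 2, useful before re-running the test in step 4. This is an added example, not code from the original page or from any provider. The names `check_record`, `rsa_bits` and `constructed_record` are invented here, the sample keys are constructed dummies, and the 2048-bit threshold follows the RFC 8301 recommendation.

```python
import base64

def _tlv(tag, body):  # DER-encode one element; only used to build the constructed sample
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_record(bits):
    """Constructed sample TXT value: SPKI-shaped key with a dummy modulus, not a real key."""
    rsa = _tlv(0x30, _tlv(0x02, b"\x00" + b"\xff" * (bits // 8)) + _tlv(0x02, b"\x01\x00\x01"))
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption + NULL
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def _read(buf, i, tag):  # parse the DER header at buf[i] -> (content_start, content_length)
    if i + 2 > len(buf) or buf[i] != tag:
        raise ValueError("not a DER public key")
    n, i = buf[i + 1], i + 2
    if n >= 0x80:  # long form: low 7 bits give the number of length bytes
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    if i + n > len(buf):
        raise ValueError("key is truncated")
    return i, n

def rsa_bits(spki):
    """Walk SubjectPublicKeyInfo down to the RSA modulus; return its bit length."""
    i, _ = _read(spki, 0, 0x30)      # SubjectPublicKeyInfo
    i, n = _read(spki, i, 0x30)      # AlgorithmIdentifier, skipped
    i, _ = _read(spki, i + n, 0x03)  # BIT STRING holding the key
    i, _ = _read(spki, i + 1, 0x30)  # RSAPublicKey, after the unused-bits byte
    i, n = _read(spki, i, 0x02)      # modulus INTEGER
    return int.from_bytes(spki[i:i + n], "big").bit_length()

def check_record(txt):
    """Return the problems found in a DKIM key record's TXT value (empty list = looks fine)."""
    pairs = (part.partition("=") for part in txt.replace('"', "").split(";"))  # drop zone-file quotes
    tags = {k.strip(): "".join(v.split()) for k, sep, v in pairs if sep}
    problems = ["v= is not DKIM1"] if tags.get("v", "DKIM1") != "DKIM1" else []
    if "p" not in tags:
        problems.append("no p= tag")
    elif not tags["p"]:
        problems.append("empty p= (key revoked)")
    elif tags.get("k", "rsa") == "rsa":
        try:
            if rsa_bits(base64.b64decode(tags["p"], validate=True)) < 2048:
                problems.append("weak: RSA key under 2048 bits")
        except ValueError as exc:  # binascii.Error (bad base64) is a ValueError subclass
            problems.append(f"p= is damaged: {exc}")
    return problems
```

A `p=` value beginning `MIGf`, as in the example record above, is what a 1024-bit RSA key encodes to; a 2048-bit key begins `MIIBIjAN`. A record cut short by a DNS panel's field limit shows up here as "key is truncated".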
Provider-Specific Guides
- Google Workspace: Admin → Apps → Gmail → Authenticate email → Generate new record.
- Microsoft 365: Defender → Email & Collaboration → Policies → Threat Policies → DKIM.
- Resend / SendGrid / Mailgun: Dashboard → Domains → DNS records. They usually provide CNAME records to add.
Troubleshooting
- Still failing after adding DNS? Double-check the selector name matches exactly what your provider gave you.
- Multiple DKIM records? You can have more than one DKIM record (with different selectors). This is fine and common.
- Using a forwarding service? Email forwarding can break DKIM signatures. Consider setting up an alias or routing rule instead.