ServerRecords

Help & Troubleshooting

DKIM

What this is

DKIM signs outgoing mail with a private key; receivers fetch the public key from selector._domainkey.yourdomain.com to verify the message was authorized and unmodified. Each provider uses its own selector name.

How to read your result

A healthy record contains p= followed by a long base64 key. An empty p= means the key was revoked. Not finding a record often just means you queried the wrong selector — check your provider's documentation for the exact selector name.

Common problems and how to fix them

DKIM record missing for the selector the provider signs with

How it shows up: Receivers show dkim=fail or dkim=none; DMARC reports list failing sources that are actually your own provider.

How to fix it: Copy the exact record (selector and value) from your email provider's admin console into DNS. For Microsoft 365 and some others, you must also click "enable DKIM" in the console after publishing the CNAMEs.

Record truncated or reformatted by the DNS provider

How it shows up: DKIM verification fails even though the record "exists"; the key in DNS differs subtly from the one issued.

How to fix it: Re-paste the value; for keys over 255 characters ensure the provider splits them into multiple quoted strings correctly. Verify with a look up and compare the full p= value character-for-character.

Key never rotated

How it shows up: The same DKIM key has signed mail for years; a compromise of that key would let attackers sign as you indefinitely.

How to fix it: Rotate keys periodically (providers with paired selectors like selector1/selector2 automate this). Publish the new key, switch signing, then revoke the old one with an empty p= after a transition period.

Run a look up for this record