Skip to main content

Fix Guides

How to Fix Missing DKIM

Publish the DNS key that proves your email is genuine and unaltered.

Quick fix

To fix missing DKIM, enable DKIM signing in your email provider, copy the public key and selector they give you, and publish a DNS TXT record at selector._domainkey.yourdomain.com. Send a test message and confirm dkim=pass in the headers, then re-scan.

DKIM adds a cryptographic signature to outgoing mail. Receiving servers verify it against a public key in your DNS. Without DKIM, messages may fail authentication checks, hurt deliverability, and prevent DMARC from passing on the DKIM path.

Check your website

See how your site handles how to fix missing dkim — free, no account needed.

Business impact

DKIM is what lets Gmail, Outlook and other providers trust that your email really came from you and was not tampered with. For any business sending transactional or marketing email, missing DKIM means more spam-folder placement and weaker protection against forged messages in your name.

Why this happens

DKIM appears "missing" when no valid TXT record exists at selector._domainkey.domain for your sending selector(s), or when signing is enabled at the provider but the DNS key was never published. Each mail service uses its own selector (e.g. google, selector1, k1). You need a record for every service that signs mail for your domain.

How to confirm the issue

Manually: send yourself an email from your domain and inspect the raw headers for DKIM-Signature. Note the s= selector, then look up selector._domainkey.yourdomain.com TXT — it should contain v=DKIM1 and a p= public key.

With Plexa Trust: a full scan checks your DNS email authentication posture. After publishing DKIM keys, re-scan to confirm your domain's authentication stack is complete.

Step-by-step fix

  1. Identify every service that sends email as your domain (workspace, marketing, CRM, support desk).

  2. In each provider's admin panel, enable DKIM signing and generate keys if not already done.

  3. Copy the selector name and the full TXT record value the provider supplies.

  4. Add a TXT record in DNS: Name = selector._domainkey, Value = the DKIM string.

  5. Repeat for each provider/selector that sends on your behalf.

  6. Send test emails and verify dkim=pass; ensure the From domain aligns for DMARC.

Platform-specific fixes

Google Workspace

  1. Admin console → Apps → Google Workspace → Gmail → Authenticate email.

  2. Click Generate new record, copy the DNS TXT name (google._domainkey) and value.

  3. Add the TXT record at your DNS host, then click Start authentication in Admin.

Microsoft 365

  1. Microsoft 365 Defender → Email & collaboration → Policies & rules → Threat policies → DKIM.

  2. Select your domain and enable DKIM — two CNAME records are created automatically if DNS is hosted with Microsoft.

  3. If DNS is external, add the CNAME records Microsoft provides, then enable signing.

SendGrid

  1. Settings → Sender Authentication → Authenticate Your Domain.

  2. Follow the wizard — SendGrid gives you CNAME records (often easier than raw TXT) for DKIM.

  3. Verify in SendGrid once DNS propagates.

Mailchimp / marketing platforms

  1. Account → Domains → Authenticate domain — the platform provides DKIM (and often SPF) DNS entries.

  2. Add all records exactly as shown; do not truncate long keys.

  3. Use the platform's verify button before sending campaigns.

Cloudflare / external DNS

  1. Add TXT (or CNAME if the provider specifies) at the exact hostname given — e.g. selector1._domainkey.

  2. Long DKIM keys may need to be split into multiple quoted strings in some DNS panels — follow your provider's format.

  3. Set proxy to DNS only for DKIM hostnames.

How to verify the fix

  • Use 2048-bit RSA keys where your provider supports them.

  • Publish DKIM for every sender, not just your primary mailbox provider.

  • Confirm DKIM alignment with your From domain so DMARC can pass.

  • Rotate keys when your provider recommends it, updating DNS before retiring old selectors.

Common mistakes

  • Enabling DKIM at the provider but never publishing the DNS record.

  • Truncating a long public key in DNS (breaks verification).

  • Using the wrong selector hostname (must match the s= tag in sent mail).

  • Forgetting DKIM for a secondary sender (e.g. only Google, not Mailchimp).

Frequently asked questions

What is a DKIM selector?

A label identifying which public key to use. It appears in the DKIM-Signature header as s= and in DNS as selector._domainkey.yourdomain.com.

Is SPF or DKIM more important?

Both matter. SPF authorises sending servers; DKIM proves message integrity and survives forwarding better. Use both, then enforce with DMARC.

Why does my DKIM fail after setup?

Common causes: DNS not propagated, truncated key, wrong selector hostname, or signing not enabled at the provider yet.

Can I have multiple DKIM records?

Yes — one per selector. Each sending service typically uses its own selector at a different _domainkey hostname.

Does DKIM encrypt my email?

No. DKIM signs headers/body for authenticity; it does not encrypt content. Use TLS in transit for encryption.

What is DKIM alignment?

The domain in the DKIM d= tag must match (or align with) the visible From domain for DMARC to pass on the DKIM path.

How long do DKIM DNS changes take?

Same as any DNS — often under an hour, up to 48 hours depending on TTL and caching.

How do I verify DKIM is working?

Send a test email, view raw headers for Authentication-Results: dkim=pass, or use a mail-tester service.

Think you've fixed it?

Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.

Verify with a free scan

Upgrade to Pro for monitoring