DomainSecurityScanner
High SeverityDKIM

Fix: DKIM DNS Record Not Found

The DKIM public key record was not found in DNS for the selector used by your email provider. Receiving servers cannot verify DKIM signatures without the public key.

Quick Fix

Publish your DKIM public key as a TXT or CNAME record at `selector._domainkey.yourdomain.com`.

What This Error Means

When a receiving server gets an email with a DKIM signature, it looks up the public key at selector._domainkey.yourdomain.com. If no record is found, DKIM verification fails with a "no key" result.

Why It Matters

Without the DKIM public key in DNS, all DKIM-signed emails from your domain will fail verification. DKIM cannot contribute to DMARC alignment, weakening your overall email authentication.

Step-by-Step Fix

1

Find your DKIM selector

Check your email provider's admin panel for the DKIM selector name.

Example
# Common DKIM selector lookups:
dig +short TXT google._domainkey.yourdomain.com
dig +short TXT selector1._domainkey.yourdomain.com
dig +short TXT s1._domainkey.yourdomain.com
dig +short TXT k1._domainkey.yourdomain.com
2

Get the public key from your provider

Your email provider will give you the DKIM public key or a CNAME target. Find this in the provider's DKIM settings.

3

Add the DNS record

Create a TXT or CNAME record as specified by your provider.

Example
# TXT record example:
Type: TXT
Host: google._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...

# CNAME record example (Microsoft 365):
Type: CNAME
Host: selector1._domainkey
Value: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
4

Verify the record

Check that the DKIM record resolves correctly.

Example
dig +short TXT google._domainkey.yourdomain.com
# Should return: "v=DKIM1; k=rsa; p=MIIBIjANBgk..."

Common Gotchas

  • The selector name is case-sensitive in DNS. Make sure it matches exactly what your email provider specifies.
  • Some providers use CNAME records instead of TXT records for DKIM. Follow the provider's specific instructions.
  • If you recently changed DNS providers, the DKIM records may not have been migrated.

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

How do I find my DKIM selector?

Check your email provider's admin panel. You can also find it in the DKIM-Signature header of a sent email — look for the s= tag (e.g., s=google means the selector is "google").

Should I use a TXT or CNAME record for DKIM?

It depends on your provider. Google Workspace uses TXT records, Microsoft 365 uses CNAME records. Follow your provider's setup guide.

Can I have multiple DKIM records?

Yes. Unlike SPF, you can have multiple DKIM records because each uses a different selector. This allows different email services to each have their own DKIM key.

Related Issues

No DKIM SignatureDKIM Syntax ErrorDKIM Key Too ShortAll Fix Guides →