High Severity | DKIM

Fix: DKIM Signature Not Found

Emails sent from your domain do not contain a DKIM-Signature header. The email content cannot be verified as unmodified and the sending domain cannot be cryptographically authenticated.

Quick Fix

Enable DKIM signing in your email provider and publish the public key in DNS.

What This Error Means

DKIM adds a cryptographic signature to outgoing emails. When no DKIM-Signature header is present, the receiving server cannot verify that the email was actually sent by an authorized server or that the content was not tampered with in transit.

Why It Matters

Without DKIM, you lose one of the two alignment mechanisms for DMARC. If SPF fails (common with email forwarding), there is no fallback and DMARC will fail. DKIM also improves sender reputation and deliverability.

Step-by-Step Fix

1. Generate DKIM keys in your email provider

Log into your email service provider's admin panel and enable DKIM. They will generate a key pair and provide you with the public key to publish in DNS.

2. Add the DKIM public key to DNS

Create a TXT or CNAME record at the selector._domainkey.yourdomain.com location provided by your email service.

Example
# For Google Workspace:
Type: TXT
Host: google._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...(your public key)...

# For Microsoft 365:
Type: CNAME
Host: selector1._domainkey
Value: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

3. Enable DKIM signing

Some providers require you to explicitly enable DKIM signing after publishing the DNS record. Toggle it on in your admin panel.

4. Verify DKIM is working

Send a test email and check the headers for a DKIM-Signature header and a passing DKIM result.

Example
# In the email headers, look for:
# DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=google; ...
# Authentication-Results: ... dkim=pass header.d=yourdomain.com
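
The header check in this step can be scripted. The following is an added example, not code from this page or from any email provider: it reads a raw message, lists each DKIM-Signature header with the DNS name where its public key must be published, and matches it against the dkim= result in Authentication-Results. The sample message, the function names `parse_tags` and `check_dkim`, and the simplified alignment test are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample message; domain, selector and signature values are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=yourdomain.com header.s=google;
 spf=pass smtp.mailfrom=yourdomain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com;
 s=google; h=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=
From: alice@yourdomain.com
To: bob@example.net
Subject: DKIM test

hello
"""

def parse_tags(value):
    """Split a DKIM tag=value list into a dict, removing folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_dkim(raw, from_domain):
    """Return one report per DKIM-Signature header; an empty list means unsigned mail."""
    msg = message_from_string(raw)
    # Collect (result, header.d) pairs. Only trust Authentication-Results headers
    # stamped by your own receiving server; a sender can add fake ones.
    results = []
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";"):
            m = re.match(r"\s*dkim=(\w+)", clause)
            if m:
                d = re.search(r"header\.d=([\w.-]+)", clause)
                results.append((m.group(1).lower(), d.group(1).lower() if d else None))
    report = []
    for tags in (parse_tags(h) for h in msg.get_all("DKIM-Signature", [])):
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        report.append({
            "dns_name": f"{s}._domainkey.{d}",  # where the public key must be published
            "algorithm": tags.get("a"),
            # Simplified alignment: exact match or subdomain, no Public Suffix List lookup.
            "aligned": d == from_domain or d.endswith("." + from_domain),
            "passed": ("pass", d) in results,
        })
    return report

if __name__ == "__main__":
    print(check_dkim(SAMPLE, "yourdomain.com"))
```

An empty list corresponds to the "DKIM Signature Not Found" condition. A report with "aligned" set to False means the message was signed, but by a domain that will not help DMARC for your From address.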

Common Gotchas

  • DKIM must be enabled both in DNS (public key) and in your email provider (signing). Publishing the DNS record alone is not enough.
  • Each email provider requires its own DKIM setup. If you send through multiple services, each needs its own DKIM selector and key.
  • DKIM keys should be at least 2048 bits. Some older setups use 1024-bit keys, which are considered weak.

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

How do I enable DKIM for Google Workspace?

In the Google Admin console, go to Apps > Google Workspace > Gmail > Authenticate email. Generate a new DKIM key (select 2048-bit), add the TXT record to your DNS, then click "Start Authentication".

Do I need a separate DKIM key for each email service?

Yes. Each email service that sends on behalf of your domain should have its own DKIM selector and key pair. They publish under different selectors, so they do not conflict.

What is a DKIM selector?

A selector is a name that identifies a specific DKIM key. The full DNS location is selector._domainkey.yourdomain.com. Different services use different selectors (e.g., "google" for Google Workspace, "s1" for SendGrid).
