Failing Email Authentication? Here’s How To Run A DKIM Record Check

Email authentication failures can significantly undermine your domain's credibility and your delivery rates. Whether you manage a corporate domain or run a transactional email service, failed DKIM (DomainKeys Identified Mail) validation can trigger spam filters, reduce the likelihood of landing in recipients' inboxes, and erode trust among your audience.

If your emails are failing DKIM authentication, diagnose and fix the problem promptly. This guide gives step-by-step instructions for running a DKIM record check, interpreting the results, and fixing common errors that can compromise the security and delivery of your emails.


What Is DKIM and Why Does It Matter?


DKIM adds a cryptographic signature to the emails you send. This digital signature serves to:

  • Confirm the sender's identity

  • Verify that the message has not been altered in transit

  • Support DMARC (Domain-based Message Authentication, Reporting & Conformance) compliance

If your email lacks a valid DKIM signature, it risks not passing authentication tests, which could result in it being classified as spam, spoofed, or unauthenticated. This is particularly true for stringent email providers such as Gmail, Outlook, and Yahoo.






How to Locate Your DKIM Record


DKIM records are published in your domain's DNS (Domain Name System) as TXT records. Each record is stored under a name with the following format.

DKIM Record Format:

selector._domainkey.yourdomain.com

  • Selector: A name you or your email service provider chose to differentiate keys

  • _domainkey: Required DKIM namespace

  • yourdomain.com: Your domain name

The complete DKIM TXT record includes your public key along with any optional parameters that may be specified.


Step-by-Step: How to Run a DKIM Record Check


Identify the DKIM Selector

To find or create the DKIM selector, log in to the administrative dashboard of your email service, such as Google Workspace, Microsoft 365, Mailchimp, or SendGrid.

Common selectors: google, mail, smtp, default

Use a DKIM Lookup Tool

You can check the DKIM record using online tools such as:

  • DKIMCore

  • MXToolbox DKIM Lookup

  • Google Admin Toolbox Dig

Enter the selector and domain, and the tool will retrieve the DKIM TXT record from your DNS.

Analyze the Results

If the record exists, the tool will display the public key and validation info:

  • Valid: Your DKIM key is found and correctly formatted

  • Warning: Key found, but its length or syntax is not ideal

  • Error: No DKIM record found or improperly configured


Common DKIM Errors and Fixes


Missing DKIM Record

Cause: No DKIM TXT record in your DNS

Fix: Create a DKIM key using your email provider and add it to your DNS configuration.

Wrong Selector

Cause: Querying with an incorrect or outdated selector

Fix: Check with your Email Service Provider (ESP) to confirm the currently active selector.

Key Formatting Issues

Cause: Line breaks, spaces, or unsupported characters in the DNS record

Fix: Make sure the complete key is published as one continuous string, free of any additional characters.

Short or Weak Key Length

Cause: Using outdated 512-bit DKIM keys

Fix: Move to 2048-bit keys to improve security and stay compatible with modern filters.

Key Not Matching Signature

Cause: The email was signed with a private key that does not correspond to the public key published in the DNS records.

Fix: Ensure that your ESP is synchronized with the DNS records. If necessary, regenerate and republish the keys.
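
The statuses from "Analyze the Results" and the errors listed above, applied to a TXT value you have already retrieved. This is an added example, not code from the original article; it assumes RSA keys (the DKIM default), the function names are hypothetical, and the sample records are constructed around a dummy modulus.

```python
import base64
import re

def _tlv(buf, pos, want):
    """Read one DER element that must carry tag `want`; return (body, next_pos)."""
    if buf[pos] != want:
        raise ValueError("unexpected DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        pos, length = pos + (length & 0x7F), int.from_bytes(buf[pos:pos + (length & 0x7F)], "big")
    return buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo."""
    spki, _ = _tlv(der, 0, 0x30)
    _, nxt = _tlv(spki, 0, 0x30)       # AlgorithmIdentifier, skipped
    bitstr, _ = _tlv(spki, nxt, 0x03)
    rsakey, _ = _tlv(bitstr, 1, 0x30)  # byte 0 of the BIT STRING counts unused bits
    modulus, _ = _tlv(rsakey, 0, 0x02)
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt):
    """Return (status, detail) for a DKIM TXT value, using the article's statuses."""
    if not txt:
        return "error", "no DKIM record found"
    txt = "".join(re.findall(r'"([^"]*)"', txt)) or txt  # join dig's quoted chunks
    tags = {k.strip(): v.strip() for k, _, v in (t.partition("=") for t in txt.split(";"))}
    if not tags.get("p"):
        return "error", "p= tag missing or empty, no public key published"
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):  # bad base64 (spaces, stray characters) or not RSA
        return "error", "key formatting issue in p="
    if bits < 2048:
        return "warning", f"{bits}-bit key, shorter than the recommended 2048 bits"
    return "valid", f"{bits}-bit RSA key"

def constructed_record(bits):
    """Constructed sample input: SPKI-shaped DER around a dummy modulus, not a usable key."""
    def tlv(tag, body):
        lb = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
        return bytes([tag]) + (lb if len(body) < 128 else bytes([0x80 | len(lb)]) + lb) + body
    rsakey = tlv(0x30, tlv(0x02, b"\x00" + b"\xc3" * (bits // 8)) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    der = tlv(0x30, alg + tlv(0x03, b"\x00" + rsakey))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der).decode()

if __name__ == "__main__":
    print([check_dkim_record(s) for s in (constructed_record(2048), constructed_record(512), "")])
```

Pass it the TXT value exactly as your lookup tool shows it; a long record printed as several quoted strings is joined before parsing.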






How to Validate a DKIM Signature on an Email


Even if your DNS record is correct, you should validate how emails are signed:

  • Send a Test Email: Send a test email to an account you can access, such as a Gmail or Outlook mailbox.

  • Check Email Headers: In Gmail:

    • Open the email → Click More (⋮) → Show Original

    • Look under Authentication-Results for:

      • dkim=pass (test passed)

      • dkim=fail (test failed)

This check confirms that the message itself is signed correctly, rather than only that the DNS record exists.