DKIM requires two components working together: a public key in DNS and a mail server that signs outgoing messages. Both must be configured correctly for DKIM to pass. This guide shows you how to verify both parts.
Step 1: Check Your DKIM DNS Record
First, verify your public key is published in DNS:
- Go to mxtoolbox.com/dkim.aspx
- Enter your domain name
- Enter your DKIM selector (e.g., "google" or "selector1")
- Click "DKIM Lookup"
The tool queries selector._domainkey.yourdomain.com and displays your public key record. If no record is found, your DNS configuration is incomplete.
Finding Your Selector
Common DKIM selectors by provider:
- Google Workspace: google
- Microsoft 365: selector1, selector2
- Amazon SES: Varies by region and date
If you do not know your selector, check your email provider's documentation or examine the DKIM-Signature header in a previously sent email.
Step 2: Test with Real Email
DNS lookup confirms your key is published, but you also need to verify your mail server is signing messages:
- Send a test email from your domain to a Gmail account
- Open the email in Gmail
- Click the three dots menu, then "Show original"
- Look for the Authentication-Results header
- Find dkim=pass
You should see something like:
Authentication-Results: mx.google.com;
dkim=pass header.d=example.com header.s=google
Understanding DKIM Results
dkim=pass
The signature is valid. The public key was found and the signature verified successfully.
dkim=fail
The signature is invalid. Possible causes:
- Message was modified after signing
- Wrong public key in DNS
- The private key used for signing does not correspond to the public key published in DNS
dkim=neutral or dkim=none
No DKIM signature was found on the message. Your mail server is not signing emails.
dkim=temperror
Temporary DNS lookup failure. The receiving server could not retrieve your public key.
dkim=permerror
Permanent error retrieving the public key. Check your DNS record for syntax errors.
Checking the DKIM-Signature Header
Every DKIM-signed email includes a DKIM-Signature header with these fields:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=example.com; s=google;
h=from:to:subject:date;
bh=...;
b=...
- d= Signing domain (should match your From domain)
- s= Selector (used to look up the public key)
- h= List of signed headers
- bh= Body hash
- b= The signature itself
Common DKIM Problems
Public Key Not Found
The DNS record does not exist or has the wrong selector. Verify the selector in your DKIM-Signature matches the DNS record location.
Body Hash Mismatch
The message body was modified after signing. This often happens with mailing lists, email gateways, or antivirus scanners that add footers or modify content.
Key Retrieval Failure
DNS timeout or unreachable DNS server. Check that your DNS is responding correctly and the record is properly formatted.
Signature Missing
Your mail server is not signing outgoing messages. Check your email service configuration to ensure DKIM signing is enabled.
Test All Sending Sources
If you use multiple systems to send email (marketing platform, transactional service, etc.), test DKIM from each one. Each sending source needs its own DKIM configuration.
Using Command Line
Query your DKIM record directly with dig:
dig TXT selector._domainkey.example.com +short
Replace "selector" with your actual selector and "example.com" with your domain.
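The steps above (reading d= and s= from a DKIM-Signature header, building the selector._domainkey name to query, and checking the returned TXT record for the syntax errors that cause dkim=permerror) as an added Python example; this is not code from the original guide, and the header, TXT record and the check_* function names are constructed for illustration.

```python
import re

# Constructed sample inputs (placeholders, not a real signature or key): a header in
# the layout shown above, and the TXT record dig would return for its selector.
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google; "
                    "h=from:to:subject:date; bh=BODYHASH=; b=SIGNATURE=")
SAMPLE_TXT = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"

def parse_tags(value: str) -> dict:
    """Split a tag=value list into a dict, dropping folding whitespace as verifiers do."""
    tags = {}
    for part in value.split(";"):
        part = "".join(part.split())
        if part:
            name, _, val = part.partition("=")
            tags[name] = val
    return tags

def dns_query_name(sig: dict) -> str:
    """Name holding the public key: selector._domainkey.signing-domain (s= and d=)."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def check_signature(header: str, from_domain: str) -> list:
    """Problems in a DKIM-Signature header that would stop it passing; [] if none."""
    sig, problems = parse_tags(header), []
    for tag in ("v", "a", "d", "s", "h", "bh", "b"):
        if tag not in sig:
            problems.append(f"missing required tag {tag}=")
    if "d" in sig and sig["d"].lower() != from_domain.lower():
        problems.append(f"d={sig['d']} does not match From domain {from_domain}")
    if "h" in sig and "from" not in sig["h"].lower().split(":"):
        problems.append("h= does not cover the From header")
    return problems

def check_txt_record(record: str) -> list:
    """Syntax problems in a DKIM TXT record (a usual cause of dkim=permerror)."""
    rec, problems = parse_tags(record), []
    if rec.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if not rec.get("p"):
        problems.append("p= is empty or missing: key revoked or never published")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+=*", rec["p"]):
        problems.append("p= is not valid base64")
    return problems

if __name__ == "__main__":
    print("dig TXT", dns_query_name(parse_tags(SAMPLE_SIGNATURE)), "+short")
    print(check_signature(SAMPLE_SIGNATURE, "example.com"), check_txt_record(SAMPLE_TXT))
```

Paste the real DKIM-Signature value from "Show original" in place of SAMPLE_SIGNATURE and the dig output in place of SAMPLE_TXT to check your own domain.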
