# DKIM



> DKIM adds a signature to each email so inboxes can confirm that an approved domain accepted responsibility for the message.



- Human page: https://mailrith.com/guides/dkim

- Markdown page: https://mailrith.com/guides/dkim.md

- Category: Authentication and Deliverability

- Reading time: 9 min read

- Related keywords: DKIM, DKIM guide, Authentication and Deliverability, Authentication and Deliverability guide, email sending guide, email marketing guide, email deliverability guide, DMARC Alignment, DNS PTR and Reverse DNS, Google Email Sender Guidelines



## AI Agent Notes

- Use this page as plain-language guidance for the specific email sending issue named in the title.

- Preserve the distinction between Mailrith, an email delivery service, DNS, and inbox providers when explaining fixes.

- When a user is running a Mailrith free tool, pair that specific free-tool result with the relevant issue or step section from this guide.



### DKIM

DKIM adds a signature to each email so inboxes can confirm that an approved domain accepted responsibility for the message.

DKIM stands for DomainKeys Identified Mail. DKIM adds a digital signature to each email. Your email delivery service signs the outgoing message, and receiving inboxes use a public DNS record to verify the signature.

Your email delivery service stores the private signing key. You publish the public key in DNS. When an inbox receives the email, the inbox requests the public key from DNS and uses that key to check whether the signature is valid.

A DKIM signature has two fields that matter for Mailrith users. The selector tells the inbox which DNS record to look up. The signing domain, shown as `d=example.com`, tells the inbox which domain accepted responsibility for signing the message.

For [DMARC Alignment](https://mailrith.com/guides/dmarc-alignment.md), the DKIM `d=` domain must match the visible From domain, or it must be a subdomain of the same organizational domain in relaxed mode. If subscribers see `newsletter@example.com` and DKIM signs with `d=example.com`, DKIM aligns. If DKIM signs with `d=mail.example.com`, DKIM usually aligns in relaxed mode. If DKIM signs only with `d=provider.com`, DKIM does not align with `example.com`.

DKIM is often the most reliable way to make DMARC pass because DKIM can keep working after forwarding better than SPF. If a subscriber's company forwards the email internally, SPF may fail at the final inbox. DKIM can still pass if the forwarded message was not changed in a way that breaks the signature.

DKIM is not a content quality signal by itself. DKIM does not prove that subscribers wanted the email. DKIM only proves that the signed parts of the message match a domain's DKIM key. You still need permission, good list quality, and a low complaint rate.

1. Open the domain authentication page in your email delivery service.
2. Choose the same domain or subdomain that you plan to use in Mailrith as the visible From domain.
3. Add the DKIM DNS records that your email delivery service provides. These records are often CNAME records or TXT records with names like `selector._domainkey.example.com`.
4. Wait until your email delivery service shows that DKIM is verified.
5. Check the DKIM signing domain in your email delivery service. Confirm that the service signs with your domain, not only with its own shared service domain.
6. Send a test email through Mailrith using that connection.
7. Open the original headers for the test message and find the DKIM result.
8. Confirm that DKIM passes, then check the `d=` domain near the DKIM result.
9. Compare the `d=` domain with the visible From domain. If the domains do not align, read [DMARC Alignment](https://mailrith.com/guides/dmarc-alignment.md) and adjust domain authentication in your email delivery service.
10. Repeat the test after you change DNS records, email delivery service settings, or the sender domain.

- Publish the DKIM DNS records exactly as your email delivery service provides them.
- The DKIM selector is the record name. The DKIM `d=` value is the signing domain.
- When possible, use the same DKIM signing domain as the sender identity, or use an aligned subdomain.
- Use strong keys when your email delivery service offers a key strength choice.
- Rotate DKIM keys when your email delivery service recommends rotation or when a key may have been exposed.
- After setup, send a test message and inspect the authentication results.
- If DKIM passes but DMARC fails, the usual cause is a DKIM `d=` domain that does not align with the From domain.
- Prefer aligned DKIM for marketing email because SPF can fail after forwarding.
- If your email delivery service offers multiple DKIM selectors, keep the active records in DNS until the service confirms that the old selector is no longer used.

## Fix Common Issues
### Invalid DKIM Domain

A DKIM checker says the DKIM domain is not valid. DKIM records are looked up under a real domain, so the DKIM lookup cannot check URLs, email addresses, or empty values.

1. Enter only your domain from the From address, or copy it from the domain authentication screen in your email delivery service. For example, enter `example.com`.
2. Do not enter the full DKIM host name in the domain field. If your email delivery service shows `selector1._domainkey.example.com`, enter `example.com` as the domain and `selector1` as the selector.
3. Before you run the check, remove `https://`, paths, spaces, and mailbox names.
4. If you do not know the selector, leave the selector field empty to run a common-selector scan. Then open your email delivery service and confirm the exact selector.
5. After the DKIM DNS check passes, send a real test email and confirm that the DKIM `d=` domain aligns with the visible From domain.

### DKIM Selector Needed

A DKIM checker says it cannot find DKIM because no selector was entered or because a common-selector scan did not find a record. This means the DKIM lookup does not know the exact DNS name that your email delivery service uses.

1. Open your email delivery service settings for your domain. For example, use Zoho Mail Admin Console for Zoho, Amazon SES Verified Identities for SES, Google Admin for Google Workspace, or Microsoft 365 DKIM settings for Microsoft.
2. Find the DKIM, domain authentication, sender authentication, or verified identity screen for the exact sender domain.
3. Copy the selector or full host name shown by your email delivery service. The selector is the part before `._domainkey`. For `zoho._domainkey.example.com`, the selector is `zoho`.
4. Return to the DKIM checker, enter your domain and that selector, and run the check again.
5. If your email delivery service shows multiple selectors or CNAME records, check each selector or publish every CNAME exactly as shown.

### Missing DKIM Record

A DKIM checker looked up `selector._domainkey.example.com` and found no DKIM TXT record or connected-service CNAME.

1. Confirm that the selector is correct. A missing record often happens when you check `default` or `selector1` but your email delivery service uses a different selector.
2. Copy the DNS host name, record type, and value from your email delivery service. Do not change punctuation, quotes, or underscores.
3. Add the record in the DNS provider that hosts your domain's authoritative DNS. Do not add the record in an email service dashboard unless that same service also manages DNS.
4. If your email delivery service provides CNAME records, publish CNAME records. If the service provides TXT records, publish TXT records. Do not convert one record type into the other.
5. Wait for DNS propagation, then check the exact selector again.
6. After the DNS check passes, send a real test email and confirm that the message headers show DKIM pass with a `d=` domain that aligns with the From domain.

### Empty DKIM Key

The DKIM record exists but the `p=` value is empty. That usually means the key has been revoked and should not be used for live signing.

1. Open the DKIM settings for your domain in your email delivery service.
2. Generate, rotate, or re-enable a DKIM key.
3. Replace the empty DNS record with the new value from your email delivery service.
4. Wait until your email delivery service verifies the new record before you send campaigns.

### Short DKIM Key

The DKIM public key appears short. Older 1024-bit keys can still work, but many email delivery services now recommend stronger keys when they are available.

1. Check your email delivery service's DKIM settings for a key length option or key rotation option.
2. Use the stronger key option if your email delivery service offers one.
3. Publish the new record, and keep the old record active until your email delivery service confirms that the new key is verified.
4. After the rotation, send a test email and confirm that DKIM passes.

### DKIM Test Mode

The record includes `t=y`, which signals testing. It does not always break mail, but it means the domain owner has not fully moved the key into normal use.

1. Confirm that your email delivery service has verified the DKIM record.
2. Send a test email and confirm that DKIM passes.
3. If your email delivery service allows manual record editing, remove `t=y` from the DNS record. If the service does not allow manual editing, follow that service's instructions to leave test mode.
4. After DNS propagation, recheck the record.

> For most Mailrith senders, the safest path is to make DKIM align first. SPF alignment is useful, but aligned DKIM is usually easier to keep working across forwarding and mailing-list paths.

Related resources:
- [DMARC Alignment](https://mailrith.com/guides/dmarc-alignment.md): Learn how the DKIM `d=` domain must match the visible From domain.
- [DNS, PTR, and Reverse DNS](https://mailrith.com/guides/dns-and-reverse-dns.md): Understand the DNS records that DKIM uses.
- [Google Email Sender Guidelines](https://support.google.com/a/answer/81126): Google recommends DKIM for all sending domains and requires DKIM for bulk sending.



## Related Guides

- [Sender Domains and Email Authentication](https://mailrith.com/guides/sender-domains-and-authentication.md): Your sender domain is what inbox providers learn to trust. Authentication proves that your email delivery service is allowed to send email for your domain.

- [From, Reply-To, and Return-Path](https://mailrith.com/guides/from-reply-to-and-return-path.md): An email can include several sender-related addresses. Each address has a separate role for delivery, authentication, or replies.

- [DNS, PTR, and Reverse DNS](https://mailrith.com/guides/dns-and-reverse-dns.md): DNS records identify your domain. Reverse DNS helps inbox providers check that a sending IP address has a valid hostname.
