# DKIM



> DKIM adds a signature to each email so inboxes can check that an approved domain took responsibility for the message.



- Human page: https://mailrith.com/guides/dkim

- Markdown page: https://mailrith.com/guides/dkim.md

- Category: Authentication and Deliverability

- Reading time: 9 min read

- Related keywords: DKIM, DKIM guide, Authentication and Deliverability, Authentication and Deliverability guide, email sending guide, email marketing guide, email deliverability guide, DMARC Alignment, DNS PTR and Reverse DNS, Google Email Sender Guidelines



## AI Agent Notes

- Use this page as plain-language guidance for the specific email sending issue named in the title.

- Preserve the distinction between Mailrith, an email delivery service, DNS, and inbox providers when explaining fixes.

- When a user is running a free tool, pair the tool result with the relevant issue or step section from this guide.



### DKIM

DKIM stands for DomainKeys Identified Mail. It adds a digital signature to the email. Your email delivery service signs the outgoing message, and receiving inboxes use a public DNS record to check that signature.

Your email delivery service keeps the private signing key. You publish the public key in DNS. When an inbox receives the email, it asks DNS for the public key and uses it to check whether the signature is valid.

A DKIM signature has two details that matter for Mailrith users. The selector tells the inbox which DNS record to look up. The signing domain, shown as `d=example.com`, tells the inbox which domain took responsibility for signing the message.

For [DMARC Alignment](https://mailrith.com/guides/dmarc-alignment.md), the DKIM `d=` domain must match the visible From domain, or be a subdomain of the same organizational domain in relaxed mode. If subscribers see `newsletter@example.com` and DKIM signs with `d=example.com`, DKIM aligns. If DKIM signs with `d=mail.example.com`, it usually aligns in relaxed mode. If DKIM signs only with `d=provider.com`, it does not align with `example.com`.

DKIM is often the most reliable way to make DMARC pass because it can survive forwarding better than SPF. If a subscriber's company forwards the email internally, SPF may fail at the final inbox, but DKIM can still pass if the message was not changed in a way that breaks the signature.

DKIM is not a content quality signal by itself. It does not mean subscribers wanted the email. It only proves that the signed parts of the message match a domain's DKIM key. You still need permission, good list quality, and a low complaint rate.

Set up DKIM for your sender domain:
1. Open the domain authentication page in your email delivery service.
2. Choose the same domain or subdomain you plan to use in Mailrith as the visible From domain.
3. Add the DKIM DNS records your email delivery service gives you. These are often CNAME records or TXT records with names like `selector._domainkey.example.com`.
4. Wait until your email delivery service says DKIM is verified.
5. Check whether your email delivery service is signing with your domain, not only with its own shared service domain.
6. Send a test email through Mailrith using that connection.
7. Open the message's original headers and find the DKIM result.
8. Confirm DKIM passes and check the `d=` domain near the DKIM result.
9. Compare the `d=` domain with the visible From domain. If they do not align, read [DMARC Alignment](https://mailrith.com/guides/dmarc-alignment.md) and adjust your email delivery service's domain authentication.
10. Repeat the test after any DNS change, email delivery service setting change, or sender domain change.
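
Steps 7 to 9 as code, an added example that is not part of the Mailrith guide: it parses a constructed message's `Authentication-Results` and `DKIM-Signature` headers, pulls out the DKIM result, the `d=` domain and the selector, and applies the alignment rules described above (exact match in strict mode, same organizational domain in relaxed mode). The message, domain names and signature values are constructed, and the organizational-domain helper is a deliberate simplification (last two labels) rather than the Public Suffix List lookup real DMARC evaluators use.

```python
import email
import email.utils
import re

# Constructed sample message: the headers below are what an inbox might add when the
# signing domain is a subdomain of the From domain. Signature values are placeholders.
RAW_MESSAGE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=mail.example.com header.s=mr1;
 spf=fail smtp.mailfrom=bounce.provider.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.com;
 s=mr1; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Newsletter <newsletter@example.com>
To: subscriber@example.net
Subject: DKIM alignment test

Hello
"""


def parse_tags(header_value):
    """Split a 'k=v; k=v' header such as DKIM-Signature into a dict (folding removed)."""
    tags = {}
    for part in " ".join(header_value.split()).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def organizational_domain(domain):
    """Assumption: the last two labels. Real DMARC uses the Public Suffix List, so
    country-code suffixes such as co.uk need a PSL lookup instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dkim_aligns(signing_domain, from_domain, mode="relaxed"):
    """DMARC identifier alignment for DKIM: exact match in strict mode, same
    organizational domain in relaxed mode (the default)."""
    signing, sender = signing_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "strict":
        return signing == sender
    return organizational_domain(signing) == organizational_domain(sender)


def check_message(raw):
    """Read the DKIM result, the d= domain and the selector from the headers,
    then compare d= with the visible From domain."""
    msg = email.message_from_string(raw)
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    sig = parse_tags(msg.get("DKIM-Signature") or "")
    result = re.search(r"\bdkim=(\w+)", auth)
    header_d = re.search(r"\bheader\.d=([^\s;]+)", auth)
    # Prefer the d= the inbox reported; fall back to the signature header itself.
    signing_domain = header_d.group(1) if header_d else sig.get("d", "")
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    selector = sig.get("s", "")
    return {
        "dkim_result": result.group(1) if result else "none",
        "signing_domain": signing_domain,
        "selector": selector,
        "dns_name": f"{selector}._domainkey.{signing_domain}",  # record the inbox fetched
        "from_domain": from_domain,
        "aligned_relaxed": dkim_aligns(signing_domain, from_domain),
        "aligned_strict": dkim_aligns(signing_domain, from_domain, "strict"),
    }


if __name__ == "__main__":
    for key, value in check_message(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Paste the original headers of a real test message into `RAW_MESSAGE` to repeat the check against your own send; `dns_name` is the record the receiving inbox fetched, which is the same name your DKIM checker needs. If `dkim_result` is `pass` but `aligned_relaxed` is `False`, the signing domain is the problem, not the key.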

Good practices:
- Publish the DKIM DNS records exactly as your email delivery service gives them.
- The DKIM selector is the record name. The DKIM `d=` value is the signing domain.
- Use the same DKIM signing domain, or an aligned subdomain, as the sender identity when possible.
- Use strong keys when your email delivery service gives you a choice.
- Rotate DKIM keys when your email delivery service recommends it or when a key may be exposed.
- Send a test message and inspect authentication results after setup.
- If DKIM passes but DMARC fails, the usual cause is a DKIM `d=` domain that does not align with the From domain.
- Prefer aligned DKIM for marketing email because SPF can fail after forwarding.
- If your email delivery service offers multiple DKIM selectors, keep the active records in DNS until that service confirms the old selector is no longer used.

## Fix Common Issues
### Invalid DKIM Domain

A checker says the DKIM domain is not valid. DKIM records are looked up under a real domain, so URLs, email addresses, and empty values cannot be checked.

1. Use only the domain from the From address or the domain authentication screen in your email delivery service, such as `example.com`.
2. Do not enter the full DKIM host name in the domain field. If your email delivery service shows `selector1._domainkey.example.com`, enter `example.com` as the domain and `selector1` as the selector.
3. Remove `https://`, paths, spaces, and mailbox names before running the check.
4. If you do not know the selector, leave the selector field empty for a common-selector scan, then confirm the exact selector inside your email delivery service.
5. After the DKIM DNS check passes, send a real test email and confirm the DKIM `d=` domain aligns with the visible From domain.

### DKIM Selector Needed

A checker says it cannot find DKIM because no selector was entered, or because a common selector scan did not find a record. This means the checker does not know the exact DNS name used by your email delivery service.

1. Open your email delivery service for this domain. For example, use Zoho Mail Admin Console for Zoho, Amazon SES Verified Identities for SES, Google Admin for Google Workspace, or Microsoft 365 DKIM settings for Microsoft.
2. Find the DKIM, domain authentication, sender authentication, or verified identity screen for the exact sender domain.
3. Copy the selector or full host name shown by your email delivery service. The selector is the part before `._domainkey`. For `zoho._domainkey.example.com`, the selector is `zoho`.
4. Return to the DKIM checker, enter the domain and that selector, and check again.
5. If your email delivery service shows multiple selectors or CNAME records, check each selector or publish every CNAME exactly as shown.

### Missing DKIM Record

A checker looked up `selector._domainkey.example.com` and found no DKIM TXT record or connected-service CNAME.

1. Confirm the selector is correct. A missing record is often caused by checking `default` or `selector1` when your email delivery service uses a different selector.
2. Copy the DNS host name, record type, and value from your email delivery service without changing punctuation, quotes, or underscores.
3. Add the record in the DNS provider that hosts the domain's authoritative DNS, not in an email service dashboard unless that same service also manages DNS.
4. If your email delivery service gives CNAME records, publish CNAME records. If it gives TXT records, publish TXT records. Do not convert one type into the other.
5. Wait for DNS propagation, then check the exact selector again.
6. After the DNS check passes, send a real test email and confirm the message headers show DKIM pass with a `d=` domain that aligns with the From domain.

### Empty DKIM Key

The DKIM record exists but the `p=` value is empty. That usually means the key has been revoked and should not be used for live signing.

1. Open the DKIM settings for the domain in your email delivery service.
2. Generate, rotate, or re-enable a DKIM key.
3. Replace the empty DNS record with the new value from your email delivery service.
4. Wait for your email delivery service to verify the new record before sending campaigns.

### Short DKIM Key

The DKIM public key appears short. Older 1024-bit keys can still work, but many email delivery services now recommend stronger keys when available.

1. Check your email delivery service's DKIM settings for a key length or key rotation option.
2. Use the stronger key option if your email delivery service offers it.
3. Publish the new record while keeping the old record active until your email delivery service confirms the new key is verified.
4. Send a test email after the rotation and confirm DKIM pass.

### DKIM Test Mode

The record includes `t=y`, which signals testing. It does not always break mail, but it means the domain owner has not fully moved the key into normal use.

1. Confirm your email delivery service has verified the DKIM record.
2. Send a test email and confirm DKIM pass.
3. Remove `t=y` from the DNS record if your email delivery service allows manual record editing, or follow that service's instructions to leave test mode.
4. Recheck the record after DNS propagation.
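
The checks from the issue sections above (invalid domain input, selector needed, missing record, empty `p=`, short key, `t=y`) as one checker, an added example that is not Mailrith's own tool: it takes the domain and selector the way the guide says to enter them, builds `selector._domainkey.domain`, parses the TXT record tags, and measures the RSA modulus by walking the DER structure of the `p=` key. `FAKE_DNS` is a constructed stand-in for a DNS lookup, its keys are placeholder moduli built by `build_placeholder_spki` rather than real keys, and the 2048-bit threshold reflects the common recommendation, not a figure from this guide.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1, rsaEncryption
RECOMMENDED_BITS = 2048                          # 1024-bit keys still verify but are flagged


def split_dkim_input(domain_input, selector=""):
    """Turn what a user typed into (domain, selector), rejecting URLs and mailboxes."""
    raw = domain_input.strip().lower().rstrip(".")
    if not raw or "@" in raw or "/" in raw or " " in raw or ":" in raw:
        raise ValueError("enter a bare domain such as example.com, not a URL or address")
    if "._domainkey." in raw:                    # full host name pasted into the domain field
        selector, raw = raw.split("._domainkey.", 1)
    return raw, selector.strip().lower()


def parse_tags(txt):
    """Parse 'v=DKIM1; k=rsa; p=...' into a dict; whitespace inside values is dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def _der_read(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a SubjectPublicKeyInfo blob."""
    tag, spki, _ = _der_read(spki_der, 0)        # SEQUENCE { algorithm, subjectPublicKey }
    _, _algorithm, pos = _der_read(spki, 0)
    bit_tag, bitstring, _ = _der_read(spki, pos)
    if tag != 0x30 or bit_tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo structure")
    _, rsa_public_key, _ = _der_read(bitstring[1:], 0)   # skip the unused-bits byte
    int_tag, modulus, _ = _der_read(rsa_public_key, 0)   # INTEGER n comes first
    if int_tag != 0x02:
        raise ValueError("RSAPublicKey does not start with an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(domain_input, selector, dns):
    """Run the issue checks against a name -> [TXT strings] lookup table."""
    domain, selector = split_dkim_input(domain_input, selector)
    if not selector:
        return {"name": None, "findings": ["selector-needed"], "key_bits": None}
    name = f"{selector}._domainkey.{domain}"
    strings = dns.get(name)
    if not strings:
        return {"name": name, "findings": ["missing"], "key_bits": None}
    tags = parse_tags("".join(strings))          # long keys are split over several strings
    if not tags.get("p"):
        return {"name": name, "findings": ["empty-key"], "key_bits": None}
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    findings = []
    if bits < RECOMMENDED_BITS:
        findings.append("short-key")
    if "y" in tags.get("t", "").split(":"):      # t= holds colon-separated flags
        findings.append("test-mode")
    return {"name": name, "findings": findings or ["ok"], "key_bits": bits}


# --- constructed sample data (placeholder keys, not real DNS) ----------------

def _der_tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def build_placeholder_spki(bits):
    """Structurally valid SPKI whose modulus is a placeholder of exactly `bits` bits."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_public_key = _der_tlv(0x30, _der_tlv(0x02, b"\x00" + modulus)
                              + _der_tlv(0x02, (65537).to_bytes(3, "big")))
    algorithm = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + _der_tlv(0x05, b""))
    return _der_tlv(0x30, algorithm + _der_tlv(0x03, b"\x00" + rsa_public_key))


def _p(bits):
    return base64.b64encode(build_placeholder_spki(bits)).decode()


FAKE_DNS = {
    "mr1._domainkey.example.com": ["v=DKIM1; k=rsa; p=" + _p(2048)],
    "old._domainkey.example.com": ["v=DKIM1; k=rsa; p="],                 # revoked key
    "legacy._domainkey.example.com": ["v=DKIM1; t=y; k=rsa; p=" + _p(1024)],
}

if __name__ == "__main__":
    for domain, selector in [("example.com", "mr1"), ("example.com", "old"),
                             ("legacy._domainkey.example.com", ""), ("example.com", "default")]:
        print(domain, selector, check_dkim_record(domain, selector, FAKE_DNS))
```

To run it against live DNS, replace the `dns.get(name)` lookup with a real TXT query for `name` and keep the rest unchanged; the record type matters, so a CNAME from your email delivery service should resolve to a TXT at the target rather than be re-typed as TXT. The `legacy` entry shows the two findings stacking: a record can be both short and still in test mode.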

> For most Mailrith senders, the safest path is to make DKIM align first. SPF alignment is useful, but aligned DKIM is usually easier to keep working across forwarding and mailing-list paths.

Related resources:
- [DMARC Alignment](https://mailrith.com/guides/dmarc-alignment.md): Learn how the DKIM `d=` domain must match the visible From domain.
- [DNS, PTR, and Reverse DNS](https://mailrith.com/guides/dns-and-reverse-dns.md): Understand the DNS records used by DKIM.
- [Google Email Sender Guidelines](https://support.google.com/a/answer/81126): Google recommends DKIM for all sending domains and requires it for bulk sending.



## Related Guides

- [Sender Domains and Email Authentication](https://mailrith.com/guides/sender-domains-and-authentication.md): Your sender domain is the name inboxes learn to trust, and authentication proves that your email delivery service is allowed to send for it.

- [From, Reply-To, and Return-Path](https://mailrith.com/guides/from-reply-to-and-return-path.md): An email has several sender-related addresses, and each one has a different job in delivery and replies.

- [DNS, PTR, and Reverse DNS](https://mailrith.com/guides/dns-and-reverse-dns.md): DNS records identify your domain, while reverse DNS helps inboxes check whether a sending IP has a sensible hostname.
