DKIM Setup Problems: Why Your DKIM Is Probably Broken
DKIM is one of the most commonly misconfigured email authentication methods. Even if you think you've set it up, there's a good chance it's not working.
What Is DKIM?
DKIM stands for DomainKeys Identified Mail. It adds a digital signature to every email you send, proving the email wasn't changed after it was sent.
Think of DKIM like a wax seal on a letter. In the old days, important letters had a wax seal that would break if someone opened the letter. DKIM does the same thing digitally - if someone tampers with your email, the signature breaks.
Why DKIM Often Breaks
The main reason DKIM fails is that it requires two separate steps:
Enable DKIM in your email service
This tells the service to sign your emails
Add the DKIM DNS record to your domain
This publishes the public key so receivers can verify signatures
Many people do step 1 but forget step 2. Or they do step 2 but make a typo in the DNS record. Either way, DKIM fails silently - you won't know it's broken until your emails start going to spam.
Multiple Services Need Multiple DKIM Records
Unlike SPF where you have one record listing all services, DKIM requires a separate record for each service.
If you use Google Workspace for regular email and Mailchimp for newsletters, you need:
- A DKIM record for Google Workspace (usually at
google._domainkey.yourdomain.com) - A DKIM record for Mailchimp (usually at
k1._domainkey.yourdomain.com)
Each service uses a different "selector" - a unique identifier that tells email providers which DKIM key to use for verification.
Common DKIM Selectors
Different email services use different DKIM selectors. Here are the most common ones:
| Service | Common Selectors |
|---|---|
| Google Workspace | google |
| Microsoft 365 | selector1, selector2 |
| Mailchimp | k1, k2, k3 |
| SendGrid | s1, s2 |
| Klaviyo | default |
Common DKIM Problems
1. DKIM Not Enabled in Email Service
You added the DNS record, but forgot to enable DKIM signing in your email service settings. The DNS record exists, but emails aren't being signed.
2. DNS Record Not Added
You enabled DKIM in your email service, but never added the DNS record. Emails are being signed, but receivers can't verify the signature.
3. Typo in DNS Record
DKIM records are long and complex. A single typo makes the entire record invalid. This is especially common when copying and pasting.
4. DNS Propagation Delay
After adding a DKIM record, it can take 24-72 hours for DNS changes to propagate worldwide. During this time, DKIM verification may fail intermittently.
5. Missing DKIM for Secondary Services
You set up DKIM for your main email (Google Workspace) but forgot about Mailchimp. Now your newsletters are going to spam.
How to Check If Your DKIM Is Working
The easiest way to check your DKIM is to use an email deliverability checker that scans for common DKIM selectors. This will tell you:
- Which DKIM records exist for your domain
- Which selectors are configured
- If there are any problems with your DKIM setup
Check Your DKIM Setup
Find out if your DKIM is properly configured. Free scan in 10 seconds.