DKIM Setup Guide: Selectors, DNS Records, and Common Failures

DomainKeys Identified Mail (DKIM) adds a cryptographic signature to every outbound message. Receiving servers verify that signature against a public key published in your DNS. Without DKIM—or with a broken key—authentication stacks fail and inbox placement suffers.

Where DKIM lives in DNS

DKIM is a TXT record at:

{selector}._domainkey.{yourdomain.com}

Example for Google Workspace:

google._domainkey.example.com

The record contains a public key, typically starting with v=DKIM1 and a p= value.

Finding your DKIM selector

Every ESP uses its own selector name:

If you do not know the selector, FeedPipeline’s email checker tries common selectors automatically—or enter yours in the optional field on the DNS checker.

What a valid DKIM record looks like

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Key parts:

• v=DKIM1 — version
• k=rsa — key type (most common)
• p= — base64 public key (must be present and non-empty)

A record with p= removed or truncated will fail verification.

Common DKIM failures

Key rotation without DNS update

When your ESP rotates signing keys, you must publish the new TXT record before removing the old one. Overlap both keys during transition.

Signing domain misalignment

DKIM can pass while still failing alignment for DMARC if the signing domain (d= in the signature) does not match your From domain. Check alignment requirements in your ESP settings.

Multiple selectors, one missing

Large setups often use several selectors (marketing vs transactional). Audit all active sending streams—not just your primary mailbox.

DKIM + SPF + DMARC together

DKIM alone does not replace SPF. Run all three checks before scaling cold outreach.

Verify DKIM in seconds

Use the free domain checker to scan apex TXT, probe DKIM selectors, and review SPF/DMARC in one pass—no account required.