DKIM (DomainKeys Identified Mail) signs your outgoing emails with a private key so receiving servers can check, against the public key you publish in DNS, that the signed headers and body haven't been tampered with in transit. But how do you know it's actually working?
There are two ways to verify DKIM: check that the public key is published correctly in DNS, and send a test email and read the verdict the receiving server records in its Authentication-Results header.
Your DKIM public key is published as a DNS TXT record at {selector}._domainkey.yourdomain.com. You can check it's published correctly using command line tools.
```shell
dig +short TXT selector._domainkey.example.com
```
A successful response shows your DKIM record (a 2048-bit key is printed as two quoted strings on one line, because it has to be split; see below):
```text
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
```
The same lookup with host:
```shell
host -t TXT selector._domainkey.example.com
```
If your DKIM is set up using a CNAME (pointing to your email provider), first check the CNAME resolves:
```shell
dig +short CNAME selector._domainkey.example.com
```
Then verify it resolves to a TXT record:
```shell
dig +short TXT selector._domainkey.example.com
```
dig follows the CNAME automatically: the first line of output is the CNAME target, and the line after it is the TXT record published at that target.
| Problem | Cause | Solution |
|---|---|---|
| No record returned | DNS not published or still propagating | Wait for propagation (up to 48 hours) or check the record was added at the right name |
| NXDOMAIN | The name does not exist | Verify the selector and domain are correct |
| Truncated key | 2048-bit key not split correctly | Split the key into multiple quoted strings of at most 255 characters each, all in one record |
| SERVFAIL | DNS server error | Check your DNS provider's status |
| Intermittent failures | Split key published as separate records, returned in varying order | See Verifying Split Records below |
A 2048-bit DKIM record is too long for one string: each character-string in a TXT record holds at most 255 bytes, so the record is published as several quoted strings that the verifier concatenates. When split correctly, it is a single TXT record that looks like:
```text
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhki..." "...rest_of_key..."
```
However, some DNS providers store each piece as a separate TXT record rather than as one record with several strings. The records in a DNS answer have no defined order, so resolvers return them in varying order and the verifier reassembles the key differently from one lookup to the next. The signature verifies sometimes and fails other times, depending on which order the records came back in.
To check whether your split record is being returned correctly:
```shell
dig +short TXT selector._domainkey.example.com
```
dig prints each TXT record on its own line, with its strings quoted and in the order the server returned them; the verifier joins the strings of one record into one key. You should see a single line. If you see several lines, or the strings look out of order, check that:
- v=DKIM1 is at the start
- p= is followed by the key (starting with MII...) and the key runs on without a break into the next string
If you're experiencing intermittent DKIM failures with a split record, consider:
While 1024-bit keys don't need splitting, we strongly recommend sticking with 2048-bit keys. 1024-bit keys are no longer considered secure - they can potentially be cracked with modern computing power, and major email providers like Google and Microsoft recommend 2048-bit as the minimum. The DNS complexity is worth the security.
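The checks above (reassemble the strings dig prints, confirm v=DKIM1 and a complete p=, tell a single record from two separate ones) can be scripted. The following is an added example, not code from this page or from CloudMailin. It parses `dig +short TXT` output offline: the sample answers for selector._domainkey.example.com are constructed from a deterministic stand-in key that has the shape and size of a real RSA public key but is not a usable key, and the helper names (check_record, parse_dig_txt, fake_rsa_spki and so on) are this example's own. It also covers the key-length check from the troubleshooting section further down: instead of counting characters it decodes p= and reads the RSA modulus size out of the DER structure.

```python
"""Reassemble and sanity-check a DKIM TXT record from `dig +short TXT` output (added example)."""
import base64
import binascii
import hashlib
import re

def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    ln = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def _der_int(n: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a high-bit modulus positive."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def _tlv(buf: bytes, pos: int = 0):
    """Read one TLV at pos -> (tag, content, next_pos); raises if the buffer is truncated."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long form: next ln&0x7F bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("DER structure is truncated")
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(spki: bytes) -> int:
    """Modulus size of the RSA key in a DER SubjectPublicKeyInfo (what p= carries)."""
    _, seq, _ = _tlv(spki)                          # SubjectPublicKeyInfo ::= SEQUENCE { alg, key }
    _, _, pos = _tlv(seq)                           # AlgorithmIdentifier, skipped
    tag, bitstr, _ = _tlv(seq, pos)                 # subjectPublicKey BIT STRING (first byte: unused bits)
    _, rsa, _ = _tlv(bitstr[1:])                    # RSAPublicKey ::= SEQUENCE { n, e }
    tag2, modulus, _ = _tlv(rsa)
    if tag != 0x03 or tag2 != 0x02:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(modulus, "big").bit_length()

def fake_rsa_spki(bits: int) -> bytes:
    """Deterministic stand-in with the shape and size of a real key (constructed, not usable)."""
    stream = b""
    while len(stream) < bits // 8:
        stream += hashlib.sha256(stream).digest()
    n = int.from_bytes(stream[:bits // 8], "big") | (1 << (bits - 1)) | 1
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")   # rsaEncryption, NULL
    key = _der(0x30, _der_int(n) + _der_int(65537))
    return _der(0x30, alg + _der(0x03, b"\x00" + key))

_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_dig_txt(output: str) -> list:
    """One reassembled record per TXT RR. dig prints each RR on its own line as quoted
    strings, which a verifier concatenates in order; unquoted lines (a CNAME target) are skipped."""
    records = []
    for line in output.splitlines():
        if line.startswith('"'):
            records.append("".join(p.replace('\\"', '"').replace("\\\\", "\\")
                                   for p in _STRING.findall(line)))
    return records

def parse_tags(record: str) -> dict:
    """'tag=value; tag=value' -> dict; whitespace inside a value is folding and is dropped."""
    return {k.strip(): re.sub(r"\s+", "", v)
            for k, v in (f.split("=", 1) for f in record.split(";") if "=" in f)}

def check_record(dig_output: str) -> dict:
    """What a verifier would conclude from this DNS answer."""
    records = parse_dig_txt(dig_output)
    result = {"records": len(records), "modulus_bits": None, "problems": []}
    if not records:
        result["problems"].append("no TXT record returned (unpublished, wrong selector, or still propagating)")
        return result
    if len(records) > 1:
        result["problems"].append("more than one TXT record: a key split across separate records is "
                                  "reassembled in whatever order the resolver returns them")
    tags = parse_tags(records[0])
    if tags.get("v") != "DKIM1":
        result["problems"].append("record does not start with v=DKIM1")
    if not tags.get("p"):
        result["problems"].append("p= is missing or empty (empty p= means the key is revoked)")
        return result
    try:
        result["modulus_bits"] = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (binascii.Error, ValueError, IndexError):
        result["problems"].append("p= is not a complete base64 RSA public key (truncated or mis-split)")
        return result
    if result["modulus_bits"] < 2048:
        result["problems"].append("key is %d bits; 2048 is the recommended minimum" % result["modulus_bits"])
    return result

# Constructed sample answers for selector._domainkey.example.com (not captured from real DNS).
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(2048)).decode()
SAMPLE_CHUNKS = [SAMPLE_RECORD[i:i + 255] for i in range(0, len(SAMPLE_RECORD), 255)]
SAMPLE_OK = " ".join('"%s"' % c for c in SAMPLE_CHUNKS) + "\n"                  # one RR, two strings, in order
SAMPLE_TRUNCATED = '"%s"\n' % SAMPLE_CHUNKS[0]                                   # only the first string was published
SAMPLE_TWO_RRS = "\n".join('"%s"' % c for c in reversed(SAMPLE_CHUNKS)) + "\n"  # two separate RRs, tail returned first
SAMPLE_1024 = '"v=DKIM1; k=rsa; p=%s"\n' % base64.b64encode(fake_rsa_spki(1024)).decode()  # fits in one string
```

Run dig and pass its output to check_record; the problems list is what a verifier would stumble on. The two-record sample is the intermittent case: which chunk comes first depends on the resolver, so the same zone passes on one lookup and fails on the next, which is exactly the symptom described above.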
The best way to verify DKIM is working end-to-end is to send a test email and inspect the Authentication-Results header added by the receiving server.
Gmail: open the message, choose "Show original" from its menu, and look for the Authentication-Results header near the top.
Outlook: open the message and choose "View message source".
Apple Mail: View > Message > All Headers.
Command line (for raw email files), printing the continuation lines too, since the header is usually folded across several lines:
```shell
grep -i -A3 "authentication-results" email.eml
```
A successful DKIM verification looks like this:
```text
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=selector1 header.b=abc123;
       spf=pass smtp.mailfrom=example.com;
       dmarc=pass header.from=example.com
```
The key fields are:
| Field | Description |
|---|---|
| dkim=pass | The DKIM signature was verified successfully |
| header.i=@example.com | The signing identity: the signature's i= tag, or @ plus the d= domain when no i= was given |
| header.s=selector1 | The DKIM selector used |
| header.b=abc123 | The first characters of the signature's b= tag, so the result can be matched to a specific DKIM-Signature header when a message carries several |
| Result | Meaning |
|---|---|
| dkim=pass | Signature verified successfully |
| dkim=fail | Signature verification failed |
| dkim=none | No DKIM signature present |
| dkim=neutral | A signature was present but could not be processed (for example, it contained syntax errors) |
| dkim=temperror | Temporary DNS error fetching the public key |
| dkim=permerror | Permanent error (malformed record, missing key, or a required tag missing from the signature) |
If you see dkim=fail in the Authentication-Results header, first check that the public key is published:
```shell
dig +short TXT selector._domainkey.example.com
```
Verify it returns a valid DKIM record starting with v=DKIM1.
Next, the selector in the email's DKIM-Signature header must match your DNS record. Check the email headers for:
```text
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; ...
```
The s= value is your selector and d= is the signing domain; the record the verifier fetched is s._domainkey.d, so query exactly that name.
DKIM signatures cover the headers listed in the signature's h= tag and the body (through the body hash in bh=). If anything covered is modified after signing, verification fails. Common causes are mailing lists that add a footer or a subject tag, and gateways that rewrite links or re-encode the body in transit.
If you recently added or changed your DKIM record, DNS propagation can take up to 48 hours. Most updates are visible within minutes, but some DNS resolvers cache aggressively.
Some older DNS management interfaces and verifiers don't handle 2048-bit keys, which have to be split across strings. If you're having issues, check whether your key is 1024-bit or 2048-bit:
```shell
dig +short TXT selector._domainkey.example.com | wc -c
```
A 1024-bit record is about 230 characters and fits in one string; a 2048-bit record is about 410 characters and must be split (wc -c also counts the quotes and spaces dig prints). You can also tell from the start of the p= value: a 2048-bit RSA key begins with MIIBIjAN, a 1024-bit key with MIGfMA0G.
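Reading the verdict out of a test message can be scripted as well. The following is an added example, not code from this page or from CloudMailin: it parses the Authentication-Results header and the message's DKIM-Signature with Python's standard library, reports the dkim= result with its header.s and header.i properties, checks that they match the signature's s= and d= tags, and returns the exact DNS name to dig if they don't. The message below is constructed; the b= and bh= values are placeholders, mx.google.com stands for whichever server received your test, and the function names are this example's own. One caveat the code enforces: a sender can add an Authentication-Results header of its own, so only the stanza carrying your receiving server's authserv-id is trusted.

```python
"""Read the DKIM verdict from a received test message and cross-check it against the
message's own DKIM-Signature (added example; the message below is constructed)."""
import email
import re

# Constructed sample of a test message as shown by the receiver's raw / "show original" view.
# mx.google.com stands for whatever server received the test; the signature (b=) and body
# hash (bh=) values are placeholders, not a real signature.
SAMPLE_EML = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=selector1 header.b=abc123;
       spf=pass smtp.mailfrom=example.com;
       dmarc=pass header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;
 h=from:to:subject:date; bh=cGxhY2Vob2xkZXJib2R5aGFzaA==; b=abc123placeholder
From: sender@example.com
To: test@gmail.com
Subject: DKIM test
Date: Mon, 01 Jan 2024 00:00:00 +0000

DKIM test body
"""

def parse_tag_list(value: str) -> dict:
    """DKIM-Signature 'tag=value; ...' -> dict; folding whitespace inside values is dropped."""
    return {k.strip(): re.sub(r"\s+", "", v)
            for k, v in (f.split("=", 1) for f in value.split(";") if "=" in f)}

def parse_authentication_results(value: str):
    """Split an Authentication-Results value into (authserv-id, [stanzas]), one stanza per
    method: {"method", "result", "props"}. Parenthesised comments such as '(2048-bit key)'
    are discarded first so they cannot be mistaken for properties."""
    value = re.sub(r"\s+", " ", re.sub(r"\([^)]*\)", "", value)).strip()
    parts = [p.strip() for p in value.split(";") if p.strip()]
    stanzas = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        stanzas.append({"method": method, "result": result, "props": props})
    return (parts[0] if parts else ""), stanzas

def dkim_verdict(raw_message: str, my_authserv_id: str) -> dict:
    """The dkim= result your receiving server recorded, whether the selector and domain it
    reports match the DKIM-Signature, and the DNS name to query if verification failed."""
    msg = email.message_from_string(raw_message)
    sig = parse_tag_list(msg.get("DKIM-Signature", ""))
    d, s = sig.get("d"), sig.get("s")
    verdict = {"result": "none", "selector_matches": False, "domain_matches": False,
               "dns_name": "%s._domainkey.%s" % (s, d) if s and d else None}
    for header in msg.get_all("Authentication-Results", []):
        authserv, stanzas = parse_authentication_results(header)
        if authserv != my_authserv_id:
            continue  # a sender can add its own Authentication-Results header; trust only the one your MX wrote
        for st in stanzas:
            if st["method"] == "dkim":
                props = st["props"]
                verdict["result"] = st["result"]
                verdict["selector_matches"] = props.get("header.s") == s
                # header.i is the signing identity (the i= tag, or "@"+d= when i= is absent);
                # its domain part must be d= itself or a subdomain of it
                dom = props.get("header.i", "").rpartition("@")[2]
                verdict["domain_matches"] = bool(d) and (dom == d or dom.endswith("." + d))
                return verdict
    return verdict
```

Save the raw message from your mail client's header view and call dkim_verdict on it with the authserv-id of the server that received the test. If the result is not pass, dns_name is the record to dig, and selector_matches tells you whether the verifier even looked at the selector you think you published.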
Several tools can help verify your DKIM setup. CloudMailin's Deliverability Tester checks DKIM, SPF, and DMARC; contact us if you'd like access.
Setting up and maintaining DKIM can be complex, especially with 2048-bit keys that need splitting for DNS.
CloudMailin automatically generates and manages DKIM keys for your sending domains. Just add a single CNAME record and we handle the rest - including key rotation and DNS hosting.