Suped detects the following DKIM-related issues on your domains and sources.
Missing DKIM record
Issue code: dkimMissing
What it means: No DKIM public key record was found for this source's selector. Emails from this source aren't being DKIM-signed.
Why it matters: Without DKIM, there's no cryptographic proof that the email came from your domain and wasn't tampered with in transit. If SPF also fails or isn't aligned, DMARC will fail.
How to fix it: Configure DKIM signing in your email provider's settings. Most providers will give you a CNAME or TXT record to add to your DNS. The specific steps depend on your provider and are shown in the issue details.
Invalid DKIM record
Issue code: dkimInvalid
What it means: The DKIM public key record exists but is malformed and can't be parsed.
Why it matters: A malformed public key record means receivers can't verify DKIM signatures, so DKIM will fail for all emails from this source.
How to fix it: Regenerate the DKIM key pair in your email provider's settings and update the DNS record with the new public key.
Multiple DKIM records
Issue code: dkimMultiple
What it means: More than one DKIM record was found at the same selector.
Why it matters: Receivers may not know which record to use for verification, which can cause DKIM failures.
How to fix it: Remove the duplicate records and keep only one valid DKIM public key at the selector.
No aligned DKIM signature
Issue code: dkimNoAlignedSignature
What it means: The email has a DKIM signature, but the signing domain (the d= tag in the signature) doesn't match the From header domain.
Why it matters: DMARC requires the DKIM signing domain to align with the From domain. Even though DKIM passes technically, the lack of alignment means it can't satisfy DMARC.
How to fix it: Configure your email provider to sign emails with your domain rather than theirs. Most providers support custom DKIM signing domains - look for a "DKIM authentication" or "email authentication" setting in your provider's admin panel.
Signature hash mismatch
Issue code: dkimSignatureHashMismatch
What it means: The DKIM signature fails verification despite a valid public key record. The hash of the email body doesn't match the hash in the signature.
Why it matters: This means the email content was modified after it was signed. DKIM will fail for affected messages.
How to fix it: This usually happens when an intermediary - such as a mailing list, email gateway, or forwarding service - modifies the email body or headers after signing. Check if any system between the sender and the receiver is altering your emails.
Weak hash algorithm
Issue code: dkimWeakHashAlgorithm
What it means: Your DKIM configuration is using SHA-1 (rsa-sha1) instead of SHA-256 (rsa-sha256).
Why it matters: SHA-1 is deprecated and considered cryptographically weak. Some receivers may reject DKIM signatures that use SHA-1, and this will become more common over time.
How to fix it: Update your DKIM configuration to use rsa-sha256. This typically requires regenerating your DKIM keys in your email provider's settings.
Testing mode enabled
Issue code: dkimTestingMode
What it means: Your DKIM record includes the t=y flag, which indicates the domain is testing DKIM.
Why it matters: When the testing flag is set, receivers may not enforce DKIM failures. This means you're not getting the full security benefit of DKIM.
How to fix it: Once you've confirmed that DKIM signing is working correctly and signatures are passing, remove the t=y flag from your DKIM DNS record.
Bad encryption algorithm
Issue code: dkimBadEncryptionAlgorithm
What it means: The DKIM key uses a non-standard or unsupported encryption algorithm.
Why it matters: Receivers may not be able to verify signatures made with non-standard algorithms, causing DKIM to fail.
How to fix it: Use RSA with a 2048-bit key, which is the industry standard. Regenerate your DKIM keys through your email provider if needed.
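The record-level and signature-level checks described above can be sketched in a few functions. This is an added example, not Suped's detection code: the function names, the mapping of each condition to an issue code, and the sample values are assumptions made for illustration, and the alignment test is a simplified stand-in for DMARC's organizational-domain comparison.

```python
import base64

def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            name, sep, val = part.partition("=")
            if not sep:
                raise ValueError(f"tag without '=': {part!r}")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def check_key_records(txt_records):
    """Issue codes for the TXT records at <selector>._domainkey.<domain> (assumed mapping)."""
    if not txt_records:
        return ["dkimMissing"]
    if len(txt_records) > 1:
        return ["dkimMultiple"]
    try:
        tags = parse_tags(txt_records[0])
        # A missing or empty p= (empty means revoked) is reported as invalid here.
        if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
            raise ValueError("bad version or no public key")
        base64.b64decode(tags["p"], validate=True)  # raises on non-base64 data
    except ValueError:
        return ["dkimInvalid"]
    issues = []
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):  # RFC 6376 and RFC 8463 key types
        issues.append("dkimBadEncryptionAlgorithm")
    if "y" in tags.get("t", "").split(":"):  # t= is a colon-separated flag list
        issues.append("dkimTestingMode")
    return issues

def check_signature(dkim_signature, from_domain):
    """Issue codes for one DKIM-Signature header value (assumed mapping)."""
    tags = parse_tags(dkim_signature)
    issues = []
    if tags.get("a", "").endswith("-sha1"):
        issues.append("dkimWeakHashAlgorithm")
    d, f = tags.get("d", "").lower(), from_domain.lower()
    # Simplification: aligned if equal or parent/child. Real relaxed alignment
    # compares organizational domains using the Public Suffix List.
    if not (d == f or f.endswith("." + d) or d.endswith("." + f)):
        issues.append("dkimNoAlignedSignature")
    return issues

# Constructed samples: the p= value is placeholder base64, not a real key.
SAMPLE_KEY = "v=DKIM1; k=rsa; t=y; p=QUJDREVGR0g="
SAMPLE_SIG = "v=1; a=rsa-sha1; d=mailer.example.net; s=s1"
```

With the constructed samples, `check_key_records([SAMPLE_KEY])` reports the testing flag, and `check_signature(SAMPLE_SIG, "example.com")` reports both the SHA-1 algorithm and the unaligned signing domain.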