Suped

Summary

DKIM failures are multifaceted, stemming from DNS misconfigurations (more than one TXT record at the same selector name, incorrect syntax, propagation delays), content modifications in transit, incorrect DKIM key setup, or the public key not being published in DNS. To set up DKIM for a subdomain, generate a separate key pair, publish the public key as a TXT record at selector._domainkey.<subdomain>, and sign outgoing mail from that subdomain with d=<subdomain> and that selector. Keys must be at least 1024 bits; RFC 8301 forbids shorter keys and recommends 2048 bits. Selectors are underused but make key rotation and per-source keys possible. Tools like MXToolbox can aid in troubleshooting, and the Authentication-Results header of a received message confirms a successful setup. Per-subdomain DKIM keys isolate reputation, and following RFC 6376 is essential.

Key findings

  • DNS Issues: Incorrect DNS configuration (two TXT records at the same selector name, syntax errors, propagation delays) is a common cause of DKIM failure.
  • Subdomain Setup: DKIM for subdomains needs a separate key, proper DNS record (with selector), and signing of emails with the key.
  • Selectors Are Key: DKIM selectors manage multiple keys, helping with rotation and source identification, often underused.
  • Content Modification: Email content changes during transit break DKIM signatures.
  • Key Strength: DKIM keys must be at least 1024 bits to validate; RFC 8301 recommends 2048 bits.
  • Key Published to DNS: The public key must be published in DNS at selector._domainkey.<signing domain> before signed mail is sent; an unpublished key fails verification.

Key considerations

  • Check DNS: Verify DNS records and propagation before troubleshooting more complex issues.
  • Tool Utilization: Leverage tools like MXToolbox to look up the published record and diagnose DKIM problems.
  • Subdomain Isolation: Using separate DKIM keys per subdomain isolates reputation, aiding in troubleshooting.
  • Message Integrity: Protect email content from modifications during transit to maintain signature validity.
  • Key Management: Use selectors to manage multiple DKIM keys for rotation or different sending sources.
  • Review Headers: Review the Authentication-Results header of a received message for dkim=pass and confirm that the d= and s= values in the DKIM-Signature header are the subdomain and selector you intended.

What email marketers say

12 marketer opinions

DKIM failures often stem from DNS configuration issues such as multiple TXT records at the same selector name, incorrect syntax, or DNS propagation delays. Proper setup for a subdomain involves generating a new DKIM key pair, adding the corresponding DNS record under the subdomain, and ensuring mail from the subdomain is signed with that key. Selectors play a vital role in managing multiple DKIM keys, and tools like MXToolbox can help diagnose problems. Content modification during transit and exceeding the 255-octet limit of a single TXT string are other potential causes of failure. For best results, use unique selectors for subdomains and strong DKIM keys, and check the Authentication-Results header of a received message to confirm that DKIM passes.

Key opinions

  • DNS Configuration: Incorrect DNS settings, including multiple TXT records or syntax errors, are a common cause of DKIM failure.
  • Subdomain Setup: Setting up DKIM for a subdomain requires generating a new DKIM key and adding the appropriate DNS record for that subdomain.
  • Selectors Importance: DKIM selectors enable the use of multiple DKIM keys and are vital for proper configuration, especially for subdomains.
  • Email Modification: Content changes during email transit can invalidate DKIM signatures, leading to failures.
  • Record Lookup Tool: The MXToolbox DKIM record lookup tool lets you confirm quickly what is actually published at selector._domainkey.<domain>, so the fix can be targeted.

Key considerations

  • DNS Propagation: Account for DNS propagation delays when implementing or modifying DKIM records.
  • TXT Record Limits: A single TXT character-string holds at most 255 octets; the p= value of a 2048-bit key is longer than that, so publish it as several quoted strings within one record, which verifiers concatenate in order.
  • Header Verification: Verify DKIM setup by checking the Authentication-Results header of a received message for dkim=pass or dkim=fail; Gmail's "Show original" view displays it.
  • Content Integrity: Ensure all intermediate email servers preserve original message content to avoid DKIM failures.
  • Strong DKIM Keys: Use strong DKIM keys, at least 1024 bits, to ensure emails pass DKIM authentication.

Marketer view

Email marketer from Reddit explains that common issues can include incorrect DNS record syntax, key size mismatches, or the selector not matching what's configured in the sending server.

20 Apr 2024 - Reddit

Marketer view

Marketer from Email Geeks advises that google._domainkey.mail.astorik.com should not interfere with google._domainkey.astorik.com, and to be careful with the subdomain part.

20 Jan 2023 - Email Geeks

What the experts say

3 expert opinions

DKIM failures can occur when the signature no longer matches the message content, usually because an intermediate mail server altered the message after it was signed, or intermittently because of network or DNS problems. A separate DKIM key per subdomain is beneficial because it isolates each subdomain's reputation, so a failure on one does not affect the others. The practice to follow is to sign outgoing mail with the selector whose public key is published under the signing domain (d=) named in the signature.

Key opinions

  • Content Modification: Email content modifications by intermediate mail servers can cause DKIM signature mismatches and failures.
  • Isolated Subdomain Reputation: Using separate DKIM keys for subdomains isolates their reputation, preventing failures in one from affecting others.
  • DKIM Key: Setting up DKIM on a subdomain means publishing the public key at selector._domainkey.mail.astorik.com and signing that subdomain's mail with d=mail.astorik.com and the same selector.

Key considerations

  • Server Integrity: Ensure that all mail servers in the email's path maintain the integrity of the message to prevent DKIM failures.
  • Network Issues: Consider network or DNS issues as a potential cause for intermittent DKIM failures.
  • Subdomain Strategy: Implement separate DKIM keys for subdomains to isolate reputation and simplify troubleshooting.
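The content-modification failure mode above (and the "Content Integrity" and "Header Verification" considerations in the marketer section) can be reproduced offline. The following is an added example, not code from this page, from Suped, or from any of the quoted sources: it canonicalizes a message body the way RFC 6376 describes, recomputes the bh= body hash a verifier would compare against the DKIM-Signature header, and shows that a footer appended in transit breaks it while trailing blank lines do not. The message, the mail.astorik.com/google domain and selector, and the Authentication-Results line are constructed for the example; the b= value is a placeholder because the RSA signature over the headers is not needed to show the body-hash failure.

```python
"""Why a modified body fails DKIM: recompute the bh= body hash as a verifier
does (RFC 6376 section 3.4) and compare it with the DKIM-Signature header;
also read the receiver's Authentication-Results verdict.  Stdlib only; the
message below is constructed for this example."""
import base64
import hashlib
import re
from typing import Optional


def canon_body(body: bytes, mode: str = "simple") -> bytes:
    """Body canonicalization. 'simple' only drops trailing empty lines;
    'relaxed' also trims trailing whitespace and collapses runs of SP/TAB,
    which is why relaxed survives whitespace-rewriting gateways that simple does not."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str) -> str:
    """bh= value for a=rsa-sha256: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def parse_tags(value: str) -> dict:
    """DKIM-Signature tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            k, _, v = part.partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def build_signed_message(body: bytes, d: str = "mail.astorik.com", s: str = "google",
                         c: str = "relaxed/simple") -> bytes:
    """CONSTRUCTED sender side: real bh=, placeholder b= (hypothetical sample)."""
    _, _, body_mode = c.partition("/")          # 'relaxed' alone means simple body
    sig = (f"v=1; a=rsa-sha256; c={c}; d={d}; s={s}; h=from:to:subject; "
           f"bh={body_hash(body, body_mode or 'simple')}; b=PLACEHOLDER")
    head = (f"From: news@{d}\r\nTo: someone@example.net\r\n"
            f"Subject: body hash demo\r\nDKIM-Signature: {sig}\r\n")
    return head.encode() + b"\r\n" + body


def get_header(head: bytes, name: str) -> Optional[str]:
    """Unfolded value of the first header called `name`, or None."""
    for line in re.sub(rb"\r\n[ \t]+", b" ", head).split(b"\r\n"):
        k, _, v = line.partition(b":")
        if k.strip().lower() == name.lower().encode():
            return v.strip().decode()
    return None


def check_body_hash(raw: bytes) -> dict:
    """Verifier side: recompute bh= over the body as received and compare."""
    head, _, body = raw.partition(b"\r\n\r\n")
    sig = parse_tags(get_header(head, "DKIM-Signature") or "")
    _, _, body_mode = sig.get("c", "simple/simple").partition("/")
    computed = body_hash(body, body_mode or "simple")
    return {"d": sig.get("d"), "s": sig.get("s"),
            "dns_name": f"{sig.get('s')}._domainkey.{sig.get('d')}",  # key the verifier fetches
            "expected_bh": sig.get("bh"), "computed_bh": computed,
            "body_intact": computed == sig.get("bh")}


def auth_results_dkim(value: str) -> dict:
    """dkim= verdict plus header.* properties from an Authentication-Results
    value (RFC 8601), the line Gmail's 'Show original' reports."""
    m = re.search(r"dkim=(\w+)((?:\s+header\.\w+=\S+)*)", value)
    if not m:
        return {"result": None}
    return {"result": m.group(1), **dict(re.findall(r"header\.(\w+)=([^\s;]+)", m.group(2)))}


if __name__ == "__main__":
    msg = build_signed_message(b"Hello,\r\n\r\nThis is the newsletter.\r\n")
    print(check_body_hash(msg)["body_intact"])                                      # True
    print(check_body_hash(msg + b"-- \r\nScanned by gateway\r\n")["body_intact"])  # False
```

The footer case is exactly what a mailing list, signature-appending gateway or "scanned by" banner does between signing and receipt; the relaxed/simple difference explains why a signer using c=simple/simple can fail on whitespace changes that a relaxed signer tolerates. The dns_name field is the record the verifier looks up, so comparing it with what MXToolbox shows for the subdomain is the quickest way to catch a selector or d= mismatch.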

Expert view

Expert from Word to the Wise, Laura Atkins responds that setting up separate DKIM keys for subdomains is beneficial for isolating reputation and troubleshooting deliverability issues. A failure on one subdomain will not affect the reputation of your other emails and domains.

1 Feb 2024 - Word to the Wise

Expert view

Expert from Spam Resource explains that DKIM failures can happen if the signature doesn't match the header or body of the message. Usually this is caused because some other mailserver modified the message between signing and receipt. If the failure is intermittent, a temporary network or DNS issue is the most likely reason.

3 May 2023 - Spam Resource

What the documentation says

4 technical articles

DKIM failures can occur due to several factors including unpublished DKIM keys, incorrect DNS records, message alterations during transit, and insufficient key lengths. The DKIM record must be a TXT record with a correctly formatted name including the selector (e.g., `selector._domainkey.subdomain.example.com`). Ensure keys meet minimum length requirements (at least 1024 bits) and adhere to RFC 6376 specifications.

Key findings

  • Common Failure Points: DKIM failures commonly arise from unpublished keys, incorrect DNS configurations, or message alterations.
  • DNS Record Format: The DKIM record should be a TXT record named with the proper selector and domain (e.g., `selector._domainkey.example.com`).
  • Key Length Requirement: DKIM keys must be at least 1024 bits; RFC 8301 forbids verifiers from accepting shorter keys and recommends 2048 bits.
  • RFC Compliance: Adherence to RFC 6376 is critical for the correct format and interpretation of DKIM keys and records.

Key considerations

  • Publish DKIM Keys: Always ensure that DKIM keys are correctly published to the DNS.
  • DNS Record Accuracy: Verify the accuracy and format of DKIM DNS records.
  • Message Integrity: Implement measures to prevent message alteration during transit.
  • Key Strength: Use strong DKIM keys that meet or exceed minimum length requirements.
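The record-format, key-length and TXT-string points above (and the subdomain selector naming discussed earlier on the page) can be checked with a short script. This is an added example, not code from this page, from Suped, or from Microsoft or the RFC Editor: stdlib-only Python that builds the selector._domainkey.<domain> name a verifier queries, joins the 255-octet TXT strings, parses the v=/k=/p= tags per RFC 6376, and measures the RSA modulus in p= against the 1024-bit floor. The sample records are constructed from a synthetic modulus (correct DER SubjectPublicKeyInfo layout, not a usable key) so it runs offline; the google selector and mail.astorik.com domain are the page's own illustration.

```python
"""Checks on a published DKIM record: the DNS name verifiers query, the
multi-string TXT join, the tag list (RFC 6376 section 3.6.1) and the RSA
key size.  Stdlib only; sample records are built from a synthetic modulus."""
import base64
import re

MIN_RSA_BITS = 1024  # floor set by RFC 8301 and enforced by Microsoft 365 verifiers


def dkim_record_name(selector: str, domain: str) -> str:
    """<selector>._domainkey.<signing domain>.  The signing domain is the d=
    value, so a subdomain signer publishes under the subdomain itself."""
    return f"{selector}._domainkey.{domain}"


def join_txt_strings(strings) -> str:
    """TXT RDATA is a list of <=255-octet character-strings; verifiers
    concatenate them in order with no separator before parsing."""
    return "".join(s.decode() if isinstance(s, bytes) else s for s in strings)


def parse_dkim_tags(record: str) -> dict:
    """'v=DKIM1; k=rsa; p=...' -> dict; whitespace inside values is dropped."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def _der_read(buf: bytes, pos: int):
    """One DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Modulus size from a SubjectPublicKeyInfo (the DER that p= carries):
    SEQ { SEQ algid, BIT STRING { SEQ { INTEGER n, INTEGER e } } }."""
    tag, spki, _ = _der_read(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_alg = _der_read(spki, 0)           # skip AlgorithmIdentifier
    _, bitstr, _ = _der_read(spki, after_alg)
    _, rsakey, _ = _der_read(bitstr[1:], 0)        # bitstr[0] is the unused-bits octet
    _, modulus, _ = _der_read(rsakey, 0)
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(strings) -> dict:
    """Findings for one record as returned by a TXT lookup."""
    tags = parse_dkim_tags(join_txt_strings(strings))
    problems, bits = [], None
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= present but not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type {tags.get('k')}")
    if not tags.get("p"):
        problems.append("empty or missing p= (key revoked or not published)")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except (ValueError, IndexError):
            problems.append("p= is not base64 DER SubjectPublicKeyInfo")
        else:
            if bits < MIN_RSA_BITS:
                problems.append(f"{bits}-bit key is below the {MIN_RSA_BITS}-bit minimum")
    return {"tags": tags, "bits": bits, "problems": problems}


# --- constructed sample data: correct DER layout, NOT a usable RSA key ----------
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption, NULL params


def _der(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep the INTEGER positive


def synthetic_spki(bits: int) -> bytes:
    n = (1 << (bits - 1)) | 1       # exact bit length, odd; not a product of primes
    rsakey = _der(0x30, _der_int(n) + _der_int(65537))
    return _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsakey))


def sample_record(bits: int):
    """Record split into the <=255-octet strings a zone would hold."""
    record = f"v=DKIM1; k=rsa; p={base64.b64encode(synthetic_spki(bits)).decode()}"
    return [record[i:i + 255].encode() for i in range(0, len(record), 255)]


if __name__ == "__main__":
    print(dkim_record_name("google", "mail.astorik.com"))   # google._domainkey.mail.astorik.com
    for bits in (512, 1024, 2048):
        print(bits, check_dkim_record(sample_record(bits))["problems"])
```

To run it against a live record, feed check_dkim_record the list of strings a TXT lookup returns for the name (dig shows them as separate quoted strings); a 2048-bit key always arrives as two strings, so a resolver or registrar that silently truncates the second one shows up here as "p= is not base64 DER", which is the symptom behind many "key published but DKIM fails" reports.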

Technical article

Documentation from Microsoft advises that if your DKIM keys do not meet the minimum key length requirements, DKIM validation will fail. Make sure you use strong DKIM keys of at least 1024 bits when you set up DKIM.

26 Nov 2023 - Microsoft

Technical article

Documentation from RFC Editor (RFC 6376) details the exact format specifications for DKIM keys and records, including the 'v', 'k', 'p', and 'h' tags and their meanings.

16 Nov 2023 - RFC Editor
