Why is DKIM failing and how do I set it up for a subdomain?
Michael Ko
Co-founder & CEO, Suped
Published 3 Jun 2025
Updated 16 Aug 2025
When your emails fail DKIM authentication, deliverability can suffer significantly: messages may be routed to spam folders or rejected outright by recipient servers. DKIM, or DomainKeys Identified Mail, acts as a digital signature that lets recipient mail servers verify that a message was signed with a key belonging to the domain it claims to come from and that the signed headers and body weren't altered in transit. It's a critical component of email authentication, alongside SPF and DMARC, that helps build trust and prevent spoofing.
Many businesses use subdomains for various purposes, such as marketing.yourdomain.com or newsletters.yourdomain.com. While convenient, setting up email authentication, especially DKIM, for these subdomains can introduce complexities. Often, issues arise when the DKIM record is either incorrectly configured for the subdomain, or it interferes with the primary domain's records. Understanding common causes of failure and the correct setup process for subdomains is essential to ensure your emails reliably reach their intended inboxes.
Several factors can cause DKIM authentication to fail, even when you believe everything is set up correctly. The most frequent culprit is an incorrect or missing DNS record. DKIM relies on a public key published in your domain's DNS as a TXT record. If this record contains typos, is incomplete, or hasn't propagated fully across the internet, recipient mail servers won't be able to retrieve the public key to verify the signature, and the DKIM check fails.
Another common cause is email content modification during transit. At the point of sending, DKIM computes a hash of the message body (the bh= tag) and signs that hash together with a selected set of headers. If any part of the email covered by the signature is altered, even slightly, the hash recalculated by the receiving server will not match the one in the DKIM-Signature header, and the check fails. This commonly happens with email forwarding services or mailing lists that modify message content.
Furthermore, misconfigurations with your sending service can lead to DKIM failures. For instance, if your email service provider isn't correctly signing your outgoing emails with the appropriate DKIM key, or if the selector in your DNS record doesn't match the selector used by your sending server, authentication will fail. Sometimes, even if DKIM is correctly set up for your domain, forwarded messages can fail DKIM due to how mail servers handle them, as noted in Google's documentation.
Typical DKIM record structure
A standard DKIM record is a TXT record published under a specific naming convention that includes a selector. The selector is a label that identifies which of your domain's DKIM public keys a given signature was made with, so a domain can publish more than one key at a time.
Unlike SPF, where a subdomain's record can often reuse the root domain's policy by referencing it, DKIM typically requires a unique record for each subdomain you send mail from. This is because the DKIM signature is tied to the specific domain (or subdomain) in the d= tag of the DKIM-Signature header, which must match the domain (or a parent domain) in the From address for DMARC alignment.
Setting up DKIM for a subdomain involves largely the same steps as for a primary domain, but with a crucial difference in the DNS record's hostname. You'll still need to generate a public/private key pair. Your email service provider will typically provide you with the public key, often presented as a TXT record to add to your DNS. The key is to ensure the hostname for this TXT record correctly reflects the subdomain you're authenticating.
For example, if your primary domain is yourdomain.com and your subdomain is mail.yourdomain.com, and your selector is selector1, the hostname for the DKIM record would be selector1._domainkey.mail.yourdomain.com. It's crucial not to confuse this with the primary domain's DKIM record, as having multiple TXT records for the same selector at the same domain level can cause conflicts and lead to DKIM failures.
Primary domain DKIM setup
Scope: Applies to emails sent directly from yourdomain.com.
Record name example: selector1._domainkey
DNS host: selector1._domainkey.yourdomain.com
Key ownership: Often managed by your primary mail server or ESP.
Subdomain DKIM setup
Scope: Applies to emails sent from mail.yourdomain.com or marketing.yourdomain.com.
Record name example: selector2._domainkey.mail
DNS host: selector2._domainkey.mail.yourdomain.com
Key ownership: Managed by the specific subdomain's sending service.
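As an added example (not code from the original article or from Suped), the following Python walks through the DNS side of a DKIM check the way a verifier does: it reads d= and s= from a constructed DKIM-Signature header, builds the selector1._domainkey.mail.yourdomain.com style name, flags the failure modes described above (no key, duplicate TXT records for one selector, a revoked key), and reports DMARC alignment against the From domain. The DNS answers come from a constructed in-memory stub rather than live lookups, and FAKE_DNS, check_dkim_record and the sample key values are assumptions made for the example.

```python
import re

# Constructed DNS stub standing in for a real lookup (dig / dnspython): name -> list of
# TXT records, each as the quoted strings the server returns (long keys are split into
# <=255-octet strings, which must be joined before the record is parsed).
FAKE_DNS = {
    "selector1._domainkey.mail.yourdomain.com": [
        ["v=DKIM1; k=rsa; ", "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexample"]],
    "selector1._domainkey.yourdomain.com": [          # two records for one selector
        ["v=DKIM1; k=rsa; p=AAAA"], ["v=DKIM1; k=rsa; p=BBBB"]],
    "selector2._domainkey.yourdomain.com": [["v=DKIM1; k=rsa; p="]],  # empty p= = revoked
}

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature header or DKIM TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # folding whitespace is not significant
    return tags

def dkim_dns_name(sig_tags):
    """The name a verifier queries: <selector>._domainkey.<signing domain>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"

def aligned(from_domain, signing_domain, strict=False):
    """DMARC DKIM alignment: strict needs an exact match; relaxed accepts a parent domain
    (approximated here by the last two labels; real verifiers use the Public Suffix List)."""
    f, d = from_domain.lower(), signing_domain.lower()
    return f == d if strict else f.split(".")[-2:] == d.split(".")[-2:]

def check_dkim_record(dkim_signature, from_domain, dns=FAKE_DNS):
    """Verdict for the key-lookup part of DKIM (no cryptographic verification here)."""
    sig = parse_tags(dkim_signature)
    for tag in ("d", "s", "bh", "b"):
        if tag not in sig:
            return f"fail (signature missing {tag}= tag)"
    records = dns.get(dkim_dns_name(sig), [])
    if not records:
        return "fail (no key for signature)"
    if len(records) > 1:
        return "fail (multiple TXT records for selector, result undefined)"
    rec = parse_tags("".join(records[0]))
    if rec.get("v", "DKIM1") != "DKIM1" or "p" not in rec:
        return "fail (no key for signature)"
    if rec["p"] == "":
        return "fail (key revoked)"
    if aligned(from_domain, sig["d"], strict=True):
        return "key ok, alignment=strict"
    return "key ok, alignment=relaxed" if aligned(from_domain, sig["d"]) else "key ok, alignment=none"

# Constructed DKIM-Signature header value, as a subdomain sender would emit it.
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.yourdomain.com; s=selector1; "
       "h=from:to:subject:date; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=dGVzdA==")
```

Replacing FAKE_DNS with real TXT lookups (for example `dig TXT selector1._domainkey.mail.yourdomain.com`) gives you the same checks against live DNS.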
Troubleshooting DKIM failures on subdomains
Troubleshooting DKIM failures, especially with subdomains, requires a systematic approach. Start by using an email deliverability tester to diagnose the issue. These tools can check if your DKIM record is correctly published and if the signature itself is valid.
One common problem is having multiple TXT records for the same DKIM selector on the same domain or subdomain. This can confuse recipient servers, leading to a dkim=fail result. Always ensure there's only one valid DKIM TXT record per selector per domain/subdomain. If you're seeing the DKIM body hash failing, this usually indicates message alteration during transit, such as a mailing list modifying the content, or an issue with your sending platform.
DMARC reports are invaluable for identifying DKIM failures. By analyzing DMARC aggregate and forensic reports, you can gain insights into why your emails are failing, which sources are sending unauthorized mail, and how different mailbox providers are processing your emails. This data helps you pinpoint misconfigurations and take corrective actions. For more comprehensive troubleshooting, consider reading about how to troubleshoot DKIM failures.
Error: dkim=fail (bad signature)
Possible cause: Email content or headers were modified after signing.
Solution: Check for intermediaries modifying emails. Ensure your sending service isn't altering content unexpectedly.

Error: dkim=fail (no key for signature)
Possible cause: The public key in DNS is missing, incorrect, or inaccessible.
Solution: Verify the DKIM TXT record, selector, and hostname in your DNS settings for the specific subdomain.

Error: dkim=fail (body hash mismatch)
Possible cause: The email body was changed after signing, causing the hash to differ.
Solution: Review email content for any automated additions (e.g., footers, tracking pixels) by forwarding services or email clients.

Error: dkim=neutral
Possible cause: A DKIM record exists, but the sender/domain is not strictly aligned with DMARC.
Solution: Ensure DMARC alignment is met. Sometimes this is fine if SPF passes.
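Added example, not from the original article: the body hash mismatch case in practice. The Python below implements the RFC 6376 simple and relaxed body canonicalizations, recomputes bh= over a body as received, and shows why trailing blank lines added by a relay are harmless while a mailing-list footer breaks the hash. The message body and footer are constructed for the example, and body_hash and verify_bh are names chosen here.

```python
import base64
import hashlib
import re

def canonicalize_body(body, mode="simple"):
    """RFC 6376 body canonicalization; returns the bytes the body hash is taken over."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs within a line and drop whitespace at line ends.
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()                 # both modes ignore empty lines at the end of the body
    if not lines:
        return b"\r\n" if mode == "simple" else b""   # empty body: one CRLF vs nothing
    return "".join(line + "\r\n" for line in lines).encode()

def body_hash(body, mode="simple", algorithm="sha256"):
    """The base64 digest a signer writes into bh= and a verifier recomputes."""
    digest = hashlib.new(algorithm, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def verify_bh(bh_from_signature, received_body, mode="relaxed"):
    """Recompute bh= over the body as received and compare it with the signed value."""
    actual = body_hash(received_body, mode)
    return "pass" if actual == bh_from_signature else "fail (body hash mismatch)"

# Constructed message body and a constructed mailing-list footer.
ORIGINAL_BODY = "Hello,\r\n\r\nYour invoice for May is attached.\r\n"
LIST_FOOTER = "--\r\nYou received this message via the customers list.\r\n"

if __name__ == "__main__":
    bh = body_hash(ORIGINAL_BODY, "relaxed")        # what the signer put into bh=
    # A relay that appends blank lines does not change the hash ...
    print(verify_bh(bh, ORIGINAL_BODY + "\r\n\r\n", "relaxed"))
    # ... but a list footer does, which is the "body hash mismatch" row above.
    print(verify_bh(bh, ORIGINAL_BODY + LIST_FOOTER, "relaxed"))
```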
Best practices for DKIM and subdomain email deliverability
To ensure robust email deliverability and authentication, especially when using subdomains, adherence to best practices is crucial. Firstly, always generate distinct DKIM keys for each subdomain used for sending email. This isolates the reputation of your primary domain from that of your subdomains, providing an extra layer of protection.
Beyond DKIM, it's vital to implement SPF and DMARC for all your sending domains and subdomains. DMARC, in particular, allows you to instruct recipient mail servers on how to handle emails that fail SPF or DKIM authentication, and provides valuable reporting to monitor your email streams. Pay special attention to DMARC records for subdomains, as a misconfigured DMARC subdomain policy can lead to unexpected deliverability issues.
Regularly monitor your domain's reputation and check for blocklist (or blacklist) listings. Maintaining a clean sender reputation is paramount. Even with perfect DKIM setup, a poor reputation can hinder inbox placement. For a complete guide on authentication, check out setting up SPF, DKIM, and DMARC for optimal results.
Proactive monitoring for DKIM success
Proactive monitoring of your DKIM records is essential. Don't just set it and forget it. Domain registrar changes, migrations, or even accidental edits can break your DKIM setup. Utilize DMARC reporting to get continuous feedback on your email authentication status and quickly identify any issues.
Views from the trenches
Best practices
Ensure each domain or subdomain has its own distinct DKIM record without overlap; this is crucial for preventing conflicts.
Set up separate DKIM keys and DNS records for every subdomain you use to send emails, ensuring proper authentication.
Common pitfalls
Having multiple TXT records for the same DKIM selector and domain can confuse recipient servers, leading to authentication failures.
Misplacing a subdomain's DKIM record on the parent domain can cause unexpected interference and lead to DKIM conflicts.
Expert tips
Always double-check your DNS entries; even minor errors can lead to significant DKIM authentication issues.
Be aware that email service providers like Google Workspace might have specific behaviors regarding which DKIM keys they use for outbound mail.
Expert view
Expert from Email Geeks says to check your DNS carefully, as having multiple TXT records for the same DKIM selector on your primary domain can cause undefined results.
2022-04-21 - Email Geeks
Expert view
Expert from Email Geeks says that having conflicting DNS records can lead to unpredictable email authentication outcomes because recipient servers might not know which record to use.
2022-04-21 - Email Geeks
Ensuring seamless email authentication
Addressing DKIM failures, especially when dealing with subdomains, is a critical step in maintaining a healthy email program. By diligently checking your DNS records for accuracy, ensuring unique DKIM setups for each sending subdomain, and actively monitoring your authentication results through DMARC, you can significantly reduce the likelihood of deliverability issues.
Proper DKIM configuration not only helps your emails reach the inbox but also protects your brand from spoofing and phishing attempts, reinforcing trust with your recipients. Investing the time to understand and correctly implement these authentication protocols is an investment in your email success.