It can be confusing when you've painstakingly configured your DKIM record in DNS, only to find that your outgoing emails are not being DKIM signed. While the DNS record is a crucial step for email authentication, it only publishes the public key. The actual signing of emails with the private key must occur at your mail server or through your email service provider (ESP).
Key findings
Two-part process: DKIM setup involves both publishing a public key in your DNS record and ensuring your sending mail server (or ESP) is configured to sign emails with the corresponding private key. Both steps are essential.
ESP configuration: Many email marketers encounter this issue because their ESP has not properly enabled DKIM signing, or the user hasn't activated it within the ESP's portal, even after publishing the DNS record.
Private key management: The mail server responsible for sending emails must have access to the private key and be configured to use it for signing. This is often handled by your ESP, but direct server configuration may be needed for self-hosted solutions.
Troubleshooting tools: Utilizing tools to check DKIM validity can help pinpoint where the failure occurs. Our guide on troubleshooting DKIM failures can assist.
Previous vendor records: Sometimes, lingering DKIM records from a previous email vendor can conflict with your current setup, causing signing issues.
Key considerations
Contact your ESP: The first step should always be to reach out to your email service provider. They can verify if DKIM signing is enabled for your domain and troubleshoot any internal configuration issues.
Review ESP settings: Log into your ESP's portal and look for specific DKIM or authentication settings. There might be an "activate" or "authenticate" button that needs to be clicked after the DNS record is published.
Verify DNS propagation: Ensure your DKIM DNS record has fully propagated. This can take some time after initial setup. You can use online DNS checkers to confirm its visibility.
Selector mismatch: Confirm that the selector used in your DKIM DNS record matches the selector your ESP or mail server is configured to use for signing. Learn more about DKIM selector name examples.
Email marketers often encounter DKIM issues after updating DNS records, finding that emails still aren't signed. Their collective experience highlights that simply publishing the DNS record isn't enough; the sending infrastructure must also be correctly configured to apply the signature. They frequently advise checking with the ESP, as many providers require specific activation steps or direct communication to enable the signing process. The importance of the private key, which is managed by the sending server, is also a common theme among marketers troubleshooting these issues.
Key opinions
Provider's role: Marketers frequently point to the email service provider as the primary point of contact when emails aren't DKIM signed despite a valid DNS record. The ESP is responsible for applying the signature.
Activation step: A commonly overlooked step is activating DKIM signing within the ESP's portal after the public key is in DNS. Many platforms require a manual "on" switch.
Private key necessity: It's understood that while the public key is in DNS, the private key must be with the ESP or mail server for actual signing to occur. This is a common point of misunderstanding.
New program onboarding: Marketers onboarding to new email platforms often face this initial challenge, suggesting it's a common configuration hurdle rather than a deep technical flaw.
Vendor transitions: If changing ESPs, the old vendor's DKIM records or settings might interfere, requiring a clear hand-off and re-configuration with the new provider.
Key considerations
Direct communication: When DKIM records are configured but signing isn't happening, contact your ESP directly to confirm they have the private key and are signing your outbound mail. This is a key troubleshooting step.
Check ESP documentation: Refer to your ESP's specific guides on DKIM setup. There may be a unique step or specific selector name required that's easily missed.
Confirm domain key: Ensure that the domain key you provided to your ESP (or generated) is the same one published in your DNS. Mismatches prevent proper validation.
System logs: For self-hosted solutions, checking mail server logs is crucial. Logs can reveal errors in the DKIM signing process, such as issues with key access or configuration. Learn more about troubleshooting email deliverability issues.
Marketer view
Email Marketer from Email Geeks notes that if emails are not DKIM signed despite a record being configured, it's typically an issue to raise with your ESP. They are the ones who need to ensure messages are signed.
12 Jul 2022 - Email Geeks
Marketer view
Email Marketer from Email Geeks suggests that after publishing the public key in DNS, it's critical to check your ESP's portal for an "activation" or "authenticate" button. This step is often overlooked and can resolve many similar issues.
12 Jul 2022 - Email Geeks
What the experts say
Experts emphasize the two-pronged nature of DKIM implementation: the DNS record (public key) and the sending mail server's configuration (private key). They often see instances where users correctly publish the DNS record but overlook the crucial step of ensuring their ESP or mail server is actively signing the emails. Troubleshooting typically involves confirming the private key's presence and correct activation on the sending side, recognizing that the DNS record alone does not perform the signing function.
Key opinions
Signing mechanism: Experts agree that a DKIM DNS record publishes the public key, but the actual email signing must be performed by the mail server or ESP using the corresponding private key. The record doesn't sign messages itself.
ESP control: For many, DKIM signing is a function entirely managed by their ESP. If emails aren't signed, the ESP needs to be contacted to confirm they've turned on and correctly configured signing.
Dual components: The process is always described as having two distinct parts: the DNS record for validation and the mail server's active configuration for signing. Both must align.
Importance of private key: A key question from experts is whether the private key was supplied to the ESP and if they subsequently enabled signing, underscoring the private key's critical role.
DMARC reliance: While DKIM is crucial, experts note that SPF and DMARC work together. If DKIM fails but SPF is correct, DMARC might still allow delivery. Learn more about DMARC, SPF, and DKIM.
Key considerations
Confirm ESP configuration: Verify with your ESP that the private key is properly installed on their mail servers and that DKIM signing is explicitly enabled for your domain. This is often an administrative toggle.
Selector consistency: Ensure that the DKIM selector used by your ESP for signing matches the selector in your published DNS record. Discrepancies lead to validation failures, as highlighted in MXToolBox DKIM verification.
Header inspection: Examine the raw email headers of your sent messages. A missing DKIM-Signature header is a clear indicator that the signing process isn't occurring on the sending side.
Monitor DMARC reports: Utilize DMARC reports to identify specific authentication failures. These reports can provide insight into whether DKIM signatures are missing or failing validation, helping you troubleshoot. Check our DMARC monitoring page for more.
Expert view
Expert from Email Geeks confirms that if you mean your ESP, you should discuss the matter of getting DKIM signatures in your messages with them.
12 Jul 2022 - Email Geeks
Expert view
Expert from Email Geeks asks two crucial questions: "Did you send a private key to your ESP? Did they turn on signing?" These point to the core of why emails might not be DKIM signed despite a configured DNS record.
12 Jul 2022 - Email Geeks
What the documentation says
Official documentation and technical guides consistently explain that DKIM (DomainKeys Identified Mail) is a two-part authentication standard designed to prevent email spoofing. While a DNS TXT record publishes the public key, enabling recipient servers to verify the signature, the actual signing of outbound emails occurs at the sending mail server using a corresponding private key. This key must be securely stored and correctly configured on the server responsible for sending mail. Without proper server-side implementation, the DNS record alone cannot facilitate DKIM signing.
Key findings
Private key requirement: Documentation confirms that for DKIM to function, the mail server sending emails must be configured with the private key to create the digital signature on outgoing messages.
DNS role: The DKIM DNS record only provides the public key, which is used by receiving mail servers to verify the signature, not to create it. It's a validation mechanism.
Header insertion: DKIM functions by inserting a cryptographic signature into the email header. If this header is missing, it indicates a failure in the signing process on the sender's side.
Spoofing prevention: DKIM's primary purpose is to help mailbox providers verify the sender and prevent phishing and spoofing attacks by ensuring message integrity and authenticity.
Key considerations
Server configuration: Ensure your mail server or ESP's configuration explicitly enables DKIM signing for your domain. This may involve installing modules or enabling specific settings within the mail server software.
Key security: The private key used for signing must be securely managed by the sending entity. Compromised keys can lead to unauthorized signing or spoofing. Learn more about DKIM record validation issues.
Selector usage: Confirm that the selector name used in your DKIM DNS record aligns with the selector used by your mail server or ESP to sign emails. Misaligned selectors will cause validation failures.
Regular checks: Periodically check your DKIM configuration using online tools to ensure it remains active and correctly signed. This helps catch unexpected changes or issues, including fixing invalid DKIM signatures.
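As an added example (not code from the page or from Email Geeks), this Python script applies the "Header inspection" and "Selector usage" checks described above: it reads a sent message's raw headers, reports a missing DKIM-Signature header, and confirms that the s= and d= tags point at a populated DKIM TXT record. The message, the DNS answer and the key material are constructed placeholders, and the dns_txt dict stands in for an actual DNS lookup.

```python
import email
from email import policy

# Constructed sample of a sent message's raw headers (as seen in "show original");
# the bh= and b= values are placeholders, not a real signature.
RAW_MESSAGE = """From: news@example.com
To: someone@example.net
Subject: DKIM check
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=mail2023; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=

Hello
"""

# Constructed stand-in for a DNS TXT lookup; p= holds a placeholder, not a real key.
DNS_TXT = {"mail2023._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDERPUBKEY"}


def parse_tags(value):
    """Split a DKIM tag=value list (signature header or TXT record) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def diagnose(raw, dns_txt, expected_selector=None):
    """Return findings about a message's DKIM state, "ok: ..." when everything aligns."""
    msg = email.message_from_string(raw, policy=policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        # No header at all: DNS is irrelevant, the sending side never signed.
        return ["no DKIM-Signature header: the sending side is not signing"]
    tags = parse_tags(str(sig))
    selector, domain = tags.get("s"), tags.get("d")
    if not selector or not domain:
        return ["DKIM-Signature lacks the s= or d= tag"]
    findings = []
    if expected_selector and selector != expected_selector:
        findings.append(f"selector mismatch: signer uses {selector}, DNS publishes {expected_selector}")
    name = f"{selector}._domainkey.{domain}"  # where verifiers fetch the public key
    record = dns_txt.get(name)
    if record is None:
        findings.append(f"no DKIM TXT record at {name}")
    elif not parse_tags(record).get("p"):
        findings.append(f"record at {name} has an empty or missing p= tag")
    return findings or ["ok: signed, selector and DNS record align"]
```

To use it against live mail, paste the raw source of a message you sent into RAW_MESSAGE and fill dns_txt with the TXT answer for the selector._domainkey name your ESP documents.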
Technical article
Documentation from Mailgun explains that to implement DKIM effectively, email servers must be configured to sign outgoing emails with a private key. This signing process is distinct from merely publishing the DNS record.
10 Jan 2023 - Mailgun
Technical article
Documentation from Zoho Mail states that you can enable DKIM for your domain from their control panel after creating the required text record in your domain's DNS manager. This implies a two-step process requiring both DNS and platform configuration.