SecurityStatus
Sign In Scan Your Domain
How It WorksFeaturesKnowledge BaseComparePricing
Sign In Get Started
medium DNS

DKIM Record

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails. The receiving mail server checks this signature against a public key published in your DNS. A valid DKIM signature proves the email was sent by an authorised server and was not tampered with in transit.

What SecurityStatus Checks

  • Presence of DKIM public key records in your DNS (common selectors: google, selector1, selector2, mail, dkim)
  • Key length — 1024-bit keys are considered weak; 2048-bit is the current standard
  • Whether the DKIM record is correctly formatted and parseable
  • DMARC alignment between DKIM signing domain and the From header

Why This Matters

DKIM provides message integrity — it proves your email was not modified in transit and came from an authorised source. Without DKIM, your DMARC policy cannot rely on DKIM alignment, making it easier for your domain to be spoofed. Many spam filters also assign higher trust scores to DKIM-signed emails.

How to Fix It

  1. 1

    Enable DKIM in your email provider

    For Google Workspace: Admin Console > Apps > Google Workspace > Gmail > Authenticate email. Generate a DKIM key and copy the DNS record shown. For Microsoft 365: Security Center > DKIM, select your domain and enable.

  2. 2

    Add the DKIM TXT record to your DNS

    Your provider will give you a TXT record to add at a specific subdomain like `google._domainkey.yourdomain.com`. Copy the entire record value exactly — DKIM records are long and easy to truncate.

  3. 3

    Use 2048-bit keys

    When your email provider offers a choice, always select 2048-bit keys. If you are currently using 1024-bit, rotate to a new 2048-bit key pair. Some providers like Microsoft 365 let you rotate keys in the admin console.

  4. 4

    Configure DKIM for third-party senders

    Every service that sends email from your domain needs DKIM set up. SendGrid, Mailchimp, and similar services provide CNAME records to add to your DNS rather than a TXT record — follow their specific instructions.

Frequently Asked Questions

Can I have multiple DKIM records?
Yes. Each sending service uses a different selector (the prefix before ._domainkey). You can have selector1, selector2, google, mailchimp, etc. all at the same time without conflict.
Why can't SecurityStatus find my DKIM record?
DKIM records are stored under specific selectors, not at the root domain. We check common selectors but your provider may use a unique one. Check your email provider's admin console to find the exact selector name.
What happens if DKIM fails?
Depending on your DMARC policy, the email may be quarantined or rejected. Even without DMARC, a DKIM failure can increase spam scoring. Most services won't cause an outright delivery failure unless DMARC is set to p=reject.

Related Guides

high SPF Record Read Guide high DMARC Record Read Guide critical Email Spoofing Risk Read Guide

Check Your Domain Now

Run all 38 security checks including DKIM Record and get your domain's security grade in under 2 minutes.

Scan Your Domain Free