DKIM Lookup and Checker Tool

This tool verifies that your domain’s DomainKeys Identified Mail (DKIM) setup is correct. By checking that your record is publicly accessible and properly aligned, you can boost email deliverability and protect your domain from spoofing or phishing attacks.

Proper email authentication is essential for ensuring your emails land in your recipients' inboxes, not their spam folders. One key player in this process is DomainKeys Identified Mail (DKIM). Let's walk through how to verify your DKIM records using online tools like ActiveCampaign's DKIM checker, troubleshoot common issues, and understand why DKIM is essential for email deliverability.

For well-rounded authentication, use our DMARC and SPF checker tools.

How to look up and check your DKIM records

Verifying your DKIM records ensures that your emails are properly authenticated, which is crucial for maintaining deliverability and protecting your domain's reputation. Here's how you can do it:

1. Locate your DKIM selector and Domain Name System (DNS) records

A DKIM selector is a label that helps email providers find the right DKIM key in your domain's settings. When you set up DKIM, you choose a selector (like "default" or "google") that gets added to your email’s hidden DKIM signature. This tells receiving mail servers where to look in your DNS records to verify that the email is legitimate.

To find your DKIM selector and associated DNS records:

  • Check your email service provider's DKIM settings: They often provide the selector name and the DKIM public key to publish in your DNS.
  • Access your DNS hosting provider's dashboard: Navigate to the DNS management section to view or add DNS records.

Remember, after making changes to your DNS records, it may take some time (usually 24-48 hours) for the changes to propagate across the internet.

2. Enter domain and selector details into a DKIM checker

Once you've identified your DKIM selector and ensured your DNS records are updated, you can verify the setup using a DKIM lookup tool. Here's how:

  1. Choose a DKIM checker tool: ActiveCampaign offers a user-friendly DKIM checker that simplifies this process.
  2. Input your domain and selector: Enter your domain name and the DKIM selector into the tool.
  3. Run the check: The tool will retrieve the DKIM record from your DNS and display the results.

This process helps confirm that your DKIM record is correctly published and accessible.

3. Analyze DKIM checker results and troubleshoot errors

After running the DKIM check, you'll receive results indicating whether your DKIM record is valid. If you get a pass, your DKIM record is correctly configured. If you get a fail, there's an issue with your DKIM setup.

Common errors and how to resolve them:

  • Invalid signatures: Ensure your private key matches the public key published in your DNS.
  • Record syntax issues: Verify there are no typos or formatting errors in your DKIM record.
  • Mismatched selectors: Confirm that the selector used in your email headers matches the one in your DNS records.

If validation isn't successful, revisit your DKIM settings and DNS records to correct any discrepancies.

Why does DKIM matter for email deliverability?

DKIM is an email authentication method that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain. It works by affixing a digital signature to the email's header, which is validated by the recipient's mail server against a public key published in the sender's DNS records.

This process helps prevent email spoofing, enhances sender reputation, and improves email deliverability. DKIM works alongside SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance) to provide a comprehensive email authentication framework.

We’ll go deeper into how these three components work together, so keep reading.

Common DKIM configuration issues and fixes

Even with the best intentions, misconfigurations can occur. Let’s look at some frequent DKIM issues and how to address them.

Syntax errors and formatting mistakes in DNS records

Incorrect formatting, such as extra spaces or missing semicolons, can invalidate your DKIM record. To fix this, double-check your DKIM record and ensure it adheres to the correct syntax as specified by your email service provider.

Also, use DNS validation tools to help identify and highlight syntax errors in your records.

Selector mismatches and multiple DKIM records

If you use different email platforms for various purposes, you might need multiple DKIM selectors. For example, you may have different email services (e.g., Google Workspace for business emails, ActiveCampaign for marketing, and SendGrid for transactional emails). You may also have subdomains for different departments (e.g., sales.example.com and support.example.com, using separate mail systems).

There are a few things you can do to verify and avoid conflicts:

  • Check your selectors: Review your DNS settings or ask your email provider for the correct DKIM selectors.
  • Use a DKIM lookup tool: Enter your domain and each selector to confirm the records are published correctly.
  • Avoid overwrites: Ensure each service has a unique selector (e.g., google._domainkey, acmail._domainkey) to prevent conflicts.
  • Monitor changes: When rotating keys, update DNS records carefully and allow time for propagation.

Keeping selectors organized and verified ensures smooth email authentication and avoids deliverability issues.

Delayed DNS propagation and caching effects

DNS changes can take time to propagate, leading to temporary validation failures. To mitigate this, allow up to 48 hours for DNS changes to take full effect and use real-time DNS lookup tools. These can help verify if your changes have propagated.

Weak encryption keys and outdated key lengths

Shorter DKIM keys, like 512-bit, are weak and easier for attackers to crack, putting your emails at risk of being forged. 1024-bit is the minimum recommended length, but 2048-bit is even better for stronger security and long-term protection.

To upgrade your DKIM key:

  • Generate a new key pair: Use your email provider’s DKIM setup tool or a command-line tool like OpenSSL to create a 1024-bit or 2048-bit key.
  • Update your DNS record: Publish the new public key in your domain’s DNS settings under the correct DKIM selector.
  • Test the setup: Use a DKIM lookup tool to confirm the new key is correctly published and working.
  • Remove the old key: Once the new key is active, delete outdated, weaker keys to prevent misuse.

Advanced methods for testing and debugging DKIM

For more technical users, additional methods can provide deeper insights into your DKIM setup:

Use command-line tools to verify DKIM records

If you want to verify your DKIM setup manually, tools like dig (Linux/macOS) and nslookup (Windows) can help retrieve your DKIM records.

Example commands:

Using dig (Linux/macOS):
dig TXT selector._domainkey.example.com +short

Using nslookup (Windows):
nslookup -type=TXT selector._domainkey.example.com

Interpreting the output:

If your DKIM record is valid, the lookup returns a TXT string containing the public key (v=DKIM1; k=rsa; p=MIIBIjANBg...). If you see "NXDOMAIN" or no result, your DKIM record might be missing or misconfigured.

Checking for successful validation:

  • Ensure the p= value contains a long encoded key.
  • Verify that the selector matches what your email provider uses.
  • If no record appears, wait for DNS propagation and check again.

These quick checks allow you to confirm your DKIM setup without relying on third-party tools.
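
The checks above and the key-length guidance from the weak-keys section can be automated. The following is an added Python example, not part of the original page or of ActiveCampaign's tool. It takes the TXT value as dig prints it, validates the tag syntax, and reads the RSA modulus length out of the p= value. The function names and the sample record are assumptions made for illustration; the sample uses a placeholder modulus, not a real key.

```python
import base64
import re

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of the modulus in a DER SubjectPublicKeyInfo (RSA)."""
    _, spki, _ = _tlv(der, 0)                # outer SEQUENCE
    _, _, nxt = _tlv(spki, 0)                # AlgorithmIdentifier, skipped
    tag, bitstr, _ = _tlv(spki, nxt)         # BIT STRING wrapping the key
    if tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, rsakey, _ = _tlv(bitstr, 1)           # skip the unused-bits octet
    _, modulus, _ = _tlv(rsakey, 0)          # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt):
    """Classify the TXT value returned for selector._domainkey.<domain>."""
    chunks = re.findall(r'"([^"]*)"', txt)   # dig prints long records as quoted chunks
    record = "".join(chunks) if chunks else txt.strip()
    tags = {}
    for spec in filter(str.strip, record.split(";")):
        if "=" not in spec:
            return "syntax error: tag without '='"
        name, value = spec.split("=", 1)
        tags[name.strip()] = "".join(value.split())
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "syntax error: bad v= or missing p="
    if not tags["p"]:
        return "revoked: empty p="
    if tags.get("k", "rsa") != "rsa":
        return "ok: non-RSA key, length not checked"
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return "syntax error: p= is not a valid RSA public key"
    return f"{'weak' if bits < 1024 else 'ok'}: {bits}-bit RSA key"

# Constructed 512-bit sample in dig's chunked form (placeholder modulus, not a real key).
SAMPLE_DER = bytes.fromhex("305c300d06092a864886f70d0101010500034b003048024100"
                           "80" + "00" * 62 + "01" + "0203010001")
SAMPLE_RECORD = '"v=DKIM1; k=rsa; " "p=' + base64.b64encode(SAMPLE_DER).decode() + '"'
print(check_dkim_record(SAMPLE_RECORD))
```

Pass it the output of the dig command shown earlier. A 2048-bit key is longer than one 255-byte TXT string, so its record arrives as several quoted chunks, which the function joins before parsing.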

Check DKIM alignment for subdomains and unique selectors

When you send emails from different subdomains (like sales.example.com or support.example.com) or use multiple email services, it’s important to assign each one its own DKIM selector and record to prevent conflicts.

To verify that each subdomain or mail stream has the correct DKIM record:

  • Use a DKIM lookup tool for each selector (e.g., sales._domainkey.example.com, support._domainkey.example.com).
  • Make sure every subdomain has its own unique DKIM entry with the correct public key.
  • Avoid using the same selector name (like default._domainkey) for multiple services to prevent overwriting records.

Regularly test your DKIM setup and update your keys as needed to maintain smooth email authentication and ensure security across all your email streams.

Analyze DKIM results in DMARC aggregate reports

DMARC is like a security guard for your emails, checking that everything looks legit. One of its jobs is to check DKIM alignment, which makes sure the domain in an email's DKIM signature matches the domain the email claims to come from.

If DMARC notices any misalignments (like the DKIM signature not matching the sending domain), it will include that information in its aggregate reports, which are sent to the email address you specify. These reports show you if there are problems with DKIM or SPF alignment and help you spot which domains or selectors need fixing.

How to find DKIM issues in the DMARC report

DMARC aggregate reports come in raw XML format, which might seem complicated at first, but don’t worry—it’s not too hard to find the key information.

  1. Open the XML file: Use any text editor or an XML viewer to open the report.
  2. Look for the "dkim" field: Inside the report, there will be a section showing DKIM results for each email sent.
  3. Check the "result" tag: This will tell you whether DKIM passed or failed. If it says "fail," there’s a mismatch.
  4. Find the "selector": The selector used for the email will be listed, helping you identify which one needs attention.
  5. Look for the "domain": This tells you which domain was tested for DKIM alignment.

By reading through the report, you can figure out if certain selectors or domains are causing issues and take action to fix them.
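
The five steps above can be scripted. The following is an added Python example, not part of the original page. It reads an aggregate report and counts messages whose DKIM verdict failed, grouped by From domain, signing domain and selector, and it separates a broken signature from a valid signature that is simply not aligned. Element names follow the DMARC aggregate report schema; the function name and the sample report (documentation domains and IP addresses) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report: one <record> per row below (documentation domains/IPs).
_REC = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
        "<policy_evaluated><dkim>{verdict}</dkim></policy_evaluated></row>"
        "<identifiers><header_from>example.com</header_from></identifiers>"
        "<auth_results><dkim><domain>{d}</domain><selector>{s}</selector>"
        "<result>{r}</result></dkim></auth_results></record>")
_ROWS = [("192.0.2.10", 40, "pass", "example.com", "google", "pass"),
         ("192.0.2.20", 7, "fail", "example.com", "acmail", "fail"),
         ("198.51.100.5", 3, "fail", "mailer.example.net", "s1", "pass")]
SAMPLE_REPORT = "<feedback>" + "".join(
    _REC.format(ip=ip, n=n, verdict=v, d=d, s=s, r=r)
    for ip, n, v, d, s, r in _ROWS) + "</feedback>"

def dkim_problems(report_xml):
    """Map (header_from, signing_domain, selector, reason) -> message count."""
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("report contains a DTD")  # reports are third-party input
    problems = Counter()
    for rec in ET.fromstring(report_xml).iter("record"):
        # policy_evaluated/dkim is the DMARC verdict: signature valid AND aligned.
        if rec.findtext("row/policy_evaluated/dkim") == "pass":
            continue
        count = int(rec.findtext("row/count", "0"))
        header_from = rec.findtext("identifiers/header_from", "")
        signatures = rec.findall("auth_results/dkim")
        if not signatures:
            problems[(header_from, "", "", "no DKIM signature")] += count
        for sig in signatures:
            result = sig.findtext("result", "missing")
            # A valid signature under a failed verdict means d= is not aligned
            # with the From domain; anything else is a verification failure.
            reason = "valid but not aligned" if result == "pass" else "signature " + result
            key = (header_from, sig.findtext("domain", ""), sig.findtext("selector", ""), reason)
            problems[key] += count
    return dict(problems)

for key, count in dkim_problems(SAMPLE_REPORT).items():
    print(count, *key)
```

In the sample, the "acmail" selector points to a key or signing problem, while the "s1" signature verifies but is signed by a different domain than the one in the From address.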

Strengthen email authentication with SPF and DMARC

While DKIM is vital, it's just one component of a complete email authentication strategy. Using it alongside SPF and DMARC checks enhances domain protection as well as sender reputation.

The three key technologies work together to ensure your emails are authenticated and trusted by inbox providers. Each serves a unique role in validating message sources, verifying content integrity, and enforcing domain policies.

1. SPF (Sender Policy Framework) validates message sources

SPF is the first layer of defense. It helps prevent email spoofing by defining which IP addresses are authorized to send emails on behalf of your domain. When an email is received, the recipient's mail server checks the SPF record published in your domain’s DNS to see if the sender's IP address is listed.

  • SPF checkers verify that your SPF record is correctly set up and that the sending IP is allowed.
  • If an email fails the SPF check, it may be rejected or marked as spam.

Why SPF alone isn’t enough: SPF only validates the sending IP address. It doesn’t hold up when emails are forwarded: a forwarded message arrives from the forwarder’s IP address, which can cause SPF failures.

2. DKIM (DomainKeys Identified Mail) ensures content integrity

DKIM adds a digital signature to your emails, allowing receiving mail servers to verify that the email hasn’t been tampered with in transit. The email provider signs outgoing messages with a private key, and the recipient’s mail server uses the public key (published in your domain's DNS) to authenticate the signature.

  • DKIM checkers confirm that your DKIM record is properly published and that emails pass authentication.
  • If the DKIM signature is missing or invalid, the email might be marked as suspicious.

Why DKIM alone isn’t enough: DKIM ensures email content integrity, but doesn’t specify what should happen if authentication fails. That’s where DMARC comes in.

3. DMARC (Domain-based Message Authentication, Reporting & Conformance) enforces domain policies

DMARC ties SPF and DKIM together under a single policy. It tells receiving servers what to do when an email fails SPF and/or DKIM checks—whether to reject, quarantine, or allow the email through.

  • DMARC checkers analyze your DMARC record to confirm it’s correctly configured.
  • DMARC reports provide insights into authentication failures, helping you detect spoofing attempts.

Why DMARC is essential: Without DMARC, even if SPF and DKIM fail, email providers might still deliver the email. DMARC ensures that failed messages are handled according to your policy, reducing phishing risks.

Why you should implement all three

Each of these authentication methods plays a different role, and using all three together provides maximum protection and deliverability:

  • SPF ensures that only authorized servers can send emails for your domain.
  • DKIM verifies that email content remains unchanged during transmission.
  • DMARC enforces authentication policies and helps prevent phishing attacks.

DKIM record lookup FAQs

Lingering questions? Let’s cover a few.

How do I add or update a DKIM record for my domain?

Access your DNS hosting provider's dashboard, navigate to the DNS management section, and add or update the TXT record with your DKIM public key as provided by your email service provider.

Can I use the same DKIM record for multiple email services?

It's possible but not recommended. Different services should have unique selectors and DKIM records to prevent conflicts and simplify troubleshooting.

How can I verify DKIM for my entire domain, including subdomains?

Check each subdomain individually, as DKIM records are selector- and domain-specific. Ensure each subdomain has its own DKIM record if it's used for sending emails.

What should I do if one DKIM checker tool shows different results than another?

Discrepancies can arise due to DNS caching or propagation delays. Verify your DKIM record using multiple tools and ensure your DNS changes have fully propagated.

How often do I need to update or rotate my DKIM keys?

You should update or rotate your DKIM keys every 6 to 12 months to enhance security and prevent unauthorized use. Some email providers may have specific key rotation policies, so it's best to follow their recommendations and regularly check your DKIM setup for any vulnerabilities.
