DKIM Testing for IT Administrators
How IT admins use DKIM testing to configure, troubleshoot, and maintain email authentication for their organization's domains.
Last updated: 2026-01-28
You're responsible for email deliverability across your organization. When marketing complains about emails going to spam, when executives can't reach clients, or when transactional emails fail—it lands on your desk.
DKIM testing is an essential tool for diagnosing and preventing these issues before they become fires to put out.
The IT Admin's DKIM Challenges
Multiple email platforms: Your organization probably uses Microsoft 365 or Google Workspace for employee email, plus various SaaS tools that send on behalf of your domain.
DNS management: DKIM records live in DNS. You need to add, modify, and troubleshoot TXT records without breaking other services.
Key rotation: DKIM keys should be rotated periodically for security. You need to manage this without disrupting email flow.
Troubleshooting pressure: When email breaks, everyone notices immediately. You need to diagnose issues fast.
The most common DKIM issue IT admins face: a third-party service was added by another team without proper DNS configuration. Regular audits catch these gaps.
How DKIM Testing Helps IT Teams
Verify configurations
After setting up DKIM, confirm the DNS record is published correctly and the key is valid.
Diagnose issues quickly
When email delivery fails, immediately check if DKIM is the cause. Save hours of troubleshooting.
Audit your domain
Check all known selectors to see what DKIM keys are active for your domain.
Monitor for changes
Detect when DKIM records are accidentally deleted or modified.
Platform-Specific DKIM Setup
Microsoft 365
Microsoft 365 uses two selectors for key rotation: selector1 and selector2.
Access DKIM settings
Microsoft 365 Defender → Policies & rules → Threat policies → Email authentication settings → DKIM
Select your domain
Choose the domain you want to enable DKIM for.
Copy the CNAME records
Microsoft provides two CNAME records you need to add to DNS.
Add DNS records
Add the CNAME records pointing to Microsoft's DKIM key servers.
Enable DKIM signing
Once DNS propagates, toggle DKIM signing on in the Microsoft 365 admin center.
Test with selectors: selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com
Google Workspace
Google Workspace uses google as the default selector, with google2 for rotation.
Access DKIM settings
Admin Console → Apps → Google Workspace → Gmail → Authenticate email
Generate DKIM key
Select your domain and click "Generate new record". Choose 2048-bit if supported.
Add DNS record
Add the TXT record to your domain's DNS with the provided value.
Start authentication
After DNS propagates, click "Start authentication" in the admin console.
Test with selector: google._domainkey.yourdomain.com
2048-bit keys
Always use 2048-bit keys if your DNS provider supports them. Some providers have TXT record length limits that require 1024-bit keys, but 2048-bit is more secure.
Third-Party Services
Common services your organization might use:
| Service | Selectors | Setup Location |
|---|---|---|
| Salesforce | sf, sf2 | Setup → Email → DKIM |
| HubSpot | hs1, hs2 | Settings → Domain Management |
| SendGrid | s1, s2 | Settings → Sender Authentication |
| Mailchimp | k1, k2, k3 | Settings → Domain Authentication |
| Zendesk | zendesk, zd | Admin → Channels → Email |
Each service that sends email on behalf of your domain needs its own DKIM configuration.
Key Rotation Best Practices
DKIM keys should be rotated periodically to maintain security:
Why rotate:
- Limits damage if a private key is compromised
- Follows security best practices
- Some compliance frameworks require it
How often:
- Every 6-12 months for most organizations
- More frequently in high-security environments
How to rotate without downtime:
Generate new key
Create a new DKIM key pair with a new selector (e.g., selector2 if currently using selector1).
Publish new public key
Add the new public key to DNS with the new selector.
Wait for propagation
Allow 24-48 hours for DNS to propagate globally.
Switch signing
Configure your email service to sign with the new key.
Keep old key active
Leave the old public key in DNS for 7-14 days to handle delayed emails.
Remove old key
After the transition period, remove the old DNS record.
Troubleshooting Common Issues
"DKIM record not found"
Possible causes:
- DNS record not created
- Wrong selector name
- Typo in record name (check _domainkey spelling)
- DNS propagation incomplete
Resolution: Verify the exact selector your email service uses, check DNS for the record, wait for propagation if recently added.
"DKIM verification failed"
Possible causes:
- Public key doesn't match private key
- Email was modified in transit
- Key was rotated but DNS wasn't updated
Resolution: Verify the public key matches what your email service expects, check for any email-modifying services in the path.
"DKIM none" (no signature)
Possible causes:
- DKIM signing not enabled in the email service
- Wrong sending path (email going through a server that doesn't sign)
- Configuration incomplete
Resolution: Verify DKIM signing is enabled in your email service's settings.
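To tell which of the three cases above applies, read the headers of a delivered message: the DKIM-Signature header names the selector (s=) and domain (d=) that were actually used, and Authentication-Results records the receiver's verdict. The following Python sketch is an added example, not code from this page or any vendor; the function name, hint text, and sample headers are constructed for illustration.

```python
import email
import re

# Constructed sample headers (bh= and b= are placeholders, not real signatures).
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=fail header.d=example.com header.s=s1;
 spf=pass smtp.mailfrom=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=s1; h=from:to:subject; bh=AAAA; b=BBBB
From: sender@example.com
Subject: test

body
"""

HINTS = {
    "none": "no signature: check that signing is enabled and the mail took the signing path",
    "fail": "verification failed: compare the DNS key with the service's key, look for relays that modify mail",
    "pass": "signature verified",
}

def dkim_triage(raw_message):
    """Return the receiver's DKIM verdicts and the DNS names of the signing keys."""
    msg = email.message_from_string(raw_message)
    names = []
    for sig in msg.get_all("DKIM-Signature", []):
        # Tag list: "tag=value; tag=value"; folded header whitespace is dropped.
        tags = {k.strip(): "".join(v.split())
                for k, _, v in (t.partition("=") for t in sig.split(";"))}
        if "s" in tags and "d" in tags:
            names.append(f"{tags['s']}._domainkey.{tags['d']}")
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = re.findall(r"(?<![\w-])dkim=([a-z]+)", auth)
    if not verdicts and not names:
        verdicts = ["none"]            # unsigned and no receiver verdict recorded
    hints = [HINTS.get(v, "see the receiver's reason text") for v in verdicts]
    return {"verdicts": verdicts, "dns_names": names, "hints": hints}
```

The names in dns_names are the exact records to look up when the result is "DKIM record not found" or "DKIM verification failed".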
DNS Record Format
DKIM records are TXT records. The format:
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
Key points:
- The selector and _domainkey are part of the record name
- v=DKIM1 is required
- k=rsa specifies the key type
- p= contains the public key (long base64 string)
For long keys, some DNS providers require splitting into multiple strings:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
"...continued key data..."
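The record checks described above, as an added example (not code from this page or from any DKIM tool): a Python linter that joins a record's strings, checks the tags listed here, and reads the RSA key size out of the p= value. The function names are hypothetical, and sample_record builds a constructed record whose modulus is not a real key.

```python
import base64

def _tlv(buf, pos=0):                  # read one DER element -> (contents, next offset)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(spki):                    # spki = base64-decoded p= value
    outer, _ = _tlv(spki)
    _, after_alg = _tlv(outer)         # skip the AlgorithmIdentifier
    bitstr, _ = _tlv(outer, after_alg)
    rsakey, _ = _tlv(bitstr, 1)        # byte 0 is the unused-bits count
    modulus, _ = _tlv(rsakey)
    return int.from_bytes(modulus, "big").bit_length()

def lint_dkim_txt(strings):
    """Lint the quoted strings of one DKIM TXT record; return (key_bits, issues)."""
    issues = [f"string {i} is longer than 255 bytes" for i, s in enumerate(strings) if len(s) > 255]
    record = "".join(strings)          # strings are joined with no separator
    tags = {k.strip(): v.strip() for k, _, v in (t.partition("=") for t in record.split(";"))}
    if tags.get("v") != "DKIM1":
        issues.append("v=DKIM1 missing")
    if tags.get("k", "rsa") != "rsa":
        return None, issues + ["not an RSA key, size check skipped"]
    p = "".join(tags.get("p", "").split())
    if not p:
        return None, issues + ["p= empty or missing (an empty p= means the key is revoked)"]
    try:
        bits = rsa_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError):
        return None, issues + ["p= is not a complete base64 RSA public key"]
    if bits < 2048:
        issues.append(f"{bits}-bit key, below the recommended 2048")
    return bits, issues

def _der(tag, body):                   # minimal DER encoder, used only for the sample
    n, size = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")) + body

def sample_record(bits):
    """Constructed record: valid structure, but the modulus is NOT a real key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsakey = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsakey))
    text = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
    return [text[i:i + 255] for i in range(0, len(text), 255)]
```

Publishing only the first string of a split 2048-bit record is a common copy-and-paste error; the linter reports it as an incomplete p= value rather than a missing record.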
Complete Email Authentication Stack
DKIM is one of three protocols you should configure:
SPF (Sender Policy Framework): Lists IP addresses authorized to send for your domain. Check at spfrecordcheck.com.
DKIM: Cryptographic signatures verified against DNS public keys.
DMARC: Policy layer that ties SPF and DKIM together. Check at dmarcrecordchecker.com.
All three should be configured for each sending domain.
Monitor Your DKIM Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.