DKIM Testing for IT Administrators

You're responsible for email deliverability across your organization. When marketing complains about emails going to spam, when executives can't reach clients, or when transactional emails fail—it lands on your desk.

DKIM testing is an essential tool for diagnosing and preventing these issues before they become fires to put out.

The IT Admin's DKIM Challenges

Multiple email platforms: Your organization probably uses Microsoft 365 or Google Workspace for employee email, plus various SaaS tools that send on behalf of your domain.

DNS management: DKIM records live in DNS. You need to add, modify, and troubleshoot TXT records without breaking other services.

Key rotation: DKIM keys should be rotated periodically for security. You need to manage this without disrupting email flow.

Troubleshooting pressure: When email breaks, everyone notices immediately. You need to diagnose issues fast.

How DKIM Testing Helps IT Teams

Platform-Specific DKIM Setup

Microsoft 365

Microsoft 365 uses two selectors for key rotation: selector1 and selector2.

Test with selectors: selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com

Google Workspace

Google Workspace uses google as the default selector, with google2 for rotation.

Test with selector: google._domainkey.yourdomain.com

Third-Party Services

Common services your organization might use:

Each service that sends email on behalf of your domain needs its own DKIM configuration.

Key Rotation Best Practices

DKIM keys should be rotated periodically to maintain security:

Why rotate:

• Limits damage if a private key is compromised
• Follows security best practices
• Some compliance frameworks require it

How often:

• Every 6-12 months for most organizations
• More frequently in high-security environments

How to rotate without downtime:

Troubleshooting Common Issues

"DKIM record not found"

Possible causes:

• DNS record not created
• Wrong selector name
• Typo in record name (check _domainkey spelling)
• DNS propagation incomplete

Resolution: Verify the exact selector your email service uses, check DNS for the record, wait for propagation if recently added.

"DKIM verification failed"

Possible causes:

• Public key doesn't match private key
• Email was modified in transit
• Key was rotated but DNS wasn't updated

Resolution: Verify the public key matches what your email service expects, check for any email-modifying services in the path.

"DKIM none" (no signature)

Possible causes:

• DKIM signing not enabled in the email service
• Wrong sending path (email going through a server that doesn't sign)
• Configuration incomplete

Resolution: Verify DKIM signing is enabled in your email service's settings.

DNS Record Format

DKIM records are TXT records. The format:

selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."

Key points:

• The selector and _domainkey are part of the record name
• v=DKIM1 is required
• k=rsa specifies the key type
• p= contains the public key (long base64 string)

For long keys, some DNS providers require splitting into multiple strings:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
"...continued key data..."

Complete Email Authentication Stack

DKIM is one of three protocols you should configure:

SPF (Sender Policy Framework): Lists IP addresses authorized to send for your domain. Check at spfrecordcheck.com.

DKIM: Cryptographic signatures verified against DNS public keys.

DMARC: Policy layer that ties SPF and DKIM together. Check at dmarcrecordchecker.com.

All three should be configured for each sending domain.

Monitor Your DKIM Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.