⚡ Folderly Flash Test my email →

Check and fix your DKIM signature

DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to your email. The receiver verifies it against a public key in your DNS. A DKIM pass is the strongest, most portable authentication signal you have — it survives forwarding, unlike SPF.

Why mailbox providers enforce this

Gmail and Yahoo require DKIM for bulk senders, and DKIM alignment is the easiest way to pass DMARC. A failing DKIM signature means either the key isn't published, the selector is wrong, or a relay altered the message after signing.

How to fix it

  1. Confirm your DKIM public key is published at selector._domainkey.yourdomain as a TXT record.
  2. Use a 2048-bit key where supported — 1024-bit is the deprecated minimum.
  3. Make sure the selector in the DKIM-Signature header (s=) matches the DNS record you published.
  4. If DKIM passes locally but fails at the receiver, a middlebox (mailing list, security gateway) is modifying the body or headers after signing — sign fewer mutable headers or fix the relay.
  5. Rotate keys periodically and remove retired selectors.
Don't guess — measure it. Send one email to Folderly Flash and see exactly which checks pass or fail for your message, in 30 seconds. No signup.
Run a free test →

FAQ

What's a DKIM selector?
The selector (the s= value in the DKIM-Signature header) tells the receiver which public key to fetch. It lets you run multiple keys at once — useful for rotation or multiple senders.
Is DKIM or SPF more important?
DKIM is more robust: it survives forwarding and proves message integrity, not just sending-server identity. Pass both, but if you can only perfect one for DMARC alignment, prioritize DKIM.

Related

Want a deliverability engineer to fix this for you? Hand it to Folderly →