Folderly Flash Send-readiness test Have Folderly fix this

Run a DKIM DNS audit

DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to your email. A DKIM DNS audit goes deeper than pass/fail: it checks the selector in the message, the DNS record it points to, the public key quality, and whether the signing domain aligns with your visible From domain.

Why mailbox providers enforce this

Gmail and Yahoo require DKIM for bulk senders, and DKIM alignment is often the most reliable way to pass DMARC. A failing DKIM signature means the key is missing, the selector is wrong, the DNS record is malformed, or a relay altered the message after signing. A weak but technically passing setup can still hide operational risk: old selectors, short keys, duplicate TXT records, or a signing domain no one recognizes.

How to fix it

  1. Confirm your DKIM public key is published at selector._domainkey.yourdomain as a TXT record.
  2. Use a 2048-bit key where supported — 1024-bit is the deprecated minimum.
  3. Make sure the selector in the DKIM-Signature header (s=) matches the DNS record you published.
  4. Confirm the DKIM signing domain (d=) aligns with the visible From domain, either exactly or by relaxed organizational-domain alignment.
  5. Remove duplicate DKIM TXT records for the same selector; receivers should not have to choose between competing keys.
  6. Check that the public key is not empty or revoked (p= with no key), and that CNAME-based selectors resolve cleanly to the provider's key.
  7. If DKIM passes locally but fails at the receiver, a middlebox (mailing list, security gateway) is modifying the body or headers after signing — sign fewer mutable headers or fix the relay.
  8. Rotate keys periodically and remove retired selectors.
Don't guess — measure it. Send one email to Folderly Flash and see exactly which checks pass or fail for your message, in 30 seconds. No signup.
Run a free test →

FAQ

What's a DKIM selector?
The selector (the s= value in the DKIM-Signature header) tells the receiver which public key to fetch. It lets you run multiple keys at once — useful for rotation or multiple senders.
Is DKIM or SPF more important?
DKIM is more robust: it survives forwarding and proves message integrity, not just sending-server identity. Pass both, but if you can only perfect one for DMARC alignment, prioritize DKIM.

Related

Want a deliverability engineer to fix this for you? Hand it to Folderly →