What Is DKIM and How Email Signing Works

December 25, 2025 • InboxGreenEmail Team

🚨 DKIM issues can silently kill replies.

If opens dropped, replies disappeared, or bounces increased, treat it as an incident. Run the scan and get a fix path.

No signup required. Works on any domain.

search Run a Free Domain Check notifications_active Monitor my domain

What Is DKIM and How Email Signing Works

As a SaaS founder or marketer, you know that getting your emails into the inbox is crucial. But what happens when your emails land in spam or get bounced back? One of the culprits could be the lack of proper email signing. This is where DKIM, or DomainKeys Identified Mail, comes into play. DKIM adds a layer of authentication to your emails, helping to verify that the message was indeed sent by you and not tampered with during transit. This matters because it directly impacts your inbox placement and domain reputation. When you see bounced emails, spam folder placements, or warnings in Gmail, it becomes urgent to address DKIM setup.

At a glance

  • This issue affects SaaS founders, marketers, and technical email managers.
  • This article will guide you through setting up DKIM for your domain.
  • By following these steps, you will improve your email deliverability and protect your domain reputation.

When this problem shows up in real life

Imagine you send out a marketing email campaign, and instead of landing in your subscribers' inboxes, they all end up in the spam folder. You check your email logs and notice entries like:

Feb 10 12:00:00 smtpd[12345]: NOQUEUE: reject: RCPT from mail.example.com: 550 5.7.1 : Recipient address rejected: DKIM signature verification failed

This is a clear indication that your DKIM setup is either missing or misconfigured. Another common scenario is when you receive a support ticket stating, “My emails are not being delivered.” You check the email headers and find:

Authentication-Results: mx.example.com; dkim=fail (204.12.34.56) [email protected]

This failure can lead to serious consequences, including damaged sender reputation and lower engagement rates.

Step by step: DKIM setup

  1. Access your DNS management console.

    Log in to your domain registrar or DNS hosting provider. This is where you will add the DKIM record.

  2. Generate your DKIM key.

    If you are using a service like Google Workspace or Microsoft 365, they often provide a DKIM key generator. Alternatively, you can use online tools for this purpose.

    For example, if you are using Google Workspace, follow these steps:

    • Go to Admin Console.
    • Navigate to Apps > Google Workspace > Gmail > Authenticate Email.
    • Click on “Generate New Record” and follow the prompts.
  3. Add the DKIM record to your DNS.

    Once you have your DKIM key, you will need to create a new TXT record in your DNS settings. The record usually looks something like this:

    google._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY"

    Make sure to replace YOUR_PUBLIC_KEY with the actual key you generated.

  4. Enable DKIM signing.

    After adding the DKIM record, go back to your email service provider and enable DKIM signing. In Google Workspace, this is done in the same Authenticate Email section.

  5. Test your DKIM setup.

    Send a test email to yourself and check the headers. Look for a line similar to:

    DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=google; ...

    If you see this, your DKIM setup is successful.

Common mistakes

  • Missing DKIM record.

    Symptom: Emails are landing in spam. Cause: No DKIM record exists for the domain. Fix: Generate and add a DKIM record in your DNS settings.

  • Incorrect public key.

    Symptom: DKIM signature verification fails. Cause: The public key in the DNS record does not match the private key used to sign the email. Fix: Regenerate the DKIM key and update the DNS record.

  • Using the wrong selector.

    Symptom: DKIM fails to authenticate. Cause: The selector used in the DKIM record does not match the one in the email header. Fix: Ensure the selector in your DNS record matches the one specified in your email service provider settings.

  • DNS propagation delays.

    Symptom: Changes do not seem to take effect immediately. Cause: DNS changes can take time to propagate. Fix: Wait up to 48 hours and then test again.

Troubleshooting when it still fails

If your DKIM setup seems correct but issues persist, follow these checks:

  • DKIM signature not present in email headers.

    Likely cause: DKIM signing is not enabled in your email service. What to try next: Go back to your email settings and ensure DKIM signing is activated.

  • Authentication-Results header shows DKIM=fail.

    Likely cause: Mismatch between DKIM record and signing key. What to try next: Double-check your DNS record and regenerate the DKIM key if necessary.

  • Testing with InboxGreen tools shows DKIM issues.

    Likely cause: Misconfiguration in DNS settings. What to try next: Use the InboxGreen checker to identify specific issues.

Related checks you should run

In addition to DKIM, you should also verify:

  • SPF and DMARC alignment to ensure all records are working together.
  • DNS TTL settings and propagation delays, as these can affect how quickly changes take effect.
  • Your domain reputation, including bounces and spam reports, to understand how your emails are being received.
  • List quality and engagement patterns to ensure you are sending to active and interested recipients.

FAQ

Why is DKIM still failing on Google Workspace after I added the record?

If DKIM is failing, ensure that the public key in your DNS matches the private key used to sign the emails. Also, check that DKIM signing is enabled in the Google Workspace Admin Console.

How long do DNS changes take to apply on Microsoft 365?

DNS changes can take anywhere from a few minutes to 48 hours to propagate fully. If you just made changes, it is advisable to wait and then test again.

Can I use more than one DKIM selector with this setup?

Yes, you can use multiple DKIM selectors. This is useful if you want to rotate keys or if you have different services sending emails on behalf of your domain.

What if my emails still go to spam even after setting up DKIM?

Check your SPF and DMARC records to ensure they are correctly configured. Also, analyze your email content and engagement rates, as these can impact deliverability.

What to do next

Now that you have a better understanding of DKIM and how to set it up, it is time to take action. Start by checking your current DKIM configuration using the InboxGreen checker. This tool will help you identify any issues and guide you through fixing them. Make sure to also review your SPF and DMARC settings for a comprehensive email authentication strategy. Good luck, and may your emails land where they belong - in the inbox!

Free Deliverability Scan

Check SPF, DKIM, DMARC and List-Unsubscribe for your domain in seconds.