DKIM Selector Not Found: What It Means and How to Fix It

Last updated 2026-05-29 — By The InboxGreen Team

"DKIM selector not found" means no valid DKIM TXT record was found at the common selector locations for your domain. DKIM is a digital signature that proves an email was sent from your domain and was not modified in transit. Without it, emails are more likely to be treated as unverified by Gmail, Outlook, and Yahoo. The fix is to enable DKIM signing in your email provider's admin panel and add the TXT record they generate to your DNS.

What it means

DKIM (DomainKeys Identified Mail) works by having your mail server cryptographically sign each outgoing email. The corresponding public key is published as a TXT record in your DNS at a location like <code>selector._domainkey.yourdomain.com</code>. When a receiving server gets your email, it looks up this record to verify the signature. If the record does not exist, DKIM returns "none" and the signature check cannot be completed.

Why it matters

DKIM is one of the three pillars of email authentication alongside SPF and DMARC. Without DKIM, your domain cannot pass DMARC alignment via DKIM, meaning DMARC can only rely on SPF alignment. This weakens your overall authentication posture and increases the risk of silent filtering, especially on Gmail where DKIM is weighted heavily.

Example DKIM record structure

google._domainkey.yourdomain.com -> TXT -> v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY

Unlike SPF and DMARC, you do not write the DKIM public key yourself. Your email provider generates it. Enable DKIM in your provider's admin panel and they will give you the exact TXT record name and value to add to DNS.

How to fix it

Google Workspace

  1. Go to Google Admin console > Apps > Google Workspace > Gmail.
  2. Click Authenticate email.
  3. Select your domain and click Generate new record.
  4. Copy the TXT record name (e.g. google._domainkey) and value.
  5. Add the TXT record to your DNS provider with that exact name and value.
  6. Return to Google Admin and click Start authentication.
  7. Wait up to 48 hours for Gmail to verify the key.

Microsoft 365

  1. Go to Microsoft 365 Admin Center > Security > Email & collaboration > Policies & rules > Threat policies > DKIM.
  2. Select your domain and toggle Enable on.
  3. Microsoft will show the two CNAME records to add to your DNS.
  4. Add both CNAME records exactly as shown.
  5. Return and click Rotate DKIM keys to activate.

SendGrid

  1. In SendGrid, go to Settings > Sender Authentication.
  2. Click Authenticate Your Domain and follow the wizard.
  3. SendGrid generates two CNAME records. Add them to your DNS.
  4. Return to SendGrid and click Verify.

How to verify the fix

  1. After adding the DNS record and enabling signing in your provider, wait up to 48 hours.
  2. Run your domain through the InboxGreen free checker.
  3. DKIM should now show PASS.
  4. Send a test email to a Gmail address and check the original headers (Show original). DKIM should show "PASS".

Check your fix right now

Run your domain through InboxGreen's free checker to confirm the issue is resolved.

Check my domain

Common mistakes

  • Adding the DNS record but forgetting to enable DKIM signing in the provider admin panel. Both steps are required.
  • Copying only part of the long public key value. DKIM keys are typically 256+ characters and must be copied in full.
  • Using the wrong selector name. Use exactly the name your provider specifies; it is case-sensitive.
  • Expecting DKIM to pass instantly. Google Workspace in particular can take up to 48 hours to activate after the DNS record is published.

Frequently asked questions

What is a DKIM selector? +

A DKIM selector is a label that identifies which DKIM key was used to sign an email. It appears in the DKIM-Signature header as s=selectorname. A domain can have multiple selectors, for example one per sending service. The selector tells receiving servers where to look up the public key in DNS.

Can I have DKIM without access to my email provider admin panel? +

Not easily. DKIM requires your mail server to sign outgoing emails with a private key. Without access to the mail server or email provider settings, you cannot enable signing. If you use a shared hosting control panel like cPanel, look for Email Deliverability, which usually offers a one-click DKIM setup.

Why does DKIM still fail after I added the DNS record? +

The most common reason is that DKIM signing was not enabled in the email provider admin panel. Adding the DNS record alone is not enough. The mail server must also be configured to sign outgoing emails. Check your provider settings to confirm signing is active.

Related fix guides