DEV Community

Cover image for DKIM selector not found: how to enable DKIM signing for your domain
InboxGreen
InboxGreen

Posted on • Originally published at inboxgreen.email

DKIM selector not found: how to enable DKIM signing for your domain

#email #dns #webdev #security

DKIM selector not found means a checker looked at the common selector locations for your domain and found no public key. This is one of the more confusing email authentication problems because the fix lives in two separate places: your email provider's admin panel and your DNS.

How DKIM works

Your mail server signs each outgoing email with a private key. The matching public key is published in DNS at a record like:

google._domainkey.yourdomain.com
Enter fullscreen mode Exit fullscreen mode

When a receiving server gets your email, it looks up that record and uses the public key to verify the signature. If the record does not exist, DKIM returns none and verification cannot happen.

Why both steps are required

This is where most people get stuck. You need to:

  1. Enable DKIM signing in your email provider's admin panel so outgoing mail gets signed
  2. Add the TXT or CNAME record to your DNS so receiving servers can verify the signature

Missing either step means DKIM will not pass. Adding the DNS record without enabling signing in the provider does nothing. Enabling signing without the DNS record means every verification attempt fails.

Provider-specific steps

Google Workspace:
Admin console > Apps > Google Workspace > Gmail > Authenticate email > Generate new record. Copy the TXT record name and value, add to DNS, then click Start authentication.

Microsoft 365:
Admin Center > Security > DKIM > select your domain > Enable. Microsoft gives you two CNAME records to add to DNS.

SendGrid:
Settings > Sender Authentication > Authenticate Your Domain. Two CNAME records, add both to DNS, then click Verify.

After adding the records

DNS propagation usually takes 5 to 30 minutes. Google Workspace can take up to 48 hours to confirm the key is active on their end. Do not assume it is broken after 10 minutes.

To verify, send a test email to a Gmail address and open Show original. Look for dkim=pass in the Authentication-Results header.

You can also run a full scan at InboxGreen, which checks all common selectors automatically.

For the full step-by-step guide per provider including common mistakes and FAQ: DKIM selector not found: fix guide

Top comments (0)