After configuring DKIM for your domain, you should verify that your emails are being properly signed and that receiving mail servers can validate the DKIM signature.
A successful DKIM verification confirms that:
• the email was sent from an authorized server
• the message content has not been modified during transit
• the DKIM public key in your DNS record can be retrieved and validated
If DKIM verification fails, mailbox providers may reduce your deliverability or send messages to spam.
The most reliable way to verify DKIM is by checking the authentication results in a received email.
Send a test email from your domain to a Gmail or Outlook inbox.
Open the email and view the message headers or original message source.
Locate the Authentication-Results section.
You should see a result similar to:
DKIM=pass header.d=yourdomain.com
This indicates that:
• the DKIM signature was present
• the receiving server retrieved the DKIM public key from your DNS
• the signature matched the email contents
If DKIM is not working correctly, you may see:
DKIM=fail
or
DKIM=none
You should also confirm that the DKIM public key exists in your domain’s DNS.
A valid DKIM DNS record typically looks like this:
Name: selector._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=PUBLIC_KEY
To verify the record, check that:
• the selector name matches the one configured in your email provider
• the record type is TXT
• the value contains v=DKIM1 and a valid public key
If the DNS record cannot be retrieved, receiving mail servers will not be able to verify the DKIM signature.
Even if the DNS record exists, DKIM will only work if DKIM signing is enabled in your email provider.
Your email platform must actively sign outgoing emails using the private key associated with the DNS public key.
If DKIM signing is disabled, the email will not contain a DKIM-Signature header and authentication will fail.
After adding a DKIM record, DNS updates may take several hours to propagate across the internet.
If the selector used by your sending service does not match the selector published in DNS, verification will fail.
Missing fields, incorrect formatting, or truncated public keys can prevent successful validation.
The DNS record alone does not enable DKIM. Your sending server must actively sign outgoing messages.
In some cases, forwarding services may modify email headers or content, which can invalidate the DKIM signature.
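The DNS record checks above, together with the selector-mismatch and truncated-key problems, can be scripted. The Python below is an added example, not code from any email provider: the function names are hypothetical, the TXT value is passed in as a string you have already retrieved, and SAMPLE_P is constructed filler rather than a real key. For RSA keys it checks only that the outer DER length matches the bytes present.

```python
import base64
import binascii

def parse_tags(value):
    """Parse a DKIM 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Whitespace inside a value (folded header, split TXT strings) is dropped
            tags[name.strip()] = "".join(val.split())
    return tags

def query_name(dkim_signature):
    """DNS name a receiver queries, built from the signature's s= and d= tags."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_key_record(txt):
    """Return a list of problems in a DKIM TXT record value (empty list = looks fine)."""
    tags, problems = parse_tags(txt), []
    if tags.get("v") != "DKIM1":
        problems.append("v=DKIM1 missing or wrong")
    key_type = tags.get("k", "rsa")  # k= defaults to rsa when absent
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={key_type}")
    try:
        key = base64.b64decode(tags.get("p", ""), validate=True)
    except binascii.Error:
        return problems + ["p= is not valid base64 (truncated or mangled)"]
    if not key:
        problems.append("p= missing or empty (no usable public key)")
    elif key_type == "rsa" and not der_length_ok(key):
        problems.append("p= decodes but DER length does not match (truncated key)")
    elif key_type == "ed25519" and len(key) != 32:
        problems.append("ed25519 key is not 32 bytes")
    return problems

def der_length_ok(der):
    """True if the outer DER SEQUENCE length equals the bytes actually present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1] & 0x7F if der[1] >= 0x80 else 0  # long-form length uses n extra bytes
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    return 2 + n + length == len(der)

# Constructed sample: DER-shaped filler, not a real key
SAMPLE_P = base64.b64encode(b"\x30\x81\x9f" + bytes(159)).decode()
```

Compare the output of query_name for the DKIM-Signature header of a received test email with the record name you published; if they differ, the selector does not match.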