dkim-no-common-selectors
DKIM signing not detected
DKIM is the digital signature your mail provider attaches to outgoing email so receivers can confirm nothing was tampered with along the way. Without it, the rest of your email-protection setup is missing a layer.
What this means in plain English
DKIM is a digital signature your mail provider attaches to every outgoing email. The signature uses a private key that only your provider knows; anyone who receives the email can check it against a matching public key you’ve published in your domain’s DNS settings.
If the email arrived unchanged from a system you authorised, the signature checks out. If a scammer tried to fake the email, or if something on the way altered it, the signature fails.
We tried to find your DKIM signature by looking at the most common locations and didn’t find one. The strongest interpretation: your mail provider isn’t signing your outgoing mail at all.
Why it matters to your business
DKIM works alongside the SPF and DMARC records discussed in our SPF and DMARC articles. With all three in place, mail providers have a high-confidence way to confirm a message really came from you.
Without DKIM:
- DMARC has only one signal to lean on. If SPF fails for any reason — for example because someone forwarded the email through a third system — there’s no DKIM to fall back on, so the mail fails the overall check and gets rejected. With DKIM in place, the signature survives forwarding.
- The visual checkmark in Gmail won’t appear. Gmail’s “verified sender” logo (BIMI, see our BIMI article) needs DKIM as a precondition.
- Bulk-sender requirements aren’t met. Google and Yahoo have required DKIM since 2024 for any sender that mails their users in any volume. Without it, your bulk mail bounces.
How to fix it
DKIM enablement happens at your mail provider, not in your DNS directly. Your provider generates the public/private key pair for you and tells you the exact text to publish in DNS. Whoever runs your domain’s DNS plugs that text in.
By provider:
- Google Workspace. Admin Console → Apps → Google Workspace → Gmail → Authenticate email → Generate new record. Publish the text Google gives you, then click “Start authentication”.
- Microsoft 365. Defender portal → Email & collaboration → Policies → Email authentication settings → DKIM. Toggle each accepted domain on.
- mailbox.org / IONOS / STRATO and similar German hosters. Each has a one-click DKIM toggle in the customer panel; switch it on, copy the DNS text into your domain’s settings.
After it’s published, send a test message to
check-auth@verifier.port25.com — the auto-reply tells you whether
SPF, DKIM, and DMARC all aligned.
A small detail to verify: the digital signature should use a 2048-bit key. Older 1024-bit keys are still common but considered weak by Google and others; most providers default to 2048 nowadays, but it’s worth confirming during setup.
Further reading
- MXToolbox DKIM lookup — verifies what’s published once you’ve set it up.
- Google Workspace DKIM setup
- Microsoft 365 DKIM setup
- RFC 6376 — DKIM specification