DKIM Missing — Why Recipients Can’t Verify Your Email

Updated May 2026 · Email Security · 6 min read

Table of Contents

What DKIM does
Symptoms of missing DKIM
Enable DKIM (per provider)
Verify the DNS record exists

DKIM (DomainKeys Identified Mail) is the cryptographic signature that proves an email actually came from your domain and wasn’t modified in transit. Without it, your messages can be silently spoofed and recipients have no way to tell legitimate mail from fake.

What DKIM does

When your mail server sends an email, it adds a DKIM signature — a hash of the message signed with a private key. The receiving server fetches your public key from DNS (at <selector>._domainkey.yourdomain) and verifies the signature. If it matches, the message is provably from you and provably untampered.

DKIM is one of three pillars of modern email authentication: SPF says which servers may send for your domain, DMARC tells receivers what to do when SPF or DKIM fails, and DKIM proves cryptographic authenticity.

Symptoms of missing DKIM

Lower inbox placement — Gmail and Outlook treat unsigned mail as more suspicious by default.
DMARC enforcement breaks: with p=quarantine or p=reject, unsigned mail gets junked or rejected.
No way for recipients to detect spoofed mail using your domain.

Enable DKIM (per provider)

Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate email. Generate the key, then publish the TXT record they show you.
Microsoft 365: Defender admin → Email & collaboration → Policies & rules → DKIM. Enable signing per domain after the two CNAMEs are published.
Resend / SendGrid / Mailgun / Postmark: each provider has a “Senders” or “Domains” page that generates the DKIM record. Publish it at the suggested selector and click “Verify.”
Send a test email to a Gmail account, click the three-dot menu, and pick “Show original.” Confirm dkim=pass.

Verify the DNS record exists

Most providers use selectors like google._domainkey, selector1._domainkey, or resend._domainkey. Check with dig TXT selector._domainkey.yourdomain. GuardHound checks the most common selectors automatically and re-scans clear once the record is live.

Run a free scan to find issues like this on your domain

GuardHound checks SSL, DNS, breaches, CVEs, lookalikes, hosting reputation, and more in under 30 seconds.

Start Free Scan →

Frequently Asked Questions

Do I need DKIM if I already have SPF?

Yes. SPF only checks the envelope sender, not the visible “From” address — attackers can pass SPF while spoofing your brand. DKIM signs the message contents, including the From header, which is what DMARC ultimately validates against.

How long are DKIM keys?

Use 2048-bit RSA keys. 1024-bit is still common and works, but 2048 is the modern recommendation. Most managed providers default to 2048 today.

Does GuardHound check every selector?

GuardHound queries the most common selectors used by the major providers (google, selector1/2, resend, mailgun, smtp, default, k1…). If you use a custom selector, the warning may persist until you tell us — contact support.