Missing DKIM Signature

DKIM signs every outbound message with a cryptographic signature anchored in DNS, proving the message came from your domain and was not modified in transit.

Business risk

Without DKIM, SPF alone cannot survive forwarding. A user auto-forwards your mail to Gmail. The forwarded message now comes from the forwarder's IP, so SPF fails. With no DKIM signature to anchor the identity, DMARC also fails, and the message goes to spam. DKIM is also a hard requirement for bulk senders under the Google and Yahoo 2024 rules. For domains using third-party ESPs, DKIM often is set up but not published at the correct selector, so scanners report it as missing.

Technical details

Use 2048-bit RSA keys (rsa-sha256) as the default in 2026. M3AAWG recommends rotating every six months, quarterly if possible. Use date-based selector names like `s2026q2` or `dkim202604` instead of generic labels like `key1`, so future audits show at a glance when a key was deployed. Keep old selectors live for 24 to 48 hours after rotation because in-flight messages still carry the old signature. Each mail stream (transactional, marketing, support) should sign with its own selector so you can revoke one stream without breaking others.

How to detect it

DKIM records live at `<selector>._domainkey.yourdomain.com`. The selector is chosen by each sending provider - Google Workspace uses `google`, Microsoft 365 uses `selector1`/`selector2`, Amazon SES picks a token, SendGrid uses `s1`/`s2`. Send a test message and read the received headers to find the selector actually used.

dig +short TXT google._domainkey.yourdomain.com  # Google Workspace default

Send a test to yourself, open "View Original" in Gmail, read the DKIM-Signature header's s= tag

https://www.mail-tester.com/  # scores SPF+DKIM+DMARC+alignment

Common pitfalls

• !Using 1024-bit RSA keys. Still works but is below modern guidance. Use 2048-bit (or 3072-bit for long-lived keys). Gmail and Microsoft 365 use 2048-bit by default in 2026.
• !Never rotating. M3AAWG recommends rotating every six months (quarterly if possible). A never-rotated key is a persistent risk if the private key is ever exposed (server compromise, backup leak, cloud storage misconfiguration).
• !Using generic selector names like `key1`, `default`, `mail`. Audit history becomes impossible. Use date-based selectors (`s2026q2`, `dkim202604`) so future engineers can see when the key was deployed.
• !Revoking old selectors too quickly after rotation. In-flight mail still carries the old signature. Keep the old selector live for at least 48 hours after switching the signing key.
• !Signing only one mail stream. Transactional, marketing, and support mail often go through different providers. Each stream should sign with its own selector so one compromised key does not require revoking all legitimate mail.

Remediation guide

Type:  TXT
Name:  s2026q2._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOC...

External references

• RFC 6376: DKIM Signatures
• M3AAWG DKIM Key Rotation Best Practices

Frequently asked questions

Keep going

Verify your fix

Applied the configuration change? Run a live scan to confirm the vulnerability is patched.