Quick Answer

DKIM key not found means the receiving server couldn't locate your DKIM public key in DNS. The server looks for a TXT record at selector._domainkey.yourdomain.com and either finds nothing or gets NXDOMAIN. Common causes: wrong selector, DNS record not published, propagation delay, typos in the record location, or CNAME not resolving. Verify your DKIM selector and check that the DNS record exists at the correct location.

DKIM Key Not Found: Troubleshooting Missing Public Keys

By Braedon · Mailflow Authority · Troubleshooting · Updated 2026-03-31

Understanding the Error

When a receiving server gets email with a DKIM signature, it:

  1. Reads the d= (domain) and s= (selector) from the DKIM-Signature header
  2. Queries DNS for: {selector}._domainkey.{domain} TXT record
  3. Uses the public key from that record to verify the signature

If step 2 returns no record (NXDOMAIN or empty), you get "DKIM key not found."

Example DKIM-Signature header:

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=google;
    c=relaxed/relaxed; ...

The server looks up: google._domainkey.example.com TXT record.

Common Causes

1. DKIM Record Not Published

The most basic cause — you configured DKIM in your ESP but never added the DNS record.

How to check:

dig TXT google._domainkey.example.com

If no record returns, you need to publish it.

2. Wrong Selector

The selector in your DNS doesn't match what your ESP uses.

Scenario:

  • You added: dkim._domainkey.example.com
  • ESP sends with: s=selector1
  • Server looks for: selector1._domainkey.example.com
  • Not found!

Practitioner note: I see this weekly. Someone copies DKIM setup instructions from an old blog post using a generic selector name, but their ESP uses a different default. Always verify the exact selector your sending service uses.

3. DNS Propagation Delay

You just added the record but it hasn't propagated to all nameservers yet.

How to check:

# Check from Google's DNS
dig @8.8.8.8 TXT selector._domainkey.example.com

# Check from Cloudflare's DNS
dig @1.1.1.1 TXT selector._domainkey.example.com

# Check authoritative nameserver directly
dig @ns1.yourdns.com TXT selector._domainkey.example.com

If your authoritative nameserver has the record but public DNS doesn't, wait for propagation.

4. CNAME Not Resolving

Many ESPs use CNAME records that point to their DKIM key:

# Your DNS:
selector._domainkey.example.com CNAME selector._domainkey.esp.com

# ESP's DNS (must exist):
selector._domainkey.esp.com TXT "v=DKIM1; k=rsa; p=..."

If the CNAME exists but the target doesn't resolve, DKIM fails.

Common problems:

  • CNAME target changed (ESP updated their infrastructure)
  • Typo in CNAME destination
  • ESP's DNS has an outage

5. Typos in Record Location

DNS is case-insensitive but unforgiving of typos:

Correct | Common Mistakes
selector._domainkey.example.com | selector.domainkey.example.com (missing underscore)
selector._domainkey.example.com | selector._dkim.example.com (wrong keyword)
selector._domainkey.example.com | _domainkey.selector.example.com (reversed)

6. Subdomain Mismatch

If you're sending from a subdomain, DKIM must be at the subdomain level:

  • Sending as: [email protected]
  • DKIM d= value: d=marketing.example.com
  • Record must be at: selector._domainkey.marketing.example.com

A record at selector._domainkey.example.com won't be found for subdomain sends.

7. DNS Record Type Mismatch

DKIM keys must be TXT records. If you accidentally created a different record type, it won't be found.

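Check record type (many resolvers answer ANY queries with a minimal response, so repeat the query with TXT and CNAME if the output is unhelpful):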

dig ANY selector._domainkey.example.com

How to Diagnose

Step 1: Get the Exact Selector

Find a sent email and view raw headers. Look for:

DKIM-Signature: v=1; ... s=selector; d=yourdomain.com; ...

Note the exact s= value.

Step 2: Query DNS Directly

# Replace with your actual values
dig TXT {selector}._domainkey.{yourdomain.com}

Expected result (working):

;; ANSWER SECTION:
google._domainkey.example.com. 300 IN TXT "v=DKIM1; k=rsa; p=MIIBIjAN..."

Problem result (not found):

;; AUTHORITY SECTION:
example.com. 900 IN SOA ns1... (NXDOMAIN response)

Step 3: Check CNAME Resolution

If your record is a CNAME:

# Check the CNAME
dig CNAME selector._domainkey.example.com

# Follow the chain
dig TXT cname-target.esp.com

Both must resolve.

Step 4: Verify Record Syntax

If the record exists, verify it's valid:

dig TXT selector._domainkey.example.com +short

Should return something like:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

If it returns garbage or truncated data, the record may be malformed.
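
The lookup from "Understanding the Error" and the four diagnostic steps above, combined into one script. This is an added example, not code from the original article: the function names and the sample header are constructed for illustration, and dkim_diagnose assumes dig and network access.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Constructed sample: a folded DKIM-Signature header with shortened bh=/b=.
SAMPLE_HEADER='DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=Marketing.Example.com; s=selector1; h=from:to:subject;
    bh=Zm9v; b=YmFy'

# Step 1: print "<s>._domainkey.<d>" for a raw header read from stdin.
# Folding and whitespace are stripped first; d= and s= never contain any.
dkim_qname() {
    tr -d '\r\n\t ' | sed 's/^[Dd][Kk][Ii][Mm]-[Ss][Ii][Gg][Nn][Aa][Tt][Uu][Rr][Ee]://' |
    tr ';' '\n' | awk -F= '$1 == "d" { d = $2 } $1 == "s" { s = $2 }
        END { if (d == "" || s == "") exit 1; print tolower(s "._domainkey." d) }'
}

# Join the quoted strings `dig +short TXT` prints for one record. A TXT string
# holds at most 255 bytes, so 2048-bit keys arrive split and verifiers join the
# pieces with nothing between them. Older dig builds also print ";" as "\;".
dkim_txt_join() {
    sed 's/\\;/;/g; s/" *"//g; s/^"//; s/"$//'
}

# Step 4: classify a joined record as ok, revoked, no-key, malformed or not-dkim.
dkim_txt_check() {
    printf '%s' "$1" | tr -d ' \t' | tr ';' '\n' | awk '
        { i = index($0, "="); if (i) tag[substr($0, 1, i - 1)] = substr($0, i + 1) }
        END {
            if (("v" in tag) && tag["v"] != "DKIM1") { print "not-dkim"; exit }
            if (!("p" in tag))  { print "no-key"; exit }
            if (tag["p"] == "") { print "revoked"; exit }   # empty p= is a revoked key
            if (tag["p"] !~ "^[A-Za-z0-9+/]+=*$") { print "malformed"; exit }
            print "ok"
        }'
}

# Steps 2 and 3: query the CNAME and the TXT record at two public resolvers.
# Needs dig and network access. Usage: dkim_diagnose < raw-header.txt
dkim_diagnose() {
    name=$(dkim_qname) || { echo "no d= or s= tag in header" >&2; return 1; }
    echo "query name: $name"
    echo "CNAME: $(dig CNAME "$name" +short)"
    for ns in 8.8.8.8 1.1.1.1; do
        txt=$(dig @"$ns" TXT "$name" +short | grep '^"' | head -n 1 | dkim_txt_join)
        printf '@%s: ' "$ns"
        if [ -n "$txt" ]; then dkim_txt_check "$txt"; else echo "key not found"; fi
    done
}
```

A result of "key not found" from both resolvers alongside an empty CNAME line points at causes 1, 2, 5 or 6; a CNAME that prints a target while TXT stays empty points at cause 4.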

Solutions

For Missing Records

  1. Log into your DNS provider
  2. Add a TXT record:
    • Name: selector._domainkey (or full selector._domainkey.yourdomain.com)
    • Type: TXT
    • Value: The public key from your ESP

For Wrong Selectors

  1. Verify the selector your ESP uses (check their documentation or support)
  2. Update your DNS record to use the correct selector
  3. Or update your ESP settings to use your existing selector (if supported)

For CNAME Issues

  1. Verify the CNAME destination with your ESP
  2. Update the CNAME to the current target
  3. Test that the target actually resolves

For Propagation Issues

  1. Wait 15-30 minutes
  2. Test again from multiple locations
  3. If still not propagating after hours, check your DNS provider for errors

For Subdomain Sends

Create the record at the subdomain level:

  • Record location: selector._domainkey.subdomain.yourdomain.com
  • Or configure your ESP to sign with the parent domain (if supported)

Practitioner note: When clients say "DKIM was working and suddenly stopped," it's almost always a CNAME target change on the ESP side. ESPs occasionally rotate keys or change infrastructure, updating their DNS but not notifying customers that CNAMEs need updating.

Prevention

  1. Document your DKIM setup — list selector, record type, and target for each ESP
  2. Set up monitoring — Tools like dmarcian alert you when DKIM starts failing
  3. Verify after any DNS changes — Test authentication before and after changes
  4. Test from multiple locations — Local DNS cache can mislead you

If you're struggling to diagnose why DKIM keys aren't being found despite having records published, schedule a consultation — I'll trace the DNS lookup path and identify the issue.

v1.0 · March 2026

Frequently Asked Questions

What does DKIM key not found mean?

It means the receiving server tried to look up your DKIM public key at selector._domainkey.yourdomain.com but found no record. Without the public key, the DKIM signature can't be verified.

How do I find my DKIM selector?

Check the DKIM-Signature header in a sent email — look for s=selector. Common selectors include google, selector1, k1, dkim, or your ESP's default name.

Why does my DKIM record show up in DNS but verification fails?

Possible causes: wrong selector being checked, CNAME record not resolving properly, record has incorrect syntax, or DNS propagation hasn't completed to all nameservers.

How long does DKIM DNS propagation take?

Usually minutes to a few hours, but can take up to 48 hours depending on TTL settings and DNS provider. Test from multiple locations to verify propagation.

Can I have multiple DKIM selectors?

Yes — different ESPs use different selectors. Each gets its own DNS record: selector1._domainkey, selector2._domainkey, etc. They don't conflict.
