Why is DKIM failing and how do I set it up for a subdomain?
Summary
What email marketers say (12 marketer opinions)
Email marketer from Reddit explains common issues can include incorrect DNS record syntax, key size mismatches, or the selector not matching what's configured in the sending server.
Marketer from Email Geeks advises that google._domainkey.mail.astorik.com should not interfere with google._domainkey.astorik.com, to be careful of the subdomain part.
Email marketer from EmailOnAcid shares that using multiple DKIM keys, by setting up a separate DKIM key for your subdomain, maintains deliverability and enables easier key rotation.
Email marketer from Mailhardener shares that DNS propagation delays after adding a DKIM record can cause temporary failures. Check with online tools to see if the record has propagated globally.
Email marketer from AuthSMTP explains that DKIM failures sometimes occur due to exceeding DNS TXT record character limits. If so, split the DKIM record using string concatenation.
Email marketer from Postmark explains that DKIM uses selectors to allow for multiple DKIM keys, which is beneficial for key rotation or different sending sources. For subdomains, a distinct selector is often recommended.
Email marketer from Stack Overflow shares how to verify if DKIM is set up correctly for a subdomain by sending a test email to a service like Gmail and checking the email headers for DKIM pass/fail.
Email marketer from SparkPost explains that DKIM failures occur because email content is modified in transit (e.g., by an email gateway) after it has been signed. Ensure all intermediate servers preserve the original message body.
Email marketer from EasyDMARC shares that to set up DKIM for a subdomain, you generate a new DKIM key, add the DKIM record to the subdomain's DNS settings, and ensure email sending from the subdomain is signed with the new key.
Marketer from Email Geeks advises checking DNS for multiple TXT records for google._domainkey.astorik.com.
Email marketer from dmarcian explains that DKIM uses selectors to allow for multiple DKIM keys, which is beneficial for key rotation or different sending sources. Selectors are an underused and often misunderstood part of DKIM.
Email marketer from MXToolbox shares that using their DKIM record lookup tool is important to troubleshoot DKIM failures. The tool validates syntax and checks for common errors.
What the experts say (3 expert opinions)
Expert from Word to the Wise, Laura Atkins responds that setting up separate DKIM keys for subdomains is beneficial for isolating reputation and troubleshooting deliverability issues. A failure on one subdomain will not affect the reputation of your other emails and domains.
Expert from Spam Resource explains that DKIM failures can happen if the signature doesn't match the header or body of the message. Usually this is caused because some other mailserver modified the message between signing and receipt. If the failure is intermittent, a temporary network or DNS issue is the most likely reason.
Expert from Email Geeks advises setting up a separate DKIM key with selector._domainkey.mail.astorik.com and signing outgoing mail with that.
What the documentation says (4 technical articles)
Documentation from Microsoft advises that if your DKIM keys do not meet the minimum key length requirements, DKIM validation will fail. Make sure you use strong DKIM keys of at least 1024 bits when you set up DKIM.
Documentation from RFC Editor (RFC 6376) details the exact format specifications for DKIM keys and records, including the 'v', 'k', 'p', and 'h' tags and their meanings.
Documentation from Google Workspace Admin Help explains that DKIM can fail if the DKIM key isn't published, the DNS record is incorrect, or the message is altered in transit.
Documentation from Cloudflare advises the DKIM record should be a TXT record containing the DKIM key. The name should include the selector (e.g., `selector._domainkey.subdomain.example.com`).
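As an added example (not code from any of the sources quoted above), a small Python checker that puts the documentation points together: it builds the record name for a subdomain, joins a TXT record that was published as several strings, reads the tag=value pairs, and measures the RSA modulus inside the p= key against the 1024-bit minimum. The DER encoder, the constructed_record helper and its bit-pattern moduli are assumptions used only to produce offline sample input; in practice the TXT strings would come from a DNS lookup of the name the first function returns.

```python
import base64, re
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID + NULL, DER
def dkim_record_name(selector, sending_domain):  # the name a verifier queries; a subdomain needs its own
    return f"{selector}._domainkey.{sending_domain}".lower().rstrip(".")
def parse_dkim_record(txt_strings):
    # A record over 255 chars is published as several quoted strings; resolvers join them as-is.
    tags = {}
    for part in "".join(txt_strings).split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = re.sub(r"\s+", "", value)  # whitespace inside p= is legal
    return tags
def _tlv(tag, body):  # minimal DER encoder, lengths up to 65535
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body
def _der_int(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)
def encode_rsa_spki(n, e):  # SubjectPublicKeyInfo: the bytes p= carries in base64
    return _tlv(0x30, RSA_ALG_ID + _tlv(0x03, b"\x00" + _tlv(0x30, _der_int(n) + _der_int(e))))
def constructed_record(modulus_bits):  # constructed sample input only; the modulus is not a real key
    spki = encode_rsa_spki((1 << (modulus_bits - 1)) | 1, 65537)
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
def _read_tlv(buf, pos):  # returns (tag, body, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln
def rsa_modulus_bits(spki):
    # SPKI -> skip AlgorithmIdentifier -> BIT STRING -> RSAPublicKey -> modulus INTEGER
    _, outer, _ = _read_tlv(spki, 0)
    _, _, after_alg = _read_tlv(outer, 0)
    _, bitstr, _ = _read_tlv(outer, after_alg)
    _, rsakey, _ = _read_tlv(bitstr[1:], 0)  # bitstr[0] is the unused-bits count
    _, modulus, _ = _read_tlv(rsakey, 0)
    return int.from_bytes(modulus, "big").bit_length()
def check_dkim_record(txt_strings, min_bits=1024):  # [] means the published key is usable
    tags = parse_dkim_record(txt_strings)
    if not tags.get("p"):
        return ["empty or missing p= (key not published or revoked)"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except Exception:
        return ["p= is not valid base64 DER (truncated or line-wrapped TXT string?)"]
    if bits < min_bits:
        return [f"key is {bits} bits, below the {min_bits}-bit minimum"]
    return []
```

Feed check_dkim_record the list of strings returned for the TXT record exactly as published, since a record split for the 255-character limit only verifies correctly when the pieces are concatenated without separators.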