Why is DKIM failing and how do I set it up for a subdomain?

Summary

DKIM failures are multifaceted, stemming from DNS misconfigurations (multiple TXT records, incorrect syntax, propagation delays), content modifications in transit, incorrect DKIM key setup, or the DKIM key not being published in DNS. To set up DKIM for a subdomain, a separate key must be generated, its DNS record added (using the correct selector format), and outgoing emails signed with that key. Ensure keys meet minimum length requirements (1024 bits or greater). Selectors are underused but beneficial for key rotation and source identification. Tools like MXToolbox can aid in troubleshooting, and checking email headers confirms successful setup. Subdomain DKIM keys isolate reputation, and following RFC 6376 is important.

Key findings

  • DNS Issues: Incorrect DNS configuration (multiple TXT records, syntax errors, propagation delays) is a common cause of DKIM failure.
  • Subdomain Setup: DKIM for subdomains needs a separate key, proper DNS record (with selector), and signing of emails with the key.
  • Selectors Are Key: DKIM selectors manage multiple keys, helping with rotation and source identification, often underused.
  • Content Modification: Email content changes during transit break DKIM signatures.
  • Key Strength: DKIM keys must meet a minimum length (1024 bits) for validation.
  • Key Published to DNS: The public key must be published in DNS before receivers can verify signatures.

Key considerations

  • Check DNS: Verify DNS records and propagation before troubleshooting more complex issues.
  • Tool Utilization: Leverage tools like MXToolbox to diagnose and correct DKIM problems.
  • Subdomain Isolation: Using separate DKIM keys per subdomain isolates reputation, aiding in troubleshooting.
  • Message Integrity: Protect email content from modifications during transit to maintain signature validity.
  • Key Management: Use selectors to manage multiple DKIM keys for rotation or different sending sources.
  • Review Headers: Check the headers of received test emails for the DKIM pass/fail result.

What email marketers say
12 Marketer opinions

DKIM failures often stem from DNS configuration issues such as multiple TXT records, incorrect syntax, or DNS propagation delays. Proper setup for subdomains involves generating a new DKIM key, adding the corresponding DNS record, and ensuring emails are signed with this key. Selectors play a vital role in managing multiple DKIM keys, and tools like MXToolbox can help diagnose problems. Content modification during transit and exceeding TXT record character limits are other potential causes of failure. For best results, use unique selectors for subdomains and strong DKIM keys, and check the headers of your emails to confirm that DKIM is passing.

Key opinions

  • DNS Configuration: Incorrect DNS settings, including multiple TXT records or syntax errors, are a common cause of DKIM failure.
  • Subdomain Setup: Setting up DKIM for a subdomain requires generating a new DKIM key and adding the appropriate DNS record for that subdomain.
  • Selectors Importance: DKIM selectors enable the use of multiple DKIM keys and are vital for proper configuration, especially for subdomains.
  • Email Modification: Content changes during email transit can invalidate DKIM signatures, leading to failures.
  • Record Lookup Tool: Using the MXToolbox DKIM record lookup tool allows you to check and fix issues quickly.

Key considerations

  • DNS Propagation: Account for DNS propagation delays when implementing or modifying DKIM records.
  • TXT Record Limits: Be mindful of DNS TXT record character limits and use string concatenation if necessary.
  • Header Verification: Verify DKIM setup by checking email headers for pass/fail status in services like Gmail.
  • Content Integrity: Ensure all intermediate email servers preserve original message content to avoid DKIM failures.
  • Strong DKIM Keys: Use strong DKIM keys, at least 1024 bits, to ensure emails pass DKIM authentication.
Marketer view

Email marketer from Reddit explains that common issues can include incorrect DNS record syntax, key size mismatches, or the selector not matching what's configured in the sending server.

March 2022 - Reddit
Marketer view

Marketer from Email Geeks advises that google._domainkey.mail.astorik.com should not interfere with google._domainkey.astorik.com, and to be careful with the subdomain part.

October 2023 - Email Geeks
Marketer view

Email marketer from EmailOnAcid shares that using multiple DKIM keys helps maintain deliverability and enables easier key rotation; set up a separate DKIM key for your subdomain.

May 2022 - EmailOnAcid
Marketer view

Email marketer from Mailhardener shares that DNS propagation delays after adding a DKIM record can cause temporary failures. Check with online tools to see if the record has propagated globally.

March 2021 - Mailhardener
Marketer view

Email marketer from AuthSMTP explains that DKIM failures sometimes occur due to exceeding DNS TXT record character limits. If so, split the DKIM record using string concatenation.

January 2025 - AuthSMTP
Marketer view

Email marketer from Postmark explains that DKIM uses selectors to allow for multiple DKIM keys, which is beneficial for key rotation or different sending sources. For subdomains, a distinct selector is often recommended.

May 2021 - Postmark
Marketer view

Email marketer from Stack Overflow shares how to verify if DKIM is set up correctly for a subdomain by sending a test email to a service like Gmail and checking the email headers for DKIM pass/fail.

March 2023 - Stack Overflow
Marketer view

Email marketer from SparkPost explains that DKIM failures occur because email content is modified in transit (e.g., by an email gateway) after it has been signed. Ensure all intermediate servers preserve the original message body.

December 2022 - SparkPost
Marketer view

Email marketer from EasyDMARC shares that to set up DKIM for a subdomain, you generate a new DKIM key, add the DKIM record to the subdomain's DNS settings, and ensure email sending from the subdomain is signed with the new key.

June 2022 - EasyDMARC
Marketer view

Marketer from Email Geeks shares to check DNS for multiple TXT records for google._domainkey.astorik.com.

January 2022 - Email Geeks
Marketer view

Email marketer from dmarcian explains that DKIM uses selectors to allow for multiple DKIM keys, which is beneficial for key rotation or different sending sources. Selectors are an underused and often misunderstood part of DKIM.

January 2023 - dmarcian
Marketer view

Email marketer from MXToolbox shares that using their DKIM record lookup tool is important to troubleshoot DKIM failures. The tool validates syntax and checks for common errors.

November 2023 - MXToolbox

What the experts say
3 Expert opinions

DKIM failures can occur when the email signature doesn't match the message content, often due to alterations by intermediate mail servers, or because of network and DNS issues. Setting up a separate DKIM key for each subdomain is beneficial because it isolates the reputation of each, so a failure on one does not negatively impact the others. The best practice is to sign outgoing mail using the right selector.

Key opinions

  • Content Modification: Email content modifications by intermediate mail servers can cause DKIM signature mismatches and failures.
  • Isolated Subdomain Reputation: Using separate DKIM keys for subdomains isolates their reputation, preventing failures in one from affecting others.
  • DKIM Key: Setting up DKIM on a subdomain involves setting up a DKIM key with selector._domainkey.mail.astorik.com.

Key considerations

  • Server Integrity: Ensure that all mail servers in the email's path maintain the integrity of the message to prevent DKIM failures.
  • Network Issues: Consider network or DNS issues as a potential cause for intermittent DKIM failures.
  • Subdomain Strategy: Implement separate DKIM keys for subdomains to isolate reputation and simplify troubleshooting.
Expert view

Expert from Word to the Wise, Laura Atkins responds that setting up separate DKIM keys for subdomains is beneficial for isolating reputation and troubleshooting deliverability issues. A failure on one subdomain will not affect the reputation of your other emails and domains.

November 2024 - Word to the Wise
Expert view

Expert from Spam Resource explains that DKIM failures can happen if the signature doesn't match the header or body of the message. Usually this is caused by some other mail server modifying the message between signing and receipt. If the failure is intermittent, a temporary network or DNS issue is the most likely reason.

November 2022 - Spam Resource
Expert view

Expert from Email Geeks explains to set up a separate DKIM key with selector._domainkey.mail.astorik.com and sign outgoing mail with that.

March 2023 - Email Geeks

What the documentation says
4 Technical articles

DKIM failures can occur due to several factors including unpublished DKIM keys, incorrect DNS records, message alterations during transit, and insufficient key lengths. The DKIM record must be a TXT record with a correctly formatted name including the selector (e.g., `selector._domainkey.subdomain.example.com`). Ensure keys meet minimum length requirements (at least 1024 bits) and adhere to RFC 6376 specifications.
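One way to run the checks described above (joining the TXT strings of a `selector._domainkey.<domain>` record, reading the v=, k= and p= tags, and enforcing the 1024-bit minimum) against a published record, as an added example that is not code from any of the cited sources. It uses only the Python standard library; the RSA keys it embeds are constructed, structurally valid DER that is not usable key material, so that it runs offline. In practice you would pass it the TXT strings returned by a DNS lookup of the record name.

```python
import base64

def parse_dkim_tags(txt_strings):
    """Join the TXT strings (resolvers do the same) and parse tag=value pairs; whitespace is dropped."""
    record = "".join(txt_strings)
    return {k.strip(): "".join(v.split())
            for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}

def _der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(p_b64):
    """Bit length of the RSA modulus in the base64 SubjectPublicKeyInfo carried by the p= tag."""
    _, spki, _ = _der_tlv(base64.b64decode(p_b64))      # SubjectPublicKeyInfo SEQUENCE
    _, _, after_alg = _der_tlv(spki)                    # skip AlgorithmIdentifier
    _, bitstr, _ = _der_tlv(spki, after_alg)            # BIT STRING holding RSAPublicKey
    _, rsa_pub, _ = _der_tlv(bitstr[1:])                # drop the unused-bits byte
    _, modulus, _ = _der_tlv(rsa_pub)                   # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt_strings, min_bits=1024):
    """Problems a verifier would report for a selector._domainkey.<domain> record; [] = looks sound."""
    tags, issues = parse_dkim_tags(txt_strings), []
    if tags.get("v", "DKIM1") != "DKIM1":               # v= is optional but must be DKIM1 if present
        issues.append("v= must be DKIM1")
    if not tags.get("p"):                               # missing, or empty (key revoked)
        issues.append("p= missing or empty: no usable public key published")
    elif tags.get("k", "rsa") == "rsa" and rsa_modulus_bits(tags["p"]) < min_bits:
        issues.append(f"RSA key shorter than {min_bits} bits")
    return issues

def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample keys below."""
    n, nb = len(content), (len(content).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content
def constructed_spki_b64(modulus, exponent=65537):
    """Constructed RSA SubjectPublicKeyInfo: structurally valid DER but NOT a usable key."""
    ints = b"".join(_der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big")) for x in (modulus, exponent))
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID + NULL params
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, ints)))).decode()
# Constructed records: a 2048-bit key whose p= exceeds one 255-byte TXT string and is split in two
# (resolvers concatenate the strings), and a weak 768-bit key that fails the length check.
_ok = f"v=DKIM1; k=rsa; p={constructed_spki_b64((1 << 2047) | 1)}"
SAMPLE_RECORD = [_ok[:255], _ok[255:]]
WEAK_RECORD = [f"v=DKIM1; k=rsa; p={constructed_spki_b64((1 << 767) | 1)}"]
```

Running `check_dkim_record(SAMPLE_RECORD)` returns an empty list, while `check_dkim_record(WEAK_RECORD)` reports the short key; an Ed25519 record (k=ed25519) is parsed but its key length is not checked here.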

Key findings

  • Common Failure Points: DKIM failures commonly arise from unpublished keys, incorrect DNS configurations, or message alterations.
  • DNS Record Format: The DKIM record should be a TXT record named with the proper selector and domain (e.g., `selector._domainkey.example.com`).
  • Key Length Requirement: DKIM keys must meet minimum length requirements, with 1024 bits being the recommended minimum.
  • RFC Compliance: Adherence to RFC 6376 is critical for the correct format and interpretation of DKIM keys and records.

Key considerations

  • Publish DKIM Keys: Always ensure that DKIM keys are correctly published to the DNS.
  • DNS Record Accuracy: Verify the accuracy and format of DKIM DNS records.
  • Message Integrity: Implement measures to prevent message alteration during transit.
  • Key Strength: Use strong DKIM keys that meet or exceed minimum length requirements.
Technical article

Documentation from Microsoft advises that if your DKIM keys do not meet the minimum key length requirements, DKIM validation will fail. Make sure you use strong DKIM keys of at least 1024 bits when you set up DKIM.

November 2021 - Microsoft
Technical article

Documentation from RFC Editor (RFC 6376) details the exact format specifications for DKIM keys and records, including the 'v', 'k', 'p', and 'h' tags and their meanings.

April 2022 - RFC Editor
Technical article

Documentation from Google Workspace Admin Help explains that DKIM can fail if the DKIM key isn't published, the DNS record is incorrect, or the message is altered in transit.

June 2024 - Google Workspace Admin Help
Technical article

Documentation from Cloudflare advises the DKIM record should be a TXT record containing the DKIM key. The name should include the selector (e.g., `selector._domainkey.subdomain.example.com`).

March 2021 - Cloudflare