How to Diagnose DKIM Signing Issues in Cold Email Setups
DKIM isn't passing or is passing inconsistently. The DNS record exists. But something is wrong with the signing process itself. Here's how to find it.
Your DKIM isn't passing in email headers. Or it passes inconsistently. Or it passes for some sending services but not others. You have a DKIM record in DNS but something is wrong with the signing process.
Why This Happens
DKIM has two parts: the public key published in DNS at selector._domainkey.yourdomain and the signing process on the sending server, which uses the matching private key. Both must be in place, and the published key must be the one that corresponds to the key the server actually signs with. Problems can occur at either end.
Common DKIM signing issues:
The DKIM DNS record is published but the sending server isn't actually signing messages. Publishing the public key in DNS is step one. The sending server must be configured to sign outgoing messages with the corresponding private key. In Google Workspace, this means enabling DKIM in the Admin console. In Microsoft 365, this means enabling DKIM signing in the Exchange admin center. Many people complete the DNS step and skip the server configuration step.
The selector in the DNS record doesn't match the selector the sending server uses. DKIM uses selectors to look up the correct public key. If your DNS record is published at selector1._domainkey.yourdomain.com but your sending server is signing with selector2, the verification fails.
The DKIM key has been rotated but DNS wasn't updated. If you regenerate your DKIM keys, the new public key must be published in DNS. Until it is, every signature made with the new private key fails verification. The safe order is to publish the new key at a new selector first, then switch the signer to that selector, and keep the old selector's record in place until mail signed with the old key has stopped arriving, since messages still in transit are verified against whatever selector they name.
Your outreach tool signs with its own domain, not yours. Some outreach tools sign messages with their own DKIM key by default. The email "passes" DKIM for the tool's domain, but it doesn't pass DKIM for your domain. This means DMARC alignment fails because the DKIM d= domain doesn't match your From header domain.
Step-by-Step Diagnosis
Send a test email to a Gmail account and open the message with Gmail's "Show original" view to see the raw headers. Look for the DKIM-Signature header. Note the d= value (signing domain) and the s= value (selector), and note the dkim= result in the Authentication-Results header that Gmail adds at the top.
If there's no DKIM-Signature header at all, your sending server isn't signing. Go to your email provider or outreach tool and enable DKIM signing.
If the DKIM-Signature header exists but Authentication-Results shows dkim=fail, check that a valid TXT record exists at the name the signature points to: the s= value, then ._domainkey., then the d= domain (for example k1._domainkey.yourdomain.com). Use the DKIM checker, which auto-discovers selectors and confirms whether the key exists and is valid. A record that exists but has an empty p= tag means the key was revoked. If the record is correct and the failure is intermittent, suspect something that modifies the message after it is signed, such as a footer, disclaimer or link-rewriting step downstream of the signer; any change to a signed header or the body invalidates the signature.
Check the d= value against your From header domain. Under DMARC's default relaxed alignment a subdomain of the From domain also counts; under strict alignment the two must match exactly. If they don't align, you have an alignment issue that will cause DMARC to fail. Use the DMARC lookup to confirm which alignment mode your policy requires.
Run a placement test to see the complete end-to-end authentication result including DKIM status from the receiver's perspective.
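The header triage in the steps above, as an added example (not code from this article's author or from any provider named here). It reads the From, DKIM-Signature and Authentication-Results headers of a message, reports the signing domain and selector, whether the signing domain aligns with the From domain for DMARC, which DNS name must carry the public key, and, if you paste in the TXT record you looked up, whether that record actually carries a key. It makes no network lookups, the sample message is constructed for the example, and the organizational-domain check is a simplified last-two-labels assumption rather than the Public Suffix List that real DMARC evaluators use.

```python
"""Triage a DKIM-Signature against the From header and the published record.

Added example for this article; not the article's own tooling. Offline:
the sample message below is constructed, and the DNS record is passed in
as text instead of being looked up.
"""
import email
import re
from email.utils import parseaddr
from typing import Optional

# Constructed sample: an outreach tool signed with its own domain, so the
# receiver reports dkim=pass for the tool's domain but dmarc=fail for the
# From domain. Hash and signature values are placeholders.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@outreach-tool.example header.s=k1 header.b=abc123;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yourdomain.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outreach-tool.example;
 s=k1; h=from:to:subject:date; bh=c2FtcGxlYm9keWhhc2g=; b=c2lnbmF0dXJlYnl0ZXM=
From: Alice <alice@yourdomain.example>
To: bob@example.net
Subject: Quick question

Hi Bob,
"""


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list ('d=foo; s=bar') into a dict.

    Folding whitespace inside values is dropped, as RFC 6376 allows.
    """
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def org_domain(domain: str) -> str:
    """Assumption for this example: organizational domain = last two labels.

    Real DMARC evaluation uses the Public Suffix List, so 'co.uk'-style
    names need a PSL library for a correct answer.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dkim_aligned(signing_domain: str, from_domain: str, strict: bool = False) -> bool:
    """DMARC DKIM alignment: exact match (strict) or same org domain (relaxed)."""
    if strict:
        return signing_domain.lower() == from_domain.lower()
    return org_domain(signing_domain) == org_domain(from_domain)


def triage(raw_message: str, published_record: Optional[str] = None) -> dict:
    """Walk the diagnosis: signed? verified by the receiver? aligned? key published?"""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = {"signed": False, "d": None, "s": None, "from_domain": from_domain,
              "aligned": False, "dns_name": None, "receiver_dkim": None,
              "key_published": None, "diagnosis": ""}

    signatures = [parse_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    if not signatures:
        report["diagnosis"] = "no DKIM-Signature header: the sending server is not signing"
        return report

    # A message may carry several signatures; DMARC needs only one aligned
    # one, so prefer an aligned signature when one exists.
    sig = next((t for t in signatures if dkim_aligned(t.get("d", ""), from_domain)),
               signatures[0])
    report.update(signed=True, d=sig.get("d"), s=sig.get("s"),
                  aligned=dkim_aligned(sig.get("d", ""), from_domain),
                  dns_name=f"{sig.get('s')}._domainkey.{sig.get('d')}")

    # The receiver's verdict (Gmail puts this in Authentication-Results).
    match = re.search(r"\bdkim=(\w+)", msg.get("Authentication-Results", ""))
    report["receiver_dkim"] = match.group(1) if match else None

    # An empty p= tag in the published record means the key was revoked.
    if published_record is not None:
        report["key_published"] = bool(parse_tags(published_record).get("p"))

    if report["receiver_dkim"] not in (None, "pass"):
        report["diagnosis"] = (f"signature present but receiver reports dkim={report['receiver_dkim']}: "
                               f"check the TXT record at {report['dns_name']} and whether anything "
                               "modified the message after it was signed")
    elif report["key_published"] is False:
        report["diagnosis"] = f"record at {report['dns_name']} has no p= key: revoked key or wrong selector"
    elif not report["aligned"]:
        report["diagnosis"] = (f"DKIM passes for {report['d']} but does not align with From domain "
                               f"{from_domain}: DMARC will not pass on DKIM")
    else:
        report["diagnosis"] = "DKIM signed, verified and aligned"
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key:15} {value}")
```

Paste the raw headers from "Show original" in place of the sample, and the record you looked up at the reported dns_name as published_record, to get the same verdicts for a real message.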
The Fix Path
If signing isn't enabled: enable it in your email provider's admin console or your outreach tool's settings.
If the selector is wrong: update either the DNS record or the server configuration to match.
If the key was rotated: publish the new public key in DNS at the selector the signer now uses, and leave the previous selector's record in place until mail signed with the old key is no longer in transit.
If your outreach tool signs with its own domain: configure it to sign with your domain instead. This usually requires adding DKIM DNS records that the tool provides and enabling custom DKIM in the tool's settings.
When to Replace Instead of Repair
DKIM issues are always repairable through DNS and sending server configuration. No infrastructure replacement needed.
Mistakes That Make This Worse
- Publishing DKIM DNS records without enabling signing on the server
- Not checking which domain the DKIM signature uses (d= value)
- Not testing DKIM after making any changes to sending infrastructure
- Assuming DKIM is set up because someone on your team did it months ago without verifying current status
Run the checks first
Before replacing anything, run a free inbox placement test. You might find the issue is DNS, not the domain — and save yourself a week of unnecessary work.