How to Diagnose DKIM Signing Issues in Cold Email Setups
DKIM has two parts: the DNS record (public key) and the signing process (private key). Issues can occur at either end. Here's how to isolate which one is broken.
Your DKIM is not passing in email headers. Or it passes inconsistently. Or it passes for some sending services but not others. You have a DKIM record in DNS but something is wrong with the signing process.
DKIM's two parts
DKIM has two parts: the DNS record (public key) and the signing process (private key). Both need to be correct and aligned: the selector and private key the server signs with must correspond to the selector and public key published in DNS. Issues can occur at either end, and the two most common problems are a published DNS record with no signing enabled on the server, and a signing configuration that uses a different selector than the one in DNS.
Common DKIM signing issues
1. DNS record published but signing not enabled
Publishing the public key in DNS is step one. The sending server must be configured to sign outgoing messages with the corresponding private key. In Google Workspace, enable DKIM in the Admin console. In Microsoft 365, enable DKIM signing in the Exchange admin center under the DKIM section — not just the DNS records.
2. Selector mismatch
DKIM uses selectors to look up the correct public key. If your DNS record is published at selector1._domainkey.yourdomain.com but your sending server is signing with selector2, the verification fails.
3. Key rotation without DNS update
If you regenerate your DKIM keys, the new public key must be published in DNS. Until it is, all signatures made with the new private key fail verification. This is one of the most common causes of sudden DKIM failures.
4. Outreach tool signing with its own domain
Some outreach tools sign messages with their own DKIM key by default. The email "passes" DKIM for the tool's domain, but it does not pass DKIM for your domain. This means DMARC alignment fails because the DKIM d= domain does not match your From header domain.
Step-by-step diagnosis
Step 1: Check the DKIM-Signature header
Send a test email to a Gmail account and check the original headers. Look for the DKIM-Signature header. Note the d= value (signing domain) and the s= value (selector). If there is no DKIM-Signature header at all, your sending server is not signing.
Step 2: Verify the DNS record exists for that selector
Use the DKIM checker: enter your domain and leave the selector blank for auto-discovery. It will check all common selectors, including google, selector1, selector2, and others. If the key is found, verify that it is valid and that it is a 2048-bit key.
Step 3: Check the d= value against your From header domain
If the d= value doesn't match your From header domain, you have an alignment issue that will cause DMARC to fail even though DKIM passes for the tool's domain.
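The three diagnosis steps above, carried out on a raw message, as an added example that is not part of the original article. It pulls d= and s= from the DKIM-Signature header (Step 1), derives the DNS name the key must be published at (Step 2), and compares d= with the From header domain under strict and relaxed alignment (Step 3). The sample messages, the domain names, and the two-label approximation of the organizational domain are all constructed assumptions for the demonstration.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample (not a real capture): an outreach tool signed the message
# with its own domain, so d= does not match the From header domain.
SAMPLE_TOOL_SIGNED = """From: Alice <alice@yourdomain.example>
To: test@gmail.com
Subject: test
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outreachtool.example;
 s=ot1; h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ==
Message-ID: <1@yourdomain.example>

hello
"""
SAMPLE_UNSIGNED = "From: alice@yourdomain.example\nSubject: t\n\nhello\n"

def parse_dkim_tags(value):
    """Split a 'k=v; k=v' DKIM tag list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def org_domain(domain):
    """Assumption: the last two labels approximate the organizational domain
    (real DMARC relaxed alignment uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def diagnose(raw):
    """Apply Steps 1-3 to one raw message and report what each one finds."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    sigs = [parse_dkim_tags(str(h)) for h in msg.get_all("DKIM-Signature", [])]
    if not sigs:  # Step 1: no DKIM-Signature header means the server is not signing
        return {"status": "not-signed", "from_domain": from_dom, "signatures": []}
    checks = []
    for t in sigs:
        d, s = t.get("d", "").lower(), t.get("s", "")
        checks.append({
            "d": d, "s": s,
            "dns_name": f"{s}._domainkey.{d}",  # Step 2: where the public key must live
            "strict": d == from_dom,             # Step 3: exact From-domain match
            "relaxed": org_domain(d) == org_domain(from_dom),
        })
    status = "aligned" if any(c["relaxed"] for c in checks) else "misaligned"
    return {"status": status, "from_domain": from_dom, "signatures": checks}
```

A "misaligned" result with a d= that belongs to your tool vendor is the failure mode described in issue 4 above; an unsigned result points at issue 1.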
The fix path
If signing is not enabled, enable it in your email provider's admin console.
If the key was rotated, publish the new public key in DNS at the correct selector.
If your outreach tool signs with its own domain, configure it to sign with your domain instead. This usually requires adding DKIM DNS records that the tool provides and enabling custom DKIM in the tool's settings.
After fixing, verify with the placement test — don't assume DNS changes took effect immediately.
Repair or replace?
DKIM issues are always repairable through DNS and sending server configuration. No infrastructure replacement needed.
Run the checks first
Before replacing anything, run a free inbox placement test. You might find the issue is DNS, not the domain — and save yourself a week of unnecessary work.