
No DKIM Selectors Found

Domain Guarddog checked for common DKIM selectors on your domain but didn't find any. This could mean DKIM isn't configured, or your domain uses uncommon selector names. Here's how to determine which case applies and how to fix it.

What this result means

Domain Guarddog scans your domain's DNS for DKIM public keys by checking a list of commonly used selector names (such as google, selector1, selector2, s1, s2, k1, default, and others). If none of these returned a valid DKIM record, you're seeing this warning.

⚠️
Important limitation: DKIM selectors can be any arbitrary string. Unlike SPF and DMARC (which have fixed DNS locations), there is no standard way to discover all DKIM selectors for a domain. Domain Guarddog checks the most common ones, but your domain may use a custom or uncommon selector that wasn't checked.

There are two possibilities when no common selectors are found:

🚨

DKIM is not configured

Your domain doesn't have any DKIM keys published in DNS. Emails sent from your domain are not being signed with DKIM, which weakens your email authentication and may impact deliverability.

🔍

DKIM uses uncommon selectors

Your domain does have DKIM configured, but the selector names are unique or provider-specific strings that aren't in the common list Domain Guarddog checks. Your DKIM may be working fine.

The best way to determine which case applies is to check the headers of an email sent from your domain, as described in the next section.

How to check if DKIM is actually configured

The most reliable way to confirm whether DKIM is active on your domain is to inspect the headers of an email you've sent. The email headers will show the exact selector being used and whether DKIM verification passed.

1. Send a test email

Send an email from your domain to a Gmail account (or another provider that shows full authentication results in headers).

2. View the original message headers

In Gmail, open the email, click the three-dot menu in the top right, and select "Show original." In Outlook, open the message properties to view the full internet headers.

3. Search for "DKIM-Signature"

Look for a DKIM-Signature header in the email. If present, your mail server is signing emails with DKIM. The s= tag shows the selector name being used.

4. Check the Authentication-Results header

Look for the Authentication-Results header. A result of dkim=pass confirms DKIM is fully working. A result of dkim=fail or no DKIM mention means there's a problem.

What a DKIM-Signature header looks like

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=myselector;
    h=from:to:subject:date:message-id;
    bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
    b=AuUoFEfDxTDkHlLXSZEpZj79LICEps6eda7W3deTVFOk...

In this example, s=myselector tells you the selector name is myselector. If you find a DKIM-Signature header, your DKIM is configured — Domain Guarddog simply didn't check for that particular selector name.

What the Authentication-Results header looks like

Authentication-Results: mx.google.com;
    dkim=pass header.i=@example.com header.s=myselector header.b=AuUoFEfD;
    spf=pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender);
    dmarc=pass (p=REJECT) header.from=example.com

💡
If you find no DKIM-Signature header, then DKIM is genuinely not configured for your domain. Follow the setup guides below to enable it. Without DKIM, your emails are more vulnerable to spoofing and less likely to reach inboxes.
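
The header check described in this section, as an added Python example (not Domain Guarddog's own code): it lists each signing selector in a raw message with the DNS name where its key should be published, and reports the dkim= verdict only from the Authentication-Results header written by the receiving server. The message is constructed, and RAW_MESSAGE, parse_tags, dkim_report and the authserv_id parameter are names chosen for this illustration.

```python
import re
from email import message_from_string

# Constructed sample message; the second Authentication-Results header was
# not written by the receiving server and must be ignored.
RAW_MESSAGE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=myselector header.b=AuUoFEfD
Authentication-Results: relay.sender.invalid; dkim=fail
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=myselector;
       h=from:to:subject:date:message-id;
       bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
       b=AuUoFEfDxTDkHlLXSZEpZj79LICEps6eda7W3deTVFOk
From: sender@example.com
Subject: DKIM test

body
"""

def parse_tags(value):
    """Split a DKIM tag list ("v=1; a=...") into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_report(raw, authserv_id):
    """Return the selectors a message was signed with and the receiver's DKIM verdicts."""
    msg = message_from_string(raw)
    signatures = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        if "s" in tags and "d" in tags:
            # The public key for this signature lives at <selector>._domainkey.<domain>.
            signatures.append({"selector": tags["s"], "domain": tags["d"],
                               "dns_name": f"{tags['s']}._domainkey.{tags['d']}"})
    verdicts = []
    for header in msg.get_all("Authentication-Results", []):
        server, _, rest = header.partition(";")
        # Only trust results stamped by the receiving server itself.
        if server.strip().lower() == authserv_id.lower():
            verdicts += re.findall(r"\bdkim=(\w+)", rest)
    return {"signatures": signatures, "verdicts": verdicts}
```

Calling dkim_report(RAW_MESSAGE, "mx.google.com") returns the selector myselector, the DNS name myselector._domainkey.example.com, and the single verdict pass.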

Set up DKIM: Google Workspace

If your domain uses Google Workspace (Gmail) for email, follow these steps to enable DKIM signing:

1. Open the Google Admin console

Go to admin.google.com and navigate to Apps → Google Workspace → Gmail → Authenticate email.

2. Generate a DKIM key

Select your domain and click "Generate new record." Choose 2048-bit key length if your DNS provider supports records longer than 255 characters (most do). The default selector prefix is google.

3. Add the DNS record

Add the TXT record that Google provides to your domain's DNS:

Host: google._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

4. Enable DKIM signing

Wait for DNS propagation (up to 48 hours, usually much faster), then return to the Google Admin console and click "Start authentication." Google will verify the DNS record and begin signing outgoing emails.

💡
Don't forget to start authentication. A common mistake is adding the DNS record but not clicking "Start authentication" in the Admin console. Until you do this, Google won't sign your outgoing emails.

Set up DKIM: Microsoft 365

Microsoft 365 uses a CNAME-based approach that allows automatic key rotation. Follow these steps to enable DKIM:

1. Add CNAME records to your DNS

Add two CNAME records that point to Microsoft's DKIM infrastructure. Replace yourdomain-com with your domain (dots replaced with dashes) and yourtenantname with your Microsoft 365 tenant name.

Host: selector1._domainkey
Type: CNAME
Value: selector1-yourdomain-com._domainkey.yourtenantname.onmicrosoft.com

Host: selector2._domainkey
Type: CNAME
Value: selector2-yourdomain-com._domainkey.yourtenantname.onmicrosoft.com

2. Enable DKIM in Microsoft 365 Defender

Go to the Microsoft 365 Defender portal (security.microsoft.com) → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM.

3. Toggle DKIM signing on

Select your domain and toggle "Sign messages for this domain with DKIM signatures" to enabled. Microsoft will verify the CNAME records and begin signing.

💡
Microsoft handles key rotation automatically. Because the CNAME records point to Microsoft's infrastructure, they can rotate the underlying DKIM keys without requiring you to update DNS records. This is a significant advantage over TXT-based DKIM setups.

Set up DKIM: Generic / custom mail server

If you run your own mail server (Postfix, Exim, etc.) or use a provider not covered above, you'll need to generate a DKIM key pair manually and configure your server to sign outgoing emails.

1. Generate a DKIM key pair

Use OpenDKIM (or a similar tool) to generate a 2048-bit RSA key pair. The -s flag sets the selector name and -d sets the domain:

opendkim-genkey -s mail -d example.com -b 2048

This creates two files: mail.private (the private key for your server) and mail.txt (the DNS record to publish).

2. Publish the public key in DNS

Add the contents of the generated .txt file as a TXT record in your domain's DNS. The record should be at mail._domainkey.example.com (or whatever selector name you chose):

Host: mail._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

3. Configure your mail server to sign emails

Install and configure OpenDKIM (or an equivalent milter) on your mail server. Point it to the private key file and configure your MTA (e.g., Postfix) to use it as a mail filter for outgoing messages.

4. Test and verify

Send a test email and check the headers (as described above) to confirm that emails are being signed and that DKIM verification passes.

⚠️
Secure your private key. The private key file should have restricted permissions (e.g., chmod 600) and be readable only by the mail server process. Never share, email, or commit private keys to version control. If compromised, attackers can forge DKIM-signed emails from your domain.

How to verify DKIM is working

After setting up DKIM, verify that your configuration is correct by testing the DNS record and sending a test email.

Query the DNS record directly

Use dig (Linux/macOS) or nslookup (Windows) to verify that your DKIM public key is published:

# For a TXT record (e.g., Google Workspace with selector "google"):
dig TXT google._domainkey.example.com +short

# For a CNAME record (e.g., Microsoft 365):
dig CNAME selector1._domainkey.example.com +short

On Windows:

nslookup -type=TXT google._domainkey.example.com
nslookup -type=CNAME selector1._domainkey.example.com

A successful response for a TXT record will contain v=DKIM1 and a p= tag with the public key data. A successful CNAME response will show the target hostname of your provider's DKIM infrastructure.
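
One way to automate the TXT check above, as an added Python example (not Domain Guarddog's own code): it joins the quoted strings that dig prints for a long record, confirms v=DKIM1 and a non-empty p= tag, and reads the RSA modulus length out of the published key. It assumes the input holds a single TXT record; the sample key is constructed (correct structure, unusable modulus), and all function and constant names are chosen for this illustration.

```python
import base64
import re

MIN_RSA_BITS = 2048  # key length recommended in the setup steps on this page

# Constructed key: correct 2048-bit structure, modulus of all 1-bits. Not a usable key.
SAMPLE_P = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "/" * 340 + "/wIDAQAB"
# dig prints a long TXT record as several quoted strings of at most 255 bytes each.
SAMPLE_DIG = f'"v=DKIM1; k=rsa; p={SAMPLE_P[:200]}" "{SAMPLE_P[200:]}"'

def read_tlv(buf, pos):
    """Read one DER element at pos; return (content, offset after it)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the size of the length field
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Walk SubjectPublicKeyInfo down to the RSA modulus and return its bit length."""
    spki, _ = read_tlv(der, 0)
    _, after_alg = read_tlv(spki, 0)        # skip the AlgorithmIdentifier
    bit_string, _ = read_tlv(spki, after_alg)
    rsa_key, _ = read_tlv(bit_string, 1)    # byte 0 is the "unused bits" count
    modulus, _ = read_tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(dig_output):
    """Return a list of problems in a DKIM TXT record; an empty list means it looks fine."""
    chunks = re.findall(r'"([^"]*)"', dig_output)
    record = "".join(chunks) if chunks else dig_output
    tags = {}
    for part in record.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["v= is present but is not DKIM1"]
    if not tags.get("p"):
        return ["p= is missing or empty, so no usable public key is published"]
    if tags.get("k", "rsa") != "rsa":
        return []  # non-RSA key types are not inspected here
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return ["p= does not decode to an RSA public key"]
    if bits < MIN_RSA_BITS:
        return [f"RSA key is {bits} bits, below {MIN_RSA_BITS}"]
    return []
```

Pass it the text printed by the dig TXT command shown above; a truncated placeholder value such as the ones on this page is reported as not decoding to an RSA key.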

Send a test email and check headers

1. Send an email from your domain

Send a test email to a Gmail, Outlook, or Yahoo account. These providers include detailed authentication results in the email headers.

2. View headers and check for dkim=pass

Open the email, view the original/raw headers, and look for the Authentication-Results header. You should see:

Authentication-Results: mx.google.com;
    dkim=pass header.i=@example.com header.s=google header.b=AuUoFEfD;

If you see dkim=pass, your DKIM configuration is working correctly. If you see dkim=fail or dkim=neutral, there may be a mismatch between the DNS record and the signing configuration on your mail server.

💡
Also set up SPF and DMARC. DKIM works best alongside SPF and DMARC. SPF verifies that emails come from authorized IP addresses, while DMARC ties both protocols together and tells receivers what to do when authentication fails.

Example DKIM DNS records

Here are example DKIM DNS records for the most common setups. Replace the public key data with the actual key provided by your email service or generated by your key tool.

Google Workspace (TXT record)

Host: google._domainkey.example.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
       dG1wFmxMxRVaKSPGCqiX2GtMD20sMYHkfSGBSbFhJNLB
       jf9KpO7JMmqKXYGMETtYC...

Microsoft 365 (CNAME records)

Host: selector1._domainkey.example.com
Type: CNAME
Value: selector1-example-com._domainkey.contoso.onmicrosoft.com

Host: selector2._domainkey.example.com
Type: CNAME
Value: selector2-example-com._domainkey.contoso.onmicrosoft.com

SendGrid (CNAME records)

Host: s1._domainkey.example.com
Type: CNAME
Value: s1.domainkey.u12345.wl.sendgrid.net

Host: s2._domainkey.example.com
Type: CNAME
Value: s2.domainkey.u12345.wl.sendgrid.net

Mailchimp / Mandrill (CNAME record)

Host: k1._domainkey.example.com
Type: CNAME
Value: dkim.mcsv.net

Custom mail server / OpenDKIM (TXT record)

Host: mail._domainkey.example.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
       xYz123abc456def789ghi012jkl345mno678pqr901stu
       234vwx567yzABC890DEF...

⚠️
Don't copy these example keys. The public key values shown above are placeholders. You must use the actual public key generated by your email provider or key generation tool. Using someone else's public key will cause DKIM verification to fail on every email.

For a comprehensive overview of DKIM, including how the protocol works, DKIM-Signature header tags, and common mistakes to avoid, see our complete DKIM guide.
