DKIM Record Not Found: Causes, Diagnosis, and Fixes
Fix the 'DKIM record not found' error. Learn why DKIM DNS lookups fail, how to diagnose missing records, and step-by-step fixes for common causes.
Last updated: 2026-05-29
The "DKIM record not found" error means a receiving mail server tried to look up your DKIM public key in DNS and came up empty. Without that key, your emails can't be authenticated, which hurts deliverability and may cause messages to land in spam. The good news is that this error almost always comes down to a small configuration mistake that's easy to fix once you know where to look.
Browse all Troubleshooting guides.
How DKIM DNS Lookups Work
When an email arrives with a DKIM signature, the receiving server reads two values from the signature header: the selector (s=) and the domain (d=), as specified in RFC 6376 Section 3.6.2.1. It combines them into a DNS TXT record query following this pattern:
{selector}._domainkey.{domain}
For example, if the selector is google and the domain is example.com, the server looks up:
google._domainkey.example.com
If that DNS query returns nothing, you get the "DKIM record not found" error. Let's look at why that happens.
The Most Common Causes
Wrong selector name
The selector in your DNS doesn't match the one your email service actually uses when signing. Even a single character difference will cause a lookup failure.
Missing _domainkey suffix
The DNS record must include ._domainkey. between the selector and your domain. If you entered just google.example.com instead of google._domainkey.example.com, the lookup will fail.
DNS propagation delay
You just added the record, but DNS changes can take anywhere from a few minutes to 48 hours to spread across the internet. During this window, some servers will see the record and others won't.
Wrong DNS provider or nameservers
Your domain might point to one DNS provider, but you added the DKIM record at a different one. If your nameservers point to Cloudflare but you added the record at your registrar, nobody will see it.
Record added at the wrong level
If you use a subdomain to send email (like mail.example.com), the DKIM record needs to be placed under that subdomain, not the root domain.
TXT vs. CNAME confusion
Some providers ask you to create a CNAME record that points to their DKIM key, while others need a TXT record containing the key directly. Using the wrong record type will make the lookup fail.
Check your provider's instructions first
Every email service has its own DKIM setup steps. Before troubleshooting, double-check the exact instructions from your email provider - the selector name, record type, and host value they specify must match exactly.
How to Diagnose the Problem
Before you can fix a missing DKIM record, you need to confirm what the DNS actually returns. There are two main approaches.
Using Online Lookup Tools
The simplest option is an online DKIM checker. Visit DKIM Creator and use the lookup tool to query your selector and domain. It will tell you whether a record exists and show you its contents - or confirm it's missing.
Using Command-Line Tools
If you're comfortable with a terminal, you can query DNS directly:
# On Mac or Linux
dig TXT selector._domainkey.yourdomain.com
# On Windows
nslookup -type=TXT selector._domainkey.yourdomain.com
Replace selector with your actual selector (like google, selector1, or k1) and yourdomain.com with your domain. If the response is empty or shows NXDOMAIN, the record isn't there.
Not sure what your selector is?
Open a recent email you sent, view the full headers, and look for the DKIM-Signature header. The s= value is your selector.
Step-by-Step Fixes
Verify the correct selector name
Check your email service's DKIM settings or documentation to find the exact selector they use. Compare it character-by-character with what's in your DNS. Common selectors include google for Google Workspace, selector1 for Microsoft 365, and k1 for Mailchimp.
Confirm the full DNS hostname
Make sure the DNS record is at selector._domainkey.yourdomain.com. Many DNS providers automatically append your domain, so you may only need to enter selector._domainkey as the hostname. If you entered the full domain and your provider also appended it, you could end up with selector._domainkey.yourdomain.com.yourdomain.com - which won't work.
Check which DNS provider is active
Look up your domain's nameservers to confirm which DNS provider is authoritative. You can do this with dig NS yourdomain.com or use a WHOIS lookup. Add your DKIM record at the provider those nameservers point to.
Use the correct record type
Check whether your email provider requires a TXT record or a CNAME record. Google Workspace and most self-hosted setups use TXT. Microsoft 365 and some third-party services use CNAME records that point to their own DNS. Using the wrong type will cause the lookup to fail silently.
Place the record at the right domain level
If you send email from a subdomain (like notifications.yourdomain.com), the DKIM record must be placed under that subdomain: selector._domainkey.notifications.yourdomain.com. Placing it under the root domain won't help.
Wait for DNS propagation
If you just added or changed the record, give it time. Check propagation status using a global DNS checker that queries servers in multiple regions. Most records propagate within an hour, but some DNS providers take up to 48 hours.
Quick Reference: Common Mistakes vs. Correct Setup
| Mistake | Correct Setup |
|---|---|
| Selector name `gogle` (typo) | Exact selector from provider, e.g. `google` |
| Host: `google.example.com` | Host: `google._domainkey.example.com` |
| Record added at old DNS provider | Record added at active nameserver provider |
| TXT record when CNAME is required | Record type matching provider instructions |
| Record under root domain for subdomain sender | Record under the sending subdomain |
| Checked 5 minutes after adding | Allow up to 48 hours for full propagation |
Preventing Future DKIM Lookup Failures
Once your record is in place and verified, a few habits will help you avoid this error going forward:
Document your DNS records
Keep a simple list of which selectors you use, which DNS provider hosts them, and when they were last updated. This saves hours of troubleshooting later.
Test after every change
Whenever you update DNS records, send a test email and verify DKIM passes. Don't assume the change worked.
Monitor your authentication results
Use DMARC aggregate reports or an email monitoring service to catch DKIM failures early, before they affect your deliverability.
Check your DKIM record right now
Use DKIM Creator's free lookup tool to verify your record exists and is configured correctly.
Related Articles
References
- RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures
- RFC 1035 — Domain Names - Implementation and Specification
Need to generate a new DKIM key pair? Create one instantly with DKIM Creator.
Generate DKIM keys for free
Create secure 2048-bit DKIM key pairs and get the exact DNS records you need to add. No signup required.
Generate DKIM Keys