If DMARC reports show dkim=none or dkim=fail, mail is going out unsigned or with a
broken signature. Here’s how to tell which.
1. Confirm a key is actually published
Run the checker with your selector, or query
<selector>._domainkey.yourdomain.com directly. No record means DKIM isn’t set up for that
selector. Common selectors: google (Workspace), selector1/selector2 (Microsoft 365),
k1 (Mailchimp), dkim.
2. Wrong selector
dkim=none usually means your provider signs with a different selector than the one
published. Check the provider’s DKIM settings for the exact selector and publish that record.
3. Revoked or empty key
If the record exists but p= is empty, the key was revoked. Re-publish the public key
from your provider. Our checker flags this as a hard fail.
4. Key too short
1024-bit keys are weak and increasingly distrusted. If the checker warns about key length, rotate to a 2048-bit key in your provider’s DKIM settings.
5. Body altered in transit
A mailing list or gateway that modifies the message body breaks the existing signature
(dkim=fail). For lists, this is expected — rely on DMARC alignment via SPF instead, or use
ARC-aware forwarding.
Verify a real message with the header analyzer: the
Authentication-Results line should read dkim=pass with a d= domain matching your From domain.
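
The record-side checks in steps 1, 3 and 4 can be scripted once you have the TXT value for a selector. The following is an added example, not the checker's own code: diagnose, rsa_bits and sample_record are hypothetical names, and the sample records are constructed with a filler modulus rather than a real key.

```python
import base64

def parse_tags(txt):
    """Split a DKIM TXT record into tag=value pairs, dropping whitespace in values."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos):  # read one DER element -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(p_b64):
    """Bit length of the RSA modulus in a base64 SubjectPublicKeyInfo (the p= value)."""
    der = base64.b64decode(p_b64, validate=True)
    _, start, _ = _tlv(der, 0)                   # outer SEQUENCE
    _, _, alg_end = _tlv(der, start)             # AlgorithmIdentifier, skipped
    _, bits_start, _ = _tlv(der, alg_end)        # BIT STRING wrapping RSAPublicKey
    _, key_start, _ = _tlv(der, bits_start + 1)  # +1 skips the unused-bits byte
    _, m_start, m_end = _tlv(der, key_start)     # INTEGER modulus
    return int.from_bytes(der[m_start:m_end], "big").bit_length()

def diagnose(txt):
    """Classify the TXT record at <selector>._domainkey.<domain>; None means no record."""
    if not txt:
        return "missing"      # step 1: nothing published for this selector
    tags = parse_tags(txt)
    if tags.get("p") == "":
        return "revoked"      # step 3: empty p= means the key was revoked
    if tags.get("k", "rsa") != "rsa":
        return "not-rsa"      # e.g. k=ed25519; the RSA length check does not apply
    try:
        bits = rsa_bits(tags["p"])
    except (KeyError, ValueError, IndexError):
        return "malformed"    # p= absent, bad base64, or truncated DER
    return "weak-key" if bits < 2048 else "ok"   # step 4: below 2048 bits, rotate

def _der(tag, body):  # encode one DER element (used only to build the samples)
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed record: well-formed DER around a filler modulus, not a usable key."""
    rsa = _der(0x30, _der(0x02, b"\x00" + b"\xc3" * (bits // 8)) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Pass diagnose() the TXT string returned for your selector, or None when the lookup finds no record. It does not cover steps 2 and 5, which depend on the signed message rather than the published key.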