DKIM authentication error
DKIM is not authenticating email.
DKIM fails when the receiving server cannot find or validate the sender's public key selector for the domain that signed the message.
Failure stage
Message sent: the provider attempted to sign or authenticate mail.
Failed first: DKIM selector, public key, or provider-domain alignment does not validate.
DMARC effect: strict DMARC can reject messages when DKIM and SPF alignment are not ready.
DKIM evidence matrix
| Evidence | Likely cause | First check |
|---|---|---|
| No DKIM TXT/CNAME selector supplied | DKIM was never enabled for the provider | Generate DKIM in the active mail provider dashboard. |
| Selector belongs to old provider | Domain moved providers but DNS still has old DKIM | Replace selector records with the current provider's values. |
| DKIM record pasted at root @ | Wrong DNS name | Publish at provider selector, such as selector._domainkey. |
| DKIM passes for provider mail but not WordPress SMTP | WordPress sends through a different provider | Check the SMTP plugin provider and From domain. |
| DMARC rejects with DKIM fail | Authentication not ready for strict policy | Use DMARC monitoring while fixing SPF/DKIM. |
Selector and signing examples
| Evidence | What it means | Correction pattern |
|---|---|---|
| Provider says selector is google, DNS has selector1 | Wrong provider selector is published | Publish the selector issued by the active sender. |
| Record exists at @ | Key is at the wrong DNS name | Move it to selector._domainkey. |
| DKIM passes for Google but fails for WordPress SMTP | WordPress sends through another provider | Enable DKIM for the SMTP provider or change sender path. |
| DNS just changed | Propagation may hide the new key from receivers | Wait for DNS TTL, then retest with the same sender. |
| DMARC rejects only third-party mail | Third-party DKIM/SPF not aligned | Add that provider's DKIM and SPF before strict DMARC. |
Bad DKIM pattern
Provider: Microsoft 365
DNS still contains:
google._domainkey.example.com TXT "v=DKIM1; k=rsa; p=..."
The old selector does not authenticate mail sent by the new provider.
Corrected DKIM pattern
Provider: Microsoft 365
DNS:
selector1._domainkey.example.com CNAME provider-generated-target
selector2._domainkey.example.com CNAME provider-generated-target
This is a pattern to verify, not values to copy. The exact selector and target must come from the active sender.
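The checks in the two tables above can be run against a real message by reading the `s=` and `d=` tags from its DKIM-Signature header and comparing the resulting DNS name with what the zone publishes. The sketch below is an added example, not provider code: the `zone` dictionary stands in for live DNS lookups, the function names and finding codes are hypothetical, the sample signature and key values are constructed, and alignment is approximated without the Public Suffix List.

```python
def parse_tags(value):
    """Parse a DKIM tag=value list (signature header or key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def diagnose(dkim_signature, from_domain, zone):
    """Return (code, detail) findings for one signed message.

    zone maps a DNS name to [(rtype, value)]; it stands in for live lookups.
    """
    tags = parse_tags(dkim_signature)
    selector, d = tags.get("s", ""), tags.get("d", "").lower()
    if not selector or not d:
        return [("NO_SIGNATURE", "header lacks s= or d=")]
    name = f"{selector}._domainkey.{d}"
    suffix = f"._domainkey.{d}"
    findings = []
    if name not in zone:
        findings.append(("SELECTOR_MISSING", name))
        # Key pasted at the root (@) instead of the selector name.
        if any(t == "TXT" and parse_tags(v).get("v") == "DKIM1"
               for t, v in zone.get(d, [])):
            findings.append(("KEY_AT_ROOT", d))
        # Selectors left over from another (possibly old) provider.
        for other in sorted(n for n in zone if n.endswith(suffix)):
            findings.append(("OTHER_SELECTOR", other))
    # Simplified alignment: parent/child domains count as aligned. Real relaxed
    # DMARC alignment compares organizational domains (Public Suffix List).
    f = from_domain.lower()
    if not (f == d or f.endswith("." + d) or d.endswith("." + f)):
        findings.append(("NOT_ALIGNED", f"d={d} vs From {f}"))
    return findings

# Constructed sample data (example.com and the key value are placeholders).
SIG = "v=1; a=rsa-sha256; d=example.com; s=selector1; h=from:to; bh=AAAA; b=BBBB"
OLD_PROVIDER_ZONE = {"google._domainkey.example.com": [("TXT", "v=DKIM1; k=rsa; p=CONSTRUCTED")]}
ROOT_ZONE = {"example.com": [("TXT", "v=DKIM1; k=rsa; p=CONSTRUCTED")]}
FIXED_ZONE = {"selector1._domainkey.example.com": [("CNAME", "provider-generated-target")]}

if __name__ == "__main__":
    for label, zone in [("old provider", OLD_PROVIDER_ZONE), ("root", ROOT_ZONE), ("fixed", FIXED_ZONE)]:
        print(label, diagnose(SIG, "example.com", zone))
```

An `OTHER_SELECTOR` finding only says another selector is published; whether it is stale depends on whether any system still sends through that provider.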
What not to change yet
- Do not tighten DMARC to reject before DKIM is passing.
- Do not copy DKIM values from a blog post; provider keys are domain-specific.
- Do not assume the mailbox provider and WordPress SMTP provider are the same.
- Do not delete old selectors until you know no system still sends through that provider.
Do NOT do this
- Do not regenerate DKIM keys before checking the selector name and DNS host field.
- Do not paste a DKIM key into the SPF record or root TXT field.
- Do not assume mailbox-provider DKIM covers Brevo, Mailgun, Postmark, or WordPress SMTP.
- Do not delete old selectors while old systems may still send legitimate mail.