
DKIM Management for MSPs: Common Problems and Fixes

Six DKIM problems MSPs encounter most often — and the field-tested fix for each.

01

Introduction

DKIM is the more durable half of email authentication: a valid signature survives the forwarding hops that break SPF. But it has its own operational problems. This article catalogs the six MSPs see most often and the fix for each.

02

Why this topic matters

Most DKIM-related support tickets fall into a small set of recurring patterns. Knowing each by name compresses diagnosis from hours to minutes.

03

Problem 1: Default platform DKIM (signing with vendor domain)

Symptom: Aggregate reports show dkim=pass, but the signing domain (the d= tag in DKIM-Signature) is the platform's, not your client's. The signature itself is valid; DMARC fails because d= does not align with the From: domain.

Fix: Enable custom DKIM at the platform so it signs with d= set to the client's domain. This usually means publishing a CNAME or TXT record the platform supplies at <selector>._domainkey.<client domain>. Most major SaaS senders support this; check the platform's docs.

04

Problem 2: Selector confusion

Symptom: The sender claims DKIM is enabled, but verification fails. The selector in the DKIM-Signature header's s= tag has no matching record in DNS, or the d= tag names a different domain than the one the record was published under.

Fix: Take s= and d= from the header and query exactly that name: dig +short TXT <selector>._domainkey.<domain>. An empty answer, or a record that only exists under a different selector, is the problem; publish the public key at the name the signer actually uses.

05

Problem 3: Key too short

Symptom: Some receivers flag or downgrade messages signed with 1024-bit keys, and keys shorter than 1024 bits are rejected outright (RFC 8301 forbids verifiers from accepting them).

Fix: Generate 2048-bit RSA keys, the size RFC 8301 recommends for signers, and rotate every 1024-bit selector. Publish the new key under a new selector name rather than overwriting the old record in place, so mail already in transit still verifies.

06

Problem 4: TXT record format

Symptom: DNS shows the record but verification fails. A 2048-bit public key makes the record about 400 characters, longer than the 255-byte limit on a single TXT character-string, so it has to be published as several strings that the verifier concatenates with no separator. Typical breakage: the record truncated at 255 characters by the provider's UI, literal quote characters stored as part of the value, or the pieces published as separate TXT records instead of one multi-string record.

Fix: Some DNS providers handle multi-string TXT awkwardly; some split long values automatically, others expect you to paste the quoted strings yourself. Query the record with dig, re-join the strings, and compare the p= value character for character with the public key the signer holds, or run it through a checker. Re-publish if it differs.

07

Problem 5: Forwarder breaking signature

Symptom: DKIM fails on mailing-list or forwarded mail despite being valid at origin.

Fix: A plain forward that leaves the message untouched keeps the signature valid; what breaks it is modification in transit, typically a mailing list tagging the Subject or appending a footer. SPF usually fails on the same message as well, because the forwarder's server is not in the client's SPF record, so DMARC cannot fall back to it. Sign with relaxed canonicalization (c=relaxed/relaxed) so whitespace-only changes survive, ask the list operator to rewrite From: or re-sign with its own domain, or rely on receivers that honour ARC (RFC 8617), which lets a forwarder vouch for the authentication result it saw. Otherwise accept the failure, knowing that p=quarantine or p=reject will affect that mail.
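
Which in-transit changes break a DKIM signature is decided by the body canonicalization named in the c= tag. The following is an added example, not code from the page; it implements the simple and relaxed body canonicalization rules of RFC 6376 section 3.4 with the standard library, computes the bh= body hash a signer would place in the header, and runs two constructed cases: a whitespace-only rewrap and a mailing-list footer. Header canonicalization and the h= list are outside its scope, so a Subject tag added by a list is not covered here.

```python
import base64
import hashlib
import re

def canon_body(body, mode):
    """Body canonicalization, RFC 6376 s3.4.3 (simple) and s3.4.4 (relaxed)."""
    body = body.replace("\r\n", "\n")
    if mode == "relaxed":                      # collapse WSP runs, strip trailing WSP per line
        body = "\n".join(re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\n"))
    body = body.rstrip("\n") + "\n"            # both modes drop trailing empty lines, keep one CRLF
    return body.replace("\n", "\r\n").encode()

def body_hash(body, mode):
    """The bh= value a signer puts in DKIM-Signature for a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def survives(original, modified, mode):
    """True if the bh= computed at origin still matches what a verifier recomputes."""
    return body_hash(original, mode) == body_hash(modified, mode)

# CONSTRUCTED bodies: the same message after a whitespace-only rewrap, and after a list footer.
ORIGINAL = "Hi team,\r\n\r\nInvoice attached.\r\n"
REWRAPPED = "Hi  team,   \r\n\r\nInvoice attached. \r\n\r\n\r\n"
FOOTERED = ORIGINAL + "\r\n--\r\nYou received this via the project list.\r\n"
```

survives(ORIGINAL, REWRAPPED, "relaxed") is True while the simple mode returns False, which is the argument for signing with c=relaxed/relaxed; the footer case fails under both modes, which is why a footer-adding list needs re-signing or ARC rather than a canonicalization change.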

08

Problem 6: Key not rotated for years

Symptom: Compliance audit flags stale keys; security review questions key age.

Fix: Rotate annually, and use the dual-publish pattern to avoid downtime: publish the new public key under a fresh selector, wait for the TTL to pass so every resolver can see it, switch the signer to the new selector, keep the old selector published until mail signed with it has stopped arriving (a few days), then revoke it by publishing an empty p= or deleting the record. Never overwrite a live selector's record in place; mail still in transit would fail.
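
The DNS side of that rotation, as an added example that is not part of the original article. It assumes the new public key is the PEM that openssl rsa -pubout writes; the PEM body is already the base64 SubjectPublicKeyInfo the p= tag carries, so no re-encoding is needed. The script splits the record into 255-byte TXT strings (the Problem 4 pitfall), refuses to reuse a selector that is still live, and emits the revocation record for the old selector. The sample PEM is a constructed placeholder of the right shape, not a real key.

```python
import re

def pem_to_p(pem):
    """Strip the PEM armor from `openssl rsa -pubout` output: the body is already the
    base64 SubjectPublicKeyInfo that the p= tag carries (RFC 6376 s3.6.1)."""
    return "".join(ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----"))

def txt_strings(record, limit=255):
    """Split into the <=255-byte character-strings a TXT RR requires; verifiers re-join
    them with no separator (RFC 6376 s3.6.2.2), so the split point does not matter."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]

def zone_line(name, strings, ttl=3600):
    """BIND-style RR with one quoted string per chunk, the form `dig` shows back."""
    return f"{name}. {ttl} IN TXT " + " ".join(f'"{s}"' for s in strings)

def rotation_records(domain, old_selector, new_selector, new_pubkey_pem, published):
    """Dual-publish rotation. `published` is the set of selectors currently in DNS.
    Returns the record to publish now and the revocation record to publish only after
    the signer has switched and mail signed with the old key has stopped arriving."""
    if new_selector == old_selector or new_selector in published:
        raise ValueError("use an unused selector: overwriting a live key fails in-flight mail")
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]*", new_selector):
        raise ValueError("selector must be a valid DNS name fragment")
    new_name = f"{new_selector}._domainkey.{domain}"
    old_name = f"{old_selector}._domainkey.{domain}"
    new_record = "v=DKIM1; k=rsa; p=" + pem_to_p(new_pubkey_pem)
    return {
        "publish_now": {new_name: txt_strings(new_record)},
        "revoke_after_cutover": {old_name: ["v=DKIM1; p="]},   # empty p= means revoked
    }

# CONSTRUCTED sample: the SPKI prefix every 2048-bit RSA public key shares, followed by
# placeholder characters and wrapped the way OpenSSL does. Right shape, not a real key.
PLACEHOLDER_B64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "x" * 348
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(PLACEHOLDER_B64[i:i + 64] for i in range(0, len(PLACEHOLDER_B64), 64))
              + "\n-----END PUBLIC KEY-----\n")
```

Call rotation_records("client.example", "s1", "s2", SAMPLE_PEM, {"s1"}) and feed each name through zone_line to get the text to paste; publish only the publish_now entry first, and hold the revoke_after_cutover entry until the drain period has passed.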

09

Step-by-step approach for any DKIM issue

  1. Identify the sender from the source IP in aggregate reports.
  2. Verify the DKIM-Signature header in a test message.
  3. Look up the public key at the claimed selector.
  4. Map to one of the six problems above.
  5. Apply the named fix.
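
Steps 2 to 5 of that procedure, and Problems 1 to 4 above, can be checked by one script. The following is an added example, not code from the article: it parses the DKIM-Signature tag list and the From: domain from a message, builds the <selector>._domainkey.<domain> name, re-joins a multi-string TXT answer the way a verifier does, reads the RSA modulus size out of the p= tag with a small DER walker, and maps what it finds to one of the first four problem numbers. Everything runs offline: the messages and the DNS answers are constructed inline, and the "public keys" are made-up moduli wrapped in real SubjectPublicKeyInfo encoding, which is enough for a size check but not usable keys. The relaxed-alignment test is an approximation (assumption: it treats a subdomain as aligned without consulting the Public Suffix List).

```python
import base64
import binascii
import re

# --- minimal DER helpers; the encoder exists only to build the constructed sample keys ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content
def der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return der(0x02, b"\x00" + body if body[0] & 0x80 else body)  # keep INTEGER positive
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id rsaEncryption

def fake_spki_b64(bits):
    """SubjectPublicKeyInfo around a MADE-UP modulus of the given size. Constructed
    test data only: the modulus is not a product of primes, so this is not a usable key."""
    rsa_key = der(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    alg = der(0x30, RSA_OID + b"\x05\x00")
    return base64.b64encode(der(0x30, alg + der(0x03, b"\x00" + rsa_key))).decode()

def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV at pos; rejects truncated data."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + ln], pos + ln

def rsa_key_bits(p_b64):
    """Modulus size of a p= value (base64 SubjectPublicKeyInfo, RFC 6376 s3.6.1)."""
    _, spki, _ = der_read(base64.b64decode(p_b64))
    _, _, after_alg = der_read(spki)                 # skip AlgorithmIdentifier
    _, bitstr, _ = der_read(spki, after_alg)         # BIT STRING; byte 0 = unused-bit count
    _, rsa_key, _ = der_read(bitstr[1:])             # RSAPublicKey SEQUENCE
    _, modulus, _ = der_read(rsa_key)                # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()

# --- header and DNS record parsing ---
def header(msg, name):
    unfolded = re.sub(r"\r?\n[ \t]+", " ", msg)      # join folded header lines
    m = re.search(rf"^{name}:[ \t]*(.*)$", unfolded, re.I | re.M)
    return m.group(1) if m else None
def parse_tags(value):
    """tag=value list (RFC 6376 s3.2); whitespace inside a value is insignificant."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags
def txt_record(strings):
    """Re-join a multi-string TXT answer exactly as verifiers do: with no separator."""
    return "".join(strings)
def from_domain(msg):
    return header(msg, "From").rsplit("@", 1)[1].strip("> ").lower()
def aligned(d, from_dom):
    """Relaxed DMARC alignment, approximated as 'same domain or a subdomain of it'
    (assumption: a full implementation compares organizational domains via the PSL)."""
    return d == from_dom or d.endswith("." + from_dom)

def triage(msg, dns):
    """Steps 2-5 of the procedure: returns (problem number or None, detail)."""
    sig = parse_tags(header(msg, "DKIM-Signature") or "")
    d, s = sig.get("d", "").lower(), sig.get("s", "")
    if not aligned(d, from_domain(msg)):
        return 1, f"d={d} does not align with From: domain {from_domain(msg)}"
    name = f"{s}._domainkey.{d}"                     # the name `dig +short TXT` queries
    if name not in dns:
        return 2, f"no TXT record at {name}"
    tags = parse_tags(txt_record(dns[name]))
    if "p" not in tags or '"' in tags["p"]:
        return 4, f"record at {name} has no usable p= tag"
    try:
        bits = rsa_key_bits(tags["p"])
    except (ValueError, IndexError, binascii.Error):
        return 4, f"p= at {name} is not a complete base64 DER key (truncated?)"
    if bits < 2048:
        return 3, f"{name} key is only {bits} bits"
    return None, f"{name}: {bits}-bit key, aligned with From:"

# --- constructed sample data: signed messages and the TXT answers dig would return ---
def sample_msg(d, s):
    """CONSTRUCTED message; bh= and b= are placeholders, not real signature values."""
    return (f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={d};\n"
            f"  s={s}; h=from:to:subject; bh=placeholder=;\n  b=placeholder==\n"
            'From: "Client" <billing@client.example>\nTo: x@example.net\n\nbody\n')
K2048, K1024 = fake_spki_b64(2048), fake_spki_b64(1024)
def chunk(rec, n=255):                               # how a correctly published record is stored
    return [rec[i:i + n] for i in range(0, len(rec), n)]
DNS = {
    "s1._domainkey.client.example": chunk("v=DKIM1; k=rsa; p=" + K2048),
    "legacy._domainkey.client.example": chunk("v=DKIM1; k=rsa; p=" + K1024),
    "cut._domainkey.client.example": [("v=DKIM1; k=rsa; p=" + K2048)[:255]],  # UI truncated it
    "k1._domainkey.mailer-platform.example": chunk("v=DKIM1; k=rsa; p=" + K2048),
}
```

triage(sample_msg("mailer-platform.example", "k1"), DNS) returns Problem 1, an unknown selector returns 2, the legacy selector returns 3, the truncated record returns 4, and the s1 selector returns None with the key size. In production the dns argument is whatever your resolver returns for the TXT query, as a list of strings per name; the rest of the flow is unchanged.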

10

Best practices

  • Distinct selector per sender platform.
  • 2048-bit minimum.
  • Annual rotation calendar.
  • Custom DKIM at every supported SaaS sender.
  • Document selectors and rotation history per client.

11

Audit your client base for the six problems. Most clients have at least one. Most are a 30-minute fix; only the forwarding case depends on a third party.

12

FAQ

Should I use 4096-bit keys?

Not necessary; 2048-bit is the current standard and the largest size RFC 8301 requires verifiers to support. A 4096-bit record runs to roughly 750 characters, which some provider UIs cannot store, and it pushes the DNS response past the classic 512-byte UDP payload, so it depends on EDNS0 or TCP fallback.

What's the average lifespan of a DKIM key?

Annual rotation is the recommended practice. Many keys live longer than that, increasing risk slowly.

Can I share one DKIM key across multiple senders?

Don't. Each sender platform should have its own selector and key, so that rotating or revoking one sender's key (after a compromise, for instance) does not take the others offline.

How do I rotate keys for a sender I don't control?

Most SaaS platforms hold the private key and expose a key-rotation flow in their admin UI; trigger it there, and update the client's DNS if the platform issues a new selector or record. Platforms that delegate via CNAME can rotate behind the CNAME with no DNS change on your side.

What about hybrid sending (on-prem + cloud)?

Each environment signs with its own selector and key under the client's domain: one selector for the on-prem servers, another for the cloud tenant. Both align for DMARC, and either can be rotated without touching the other.

13

Final thoughts

DKIM management is mostly about pattern recognition. The six problems above account for nearly every issue MSPs see. Catalog them, train the team, and DKIM operational work stays manageable.

Ready to Implement?

Get authenticated mail moving in minutes — start free, book a guided demo, or talk to the team about your stack.