dnswatchdog.io docs

Invalid DKIM Record

The DKIM record contains syntax errors or an invalid public key.

Severity: Critical

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that allows the sender to digitally sign outgoing emails. The sending mail server adds a cryptographic signature to the email header, and the receiving server verifies it using a public key published in the sender's DNS records.

Here's how it works:

  1. When your mail server sends an email, it signs a chosen set of headers plus a hash of the body with a private key
  2. The signature is added to the email as a DKIM-Signature header
  3. The receiving server extracts the selector and domain from the signature
  4. It looks up the DKIM public key at {selector}._domainkey.{domain} in DNS
  5. It uses the public key to verify the signature matches the email content

A DKIM DNS record looks something like:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...

Why this is a problem

An invalid DKIM record means the record has syntax errors, a malformed public key, or missing required fields. This causes:

  • DKIM signature verification to fail for all emails using this selector
  • Emails may be rejected or sent to spam by receiving servers
  • DMARC evaluation will fail for those messages unless SPF also passes with an aligned domain, which it often does not for forwarded mail or mail sent through a third-party service
  • Your domain's email reputation may be negatively affected

What you should do

  • Verify the record starts with v=DKIM1 (the v= tag is optional under RFC 6376, but when present it must be the first tag and its value must be exactly DKIM1)
  • Check that the p= tag holds a complete, valid base64-encoded public key. The usual corruptions are a key truncated when pasted into a DNS console, quotes or spaces inserted by the console, or a record longer than 255 characters that was not split into multiple TXT strings (a 2048-bit RSA key always exceeds 255 characters). An empty p= is not a syntax error: it deliberately revokes the key, so it should only appear on a retired selector
  • Ensure the k= tag (if present) specifies a supported key type: rsa (the default) or ed25519 (RFC 8463)
  • Regenerate the DKIM key pair if the public key is corrupted and no intact copy exists; publish the new key under a new selector so mail already in transit, signed with the old key, still verifies
  • Confirm the record is published at the correct DNS location: {selector}._domainkey.{yourdomain}
  • Test the record using a DKIM validation tool, then send a message to a mailbox you control and confirm its Authentication-Results header reports dkim=pass
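The checks above, and the record layout shown earlier, as a stand-alone validator. This is an added example written for this page, not dnswatchdog.io's own checker; it uses only the Python standard library, and the RSA and ed25519 sample records it builds are constructed placeholders with no real key material. The function names (dkim_record_name, join_txt_strings, parse_tags, rsa_key_bits, validate_dkim_record, sample_rsa_record) are the example's own.

```python
"""Offline checks for a DKIM TXT record (added example, not dnswatchdog.io code).

Tag parsing follows RFC 6376 section 3.6.1. The RSA check walks the DER
SubjectPublicKeyInfo far enough to confirm the rsaEncryption OID and read
the modulus size (RFC 8301 minimums). Sample keys are constructed, not real.
"""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)


def dkim_record_name(selector: str, domain: str) -> str:
    """DNS owner name a verifier queries for this selector/domain pair."""
    return f"{selector}._domainkey.{domain}".rstrip(".")


def join_txt_strings(strings) -> str:
    """TXT RDATA is one or more <=255-byte strings; a long DKIM record is split
    across several and the verifier concatenates them with no separator."""
    return "".join(strings)


def parse_tags(record: str) -> dict:
    """Split a tag=value list; raises ValueError on syntax RFC 6376 forbids."""
    fields = [f.strip() for f in record.split(";")]
    if fields and fields[-1] == "":
        fields.pop()                               # one trailing ';' is permitted
    tags = {}
    for field in fields:
        name, eq, value = field.partition("=")
        name = name.strip()
        if not eq or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError(f"malformed tag {field!r}")
        if name in tags:
            raise ValueError(f"duplicate tag {name}=")
        tags[name] = value.strip()
    return tags


def _der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value at buf[pos:]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data (truncated key?)")
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(spki: bytes) -> int:
    """Modulus size of a DER rsaEncryption SubjectPublicKeyInfo, else ValueError."""
    tag, body, end = _der_tlv(spki)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a single SEQUENCE")
    tag, alg, pos = _der_tlv(body)
    if tag != 0x30 or _der_tlv(alg)[:2] != (0x06, RSA_OID):
        raise ValueError("AlgorithmIdentifier is not rsaEncryption")
    tag, bits, _ = _der_tlv(body, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    tag, rsa, _ = _der_tlv(bits[1:])
    tag2, modulus, _ = _der_tlv(rsa)
    if tag != 0x30 or tag2 != 0x02:
        raise ValueError("RSAPublicKey structure is wrong")
    return int.from_bytes(modulus, "big").bit_length()


def validate_dkim_record(record: str) -> list:
    """Return 'error: ...' / 'warning: ...' strings; [] means the record is usable."""
    problems = []
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return [f"error: syntax, {exc}"]
    if "v" in tags:                                # optional, but must be first and DKIM1
        if tags["v"] != "DKIM1":
            problems.append(f"error: v={tags['v']!r}, must be DKIM1")
        if next(iter(tags)) != "v":
            problems.append("error: v= must be the first tag")
    k = tags.get("k", "rsa")                       # rsa is the default key type
    if k not in ("rsa", "ed25519"):
        problems.append(f"error: unsupported key type k={k}")
    if "h" in tags and "sha256" not in tags["h"].split(":"):
        problems.append("error: h= does not allow sha256 (sha1 is no longer permitted)")
    if "y" in tags.get("t", "").split(":"):
        problems.append("warning: t=y testing flag set; verifiers treat signatures as if unsigned")
    if "p" not in tags:
        return problems + ["error: required p= tag is missing"]
    if tags["p"] == "":
        return problems + ["warning: p= is empty, which revokes the key; keep only for retired selectors"]
    try:                                           # RFC 6376: whitespace inside p= is ignored
        raw = base64.b64decode(re.sub(r"\s+", "", tags["p"]), validate=True)
    except ValueError as exc:                      # binascii.Error is a ValueError subclass
        return problems + [f"error: p= is not valid base64 ({exc})"]
    if k == "rsa":
        try:
            bits = rsa_key_bits(raw)
        except (ValueError, IndexError) as exc:
            problems.append(f"error: p= is not a DER rsaEncryption SubjectPublicKeyInfo ({exc})")
        else:
            if bits < 1024:
                problems.append(f"error: RSA modulus is {bits} bits, below the 1024-bit minimum")
            elif bits < 2048:
                problems.append(f"warning: RSA modulus is {bits} bits; 2048 is the recommended size")
    elif k == "ed25519" and len(raw) != 32:
        problems.append(f"error: ed25519 p= must be 32 raw bytes, got {len(raw)}")
    return problems


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_rsa_record(bits: int = 2048) -> str:
    """CONSTRUCTED sample: structurally valid SPKI with a placeholder modulus (not a real key)."""
    modulus = b"\x00" + b"\xC3" * (bits // 8)             # leading 0x00 keeps the INTEGER positive
    rsa_pub = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")   # rsaEncryption with NULL parameters
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    good = sample_rsa_record()
    chunks = [good[i:i + 255] for i in range((0), len(good), 255)]  # how DNS carries a long record
    print(dkim_record_name("s1", "example.com"), validate_dkim_record(join_txt_strings(chunks)))
    # The page's own (truncated) example prefix decodes as base64 but is not a complete key:
    print(validate_dkim_record("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN"))
```

The checker is deliberately stricter than a verifier: a verifier only needs the key to load, while an operator also wants to know the key is shorter than recommended, still in testing mode, or published as a revocation. To run it against a live record, fetch the TXT strings with your resolver and pass them through join_txt_strings before validate_dkim_record.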
