How to fix a missing DKIM record
Your domain has no DKIM record, which means outgoing email from your domain is not cryptographically signed. Without DKIM, receiving servers cannot verify the message came from where it claims. DKIM setup is specific to your email provider — Resend, Postmark, Google Workspace, etc. all give you the exact DNS records to add. The fix is to enable DKIM in your provider's dashboard and paste their TXT records into your DNS.
Why it matters
DKIM is the cryptographic part of email authentication. SPF says which IPs can send. DMARC says what to do on failure. DKIM is what proves the message body was not altered in transit. All three work together.
How to check
1. DKIM selectors vary by provider. Common: `google._domainkey`, `resend._domainkey`, `postmark._domainkey`, `mandrill._domainkey`.
2. Run `dig TXT google._domainkey.your-domain.com +short` (and variations) to find which, if any, exist.
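A script version of that check, added here as an example (it is not code from this page's tool or from any provider): it queries each selector listed above and classifies what `dig` returns, covering a selector published through a CNAME, a key split across several quoted strings, and a revoked key (empty `p=`). The function names and the `check_dkim.sh` file name are illustrative.

```shell
#!/bin/sh
# Selectors named on this page; your provider may use a different one.
SELECTORS="google resend postmark mandrill"

# classify_dkim RAW: prints missing | not-dkim | revoked | ok
# RAW is the output of `dig TXT <selector>._domainkey.<domain> +short`.
classify_dkim() {
    result=missing
    while IFS= read -r line; do
        # TXT data is quoted; an unquoted line is a CNAME target, skip it.
        case "$line" in '"'*) ;; *) continue ;; esac
        # Rejoin a key split over several quoted chunks; also drop
        # backslashes in case the tool printed semicolons as "\;".
        rec=$(printf '%s' "$line" | tr -d '"\\[:space:]')
        case "$rec" in
            v=DKIM1\;*) ;;   # version tag is optional, but must be DKIM1
            v=*) if [ "$result" = missing ]; then result=not-dkim; fi
                 continue ;;  # e.g. an SPF record published at this name
        esac
        case ";$rec;" in
            *";p=;"*) result=revoked ;;       # empty p= means the key is revoked
            *";p="*)  result=ok; break ;;     # public key present
            *) if [ "$result" = missing ]; then result=not-dkim; fi ;;
        esac
    done <<EOF
$1
EOF
    echo "$result"
}

# scan_domain DOMAIN: check every selector in SELECTORS (needs dig + network).
scan_domain() {
    for sel in $SELECTORS; do
        name="$sel._domainkey.$1"
        printf '%-45s %s\n' "$name" "$(classify_dkim "$(dig TXT "$name" +short)")"
    done
}

# Runs only when a domain is given: sh check_dkim.sh your-domain.com
if [ -n "${1:-}" ]; then scan_domain "$1"; fi
```

A result of `missing` for every selector only means none of these four names has a record; a provider that uses a different selector will not be found this way.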
How to fix it
Via your email provider
Open your email provider's dashboard → Domain verification → DKIM. Copy the TXT record(s) they show and add them to your DNS.
Example DKIM record
Your provider gives you the exact selector and value.
Type: TXT
Host: resend._domainkey
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4...
AI prompt
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
Set up DKIM for my domain. First, check my code for which email service I use (resend, postmark, sendgrid, mailgun, google, aws-ses). Tell me where in that provider I find the DKIM records, then tell me exactly what DNS entries to add. After adding, tell me how to verify with `dig`.
FAQ
Frequently asked questions
- I use multiple email services. Do I add DKIM for each?
- Yes. DKIM selectors are per-service. Each one gets its own TXT record at a unique selector.
- Does DKIM affect email deliverability?
- Strongly. Gmail and Yahoo penalize unsigned bulk email. With DKIM + SPF + DMARC correctly set, your deliverability improves dramatically.
Related fix guides
Fix these too
Missing SPF record
Without SPF, anyone can send email that looks like it came from your domain. Here is the one DNS record you need to stop that.
Missing DMARC record
DMARC tells receiving mail servers what to do with email that fails SPF or DKIM — quarantine, reject, or nothing. Here is how to set it up.
Learn the concepts
Glossary
DomainKeys Identified Mail
DKIM is a digital signature on outgoing email, letting receivers verify it came from you and was not tampered with.
Sender Policy Framework
SPF is a DNS record listing which IP addresses are allowed to send email from your domain. The first line of email authentication.
Domain-based Message Authentication, Reporting & Conformance
DMARC tells receiving mail servers what to do with email that fails SPF or DKIM checks. The single most important email security record.