DKIM provides email authentication: it allows a receiving mail server to check whether incoming mail is authentic for the sender domain. DKIM adds a cryptographic signature to every outgoing email, enabling the receiving server to verify the signature and accept the email.
In this case, the receiving email server has not been able to match the DKIM signature, because the DKIM key appears to be invalid, missing or outdated in the public DNS records of domain.com. Please visit DKIMvalidator.com and verify this by carrying out the steps there.
- An external service for DKIM validation (for example DKIMvalidator.com) reports that DKIM is invalid because the public key is not available after DNS lookup.
- The DKIM key is returned by the DNS lookup, but it does not match the DKIM key on the sender email server.
There are several possible causes:
- The DNS service is not configured properly (the domain zone may not be visible to the DKIM validation service).
- The mail domain name in use is not real (e.g. mydomain.com, example.com, etc.).
- DKIM related DNS resource records in the used domain zone are broken or removed.
The following conditions should be met:
- The real domain name should be used to send email.
- The domain should resolve globally to the correct IP. If a different IP is detected in the global DNS search, change the domain's DNS settings.
- The DKIM-related DNS resource records should be inside the domain zone.
- Disable and then re-enable mail signing using DKIM in cPanel.
- Wait for the DNS propagation period. The changes made will be loaded, applied and synchronized by DNS (it may take up to 48 hours, but is usually faster).
- Check your sending server's DKIM configuration at DKIMvalidator.com
If the above actions do not resolve the issue, please send us the valid DKIM check report of DKIMvalidator.com for further action.
Why configure DKIM?
Spammers often send out emails that claim to be from authentic email senders. These emails are mostly sent with an intent to make the recipients view the email, or sometimes to collect sensitive information (passwords, email addresses etc.) from the recipients under the pretext of being a legitimate sender. Two methods that are commonly used by spammers include email spoofing and backscattering.
Email spoofing is a deceptive method used by spammers to make emails appear to be sent from a legitimate domain/ email address that does not belong to them. This is done by forging the email headers to make the message seem legitimate, so that the recipients trust and open the emails.
Spammers follow this approach as it makes more people view the email since the sender appears to be authentic. But, sometimes, it may pose serious consequences if they try to retrieve sensitive information from the user. Spoofed emails can be detected and avoided by configuring SPF and DKIM. If DKIM is configured, the domain name identity associated with each message is validated.
If this DKIM validation fails, such emails are quarantined or rejected, based on the conditions you have set for DKIM validation failures.
Spammers spoof a domain name and send emails using the tampered email address. If the recipient domain rejects the email, it will send bounce messages to the domain that was spoofed.
Consider a case where a spammer has spoofed your email address and sent spam emails to another domain. When these spam emails are sent to invalid email addresses, the recipient domain sends a bounce message to the spoofed domain. This bounce message, instead of being sent to the spammer will be sent to the spoofed domain from which the user is claiming to send the email. The spoofed domain will also be blacklisted by the recipient domain. If DKIM is configured, the authenticity of your domain can be validated and your domain blacklisting can be avoided. In case you're on the receiving end of these spam emails, DKIM can help detect the authenticity of the emails, and those emails that are not genuine will not be delivered to your mailbox.
Email spoofing and backscattering, two methods that are commonly used by spammers, can be prevented to a certain extent by configuring SPF and DKIM for your domain.
How DKIM Works
In the DKIM process, a public key is published as a TXT record in the domain's DNS Manager (the registrar of the domain or the DNS provider). Every outgoing email includes a unique signature generated using the private key for the particular domain. The receiving email server retrieves the public key from DNS and uses it to check the signature made with the private key, which validates the email source. If there is a validation failure, the recipient server may reject the email or classify it as Spam/ Forged email, based on the server behaviour.
Enabling and using DKIM for your domain ensures that valid emails sent using Zoho are not classified as Spam at the recipient end.
The selector is used to identify the public DKIM Key details of the Domain. It is an attribute for the DKIM Signature and is included in the DKIM header of the email. You can use multiple selectors for a single domain in cases where you need to provide Special Signatory Controls for different sets of users.
Once you have added and verified a selector, you need to make it the default and enable it for the domain. Once enabled, all the outgoing emails based on the domain will be signed by the default selector, unless the users have been associated with a different selector in the Users section.
Troubleshoot SPF/ DKIM Problems
TTL (Time To Live) is the time specified in your DNS for each DNS change to take effect. If you have a large TTL value (24 hrs/ 48 hrs), the TXT/ SPF records might take a while to propagate. It might take up to 12 - 24 hours for DNS changes to take effect, based on the TTL set.
The way SPF records need to be added often varies between DNS providers. Hence, it is recommended to check the help pages or instruction manuals of your registrar, or to reach out to the support team of your DNS provider, to add the respective SPF/ DKIM records.
Typos/ Spelling Mistakes
Check if you have copied and pasted the correct information from the Zoho Setup pages. In the case of DKIM, you need to copy the entire key displayed and provide it as the value of the TXT Record. The TXT Record name should follow the suggested naming conventions.
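The selector lookup and the "copy the entire key" check described above can be scripted; the following is an added example, not code from the original help page or from Zoho or cPanel. It derives the DNS name a receiver queries from the signature's `s=` (selector) and `d=` (domain) tags, then compares the TXT strings returned by DNS with the key shown on the signing server. The selector `default`, the sample message and the key bytes are constructed placeholders, and the TXT strings are assumed to come from your own DNS lookup.

```python
import base64
import re
from email import message_from_string

# Constructed sample data: selector, bh=/b= values and key bytes are placeholders.
SAMPLE_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=domain.com; s=default;\n"
    " h=from:to:subject; bh=AAAA; b=BBBB\n"
    "From: user@domain.com\n\nbody\n"
)
SAMPLE_P = base64.b64encode(bytes(range(96))).decode()


def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (signature header or key record)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags


def dkim_query_name(raw_message):
    """DNS name where the receiver looks up the key: <s>._domainkey.<d>."""
    header = message_from_string(raw_message)["DKIM-Signature"]
    if header is None:
        return None  # the message carries no DKIM signature
    sig = parse_tags(header)
    return f"{sig['s']}._domainkey.{sig['d']}"


def check_key_record(txt_strings, expected_p):
    """Diagnose the TXT strings DNS returned against the server's own key."""
    if not txt_strings:
        return "no TXT record at the selector name"
    record = parse_tags("".join(txt_strings))  # long keys arrive as several strings
    if record.get("v", "DKIM1") != "DKIM1":
        return "not a DKIM key record"
    p = record.get("p")
    if not p:
        return "p= missing or empty (no usable key)"
    try:
        base64.b64decode(p, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "p= is not valid base64 (key truncated or mistyped)"
    if p != re.sub(r"\s+", "", expected_p):
        return "published key differs from the signing server's key"
    return "ok"
```

A key that was only partly pasted usually fails the base64 check; one cut at a four-character boundary passes it and is caught by the final comparison instead.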