DKIM Failing After Migration?
Check your DKIM selectors and verify keys are correctly published in DNS.
Probes 15+ common selectors
Common DKIM Selectors by Provider
| Provider | Selector(s) |
|---|---|
| Google Workspace | |
| Microsoft 365 | selector1, selector2 |
| Mailchimp | k1 |
| SendGrid | s1, s2 |
| Amazon SES | varies (CNAME-based) |
| Postmark | varies per account |
| Zoho | zoho, zmail |
| Fastmail | fm1, fm2, fm3 |
Why DKIM Fails After Email Migration
New DKIM keys not added to DNS
Your new email provider generates DKIM keys, but you need to publish the public key in DNS. Check your provider's admin console for the TXT record to add at selector._domainkey.yourdomain.com.
Old selector still in DNS, new one missing
You may have the old provider's DKIM record (e.g., google._domainkey) but the new provider uses a different selector (e.g., selector1._domainkey). Add the new selector without removing the old one until migration is complete.
Signing domain mismatch
The new provider might sign with their domain instead of yours by default. Configure custom DKIM to sign with d=yourdomain.com for proper DMARC alignment.
DNS propagation delay
DNS changes can take 1-48 hours to propagate globally. If you just added the DKIM record, wait and test again. Use low TTL values during migration.
CNAME vs TXT record confusion
Some providers (like Amazon SES) use CNAME records for DKIM instead of TXT. Make sure you're adding the correct record type as specified by your provider.
Key format or encoding errors
DKIM public keys must be properly formatted. Watch for extra spaces, line breaks, or missing "p=" prefix. Copy the exact value from your provider's console.
DKIM Migration Checklist
Get DKIM keys from new provider
Find the selector name and public key in your new provider's admin console.
Add new DKIM record to DNS
Create TXT record at selector._domainkey.yourdomain.com with the public key.
Keep old DKIM record temporarily
Don't remove old provider's DKIM until all mail is flowing through new provider.
Verify DNS propagation
Wait 1-48 hours and test DKIM lookup to confirm record is visible globally.
Enable DKIM signing in new provider
Some providers require you to explicitly enable DKIM after adding DNS records.
Send test email and check headers
Send to Gmail and check "Show original" for DKIM=pass with your domain.
Remove old DKIM record
After confirming new DKIM works, remove the old provider's selector from DNS.
Frequently Asked Questions
Why is DKIM failing after migration?
Common causes: old DKIM selector still in DNS but new provider uses different selector, new DKIM keys not added to DNS, signing domain changed, or DNS propagation not complete.
How do I find my new DKIM selector?
Check your new email provider's admin console for DKIM settings. Common selectors: 'google' for Google Workspace, 'selector1/selector2' for Microsoft 365, 'k1' for Mailchimp, 's1/s2' for SendGrid.
How long does DKIM DNS propagation take?
DKIM DNS records typically propagate within 1-48 hours depending on TTL settings. Use a low TTL (300-600 seconds) during migration for faster updates.
Monitor DKIM After Migration
Create a free account to monitor DKIM status, get alerts on failures, and track key rotation.
Start Free Monitoring