Testing DKIM Before Go-Live: Pre-Production Checklist
How to test your DKIM setup before going live. Pre-production checklist covering DNS verification, test emails, header analysis, and DMARC readiness.
Last updated: 2026-06-06
You have generated your DKIM keys, added the DNS record, and configured your mail server. Before you flip the switch and start signing every outgoing email, take thirty minutes to verify everything works. A small mistake caught now saves you from deliverability headaches later.
Browse all Security guides.
If you still need to generate keys, start with DKIM Creator - it creates key pairs in your browser with nothing to install.
Step 1: Verify Your DNS Record Is Live
The most common reason DKIM fails on launch day is that the DNS record has not propagated or contains a typo. Confirm it exists and looks correct before doing anything else.
Check with a command-line tool
If you are comfortable with a terminal, run one of these commands (replace selector and yourdomain.com with your values):
dig TXT selector._domainkey.yourdomain.com +short
or on Windows:
nslookup -type=TXT selector._domainkey.yourdomain.com
You should see a response that starts with v=DKIM1; followed by your public key.
Use an online lookup tool
If you prefer a browser-based check, visit dkimtest.com and enter your domain and selector. The tool will query DNS and tell you whether your record was found and whether it is valid.
Compare the key
Make sure the public key in DNS matches the key you generated. Even a single missing character will cause every signature to fail.
DNS changes can take up to 48 hours to propagate, though most complete within one to two hours. If the record is not showing up yet, wait and check again before troubleshooting further.
Step 2: Use the Testing Flag
DKIM supports a t=y flag in the DNS record that tells receiving servers your key is in testing mode, as defined in RFC 6376 Section 3.6.1. While the flag does not change how signatures are verified, it signals to receivers that failures should not be treated harshly.
Add t=y to your record before launch:
v=DKIM1; k=rsa; t=y; p=MIIBIjAN...
Once you have confirmed everything works, remove the t=y flag so receivers treat your signatures as production-ready.
Step 3: Send Test Emails to Verification Services
Rather than guessing whether your signatures pass, send a test email to a service that analyzes authentication headers for you.
| Service | What It Tells You |
|---|---|
| **Gmail (Show Original)** | Displays `dkim=pass` or `dkim=fail` in Authentication-Results |
| **mail-tester.com** | Scores your email and highlights DKIM, SPF, and DMARC results |
| **dkimtest.com** | Provides a unique address to send to and returns a detailed DKIM report |
Send at least one test message and confirm you see dkim=pass before moving on.
Need to generate or regenerate keys?
DKIM Creator builds your key pair in seconds - entirely in your browser.
Step 4: Read the Authentication-Results Header
Every email you receive includes an Authentication-Results header added by the receiving server. Learning to read it takes a minute and saves hours of guessing.
Look for a line like this:
Authentication-Results: mx.google.com;
dkim=pass header.d=yourdomain.com header.s=selector
Key things to check:
- dkim=pass means the signature was verified successfully.
- header.d= should match your sending domain.
- header.s= should match the selector you configured.
If you see dkim=fail, the header often includes a reason such as "body hash did not verify" or "key not found", which points you to the fix. For a full list of failure types, see common DKIM errors.
Step 5: Check DKIM Alignment for DMARC
DMARC requires that the domain in your DKIM signature (d= tag) aligns with the domain in the From header, as specified in RFC 6376 Section 3.5. Even if DKIM passes, a misaligned domain means DMARC will not count it.
| Scenario | DKIM Result | DMARC Alignment |
|---|---|---|
| From: [email protected], d=yourdomain.com | Pass | Aligned |
| From: [email protected], d=mail.yourdomain.com | Pass | Aligned (relaxed mode) |
| From: [email protected], d=otherdomain.com | Pass | Not aligned |
If you plan to enforce DMARC (and you should), verify alignment now rather than discovering the gap after go-live.
Step 6: Test Across Multiple Providers
Do not test with only one mailbox. Different providers handle DKIM in slightly different ways, and a problem that hides in Gmail may surface in Outlook or Yahoo.
Send a test email to each of these and confirm dkim=pass:
- Gmail - Check via "Show original"
- Outlook / Microsoft 365 - Check via "View message source"
- Yahoo Mail - Check via "View raw message"
If DKIM passes at all three, you can be confident your setup is solid.
Common Pre-Launch Mistakes
Before you declare victory, double-check these frequent pitfalls:
- Selector typo in DNS - The hostname must be exactly
selector._domainkey, including the underscore and period. - Key pair mismatch - The private key on your server and the public key in DNS must come from the same generation step.
- Truncated TXT record - Some DNS providers silently cut long records. Verify the full base64 string is present.
- Signing not enabled - You added the DNS record but never turned on signing in your mail server or provider dashboard.
- Testing from the wrong server - Make sure you send test emails from the same server or service that will handle production sending.
Go-Live Checklist
Use this as your final sign-off before removing the t=y flag and going live:
DNS record resolves correctly
Confirmed via command-line tool or online lookup.
Test email shows dkim=pass
At least one verification service confirms a passing signature.
Headers show correct domain and selector
The d= and s= values in Authentication-Results match your configuration.
DKIM alignment passes for DMARC
The signing domain aligns with the From header domain.
Multiple providers tested
Gmail, Outlook, and Yahoo all return dkim=pass.
Remove the t=y flag
Update your DNS record to remove testing mode.
Post-Launch Monitoring
Going live is not the end of the process. Keep an eye on things for the first few weeks:
- Review DMARC aggregate reports for any DKIM failures you did not catch during testing.
- Watch your bounce rate - a sudden spike may point to a signing issue.
- Re-test after any DNS or mail server changes to catch regressions early.
- Plan key rotation - schedule a reminder to rotate your DKIM keys at least once a year.
Related Articles
References
- RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures
Take the guesswork out of DKIM. Generate your keys, test before you launch, and go live with confidence.
Generate DKIM keys
Create a secure key pair in seconds. Browser-based, free, no account required.
Create Your Keys