Troubleshooting DomainKey/DKIM Issues

If you encounter an issue with the DomainKey/DKIM, please follow the below troubleshooting steps.

  1. Make sure the private key is being loaded. If there is any problem loading the private key, you will see an alert in the MTA with a description of the problem. This error data will also be placed in the system.log file in the main log directory.

  2. Since DKIM/Domainkeys are set up in the account settings, make sure you have the DKIM/DomainKey set up for the account you are sending from. Sending from a different account will definitely yield an unsigned outbound message.

  3. In order for the outbound message to be signed, the From address or Sender header must match the DKIM/DomainKey domain. If the Sender header is present, that is what will be used. Otherwise, it will use the From domain.

  4. Once you have completed the above steps you can look at the final outbound message's header and see the DomainKey/ DKIM-Signature: header. Once you see this header you know the MTA is set up correctly and is signing the outbound message.

  5. To check to see if the header is valid you can send a test message to and it will reply with the validity of the key. If for some reason this reflector is not working for you, then you can send an outbound message to a or address. If the signature is valid, you will see a header message added, similar to the one below.

Authentication-Results:; domainkeys=neutral (no sig);;
dkim=pass (ok)