Message headers show “dkim=none” or “dkim=fail” for mail from a tool you pay for.
Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English. Run the free check →
What this means
The service isn't signing with your domain — either domain authentication was never completed in its settings, or the DNS records it asked for were never added, or a key rotated.
How to fix it
Step 1. Open the service's settings and look for “domain authentication”, “sender domain” or “DKIM”.
Step 2. Add the CNAME/TXT records it generates to your DNS exactly as shown.
Step 3. Verify inside the service (most have a Verify button), then send a test and re-check headers.
Frequently asked
How long until fixes take effect?
DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.
Does this apply if I send fewer than 5,000 emails a day?
Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.
Can I just ask my hosting provider to fix it?
Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.
Don't want to babysit DNS records? DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection. Start free monitoring →