How to fix “dkim=none” from all

Message headers show “dkim=none” or “dkim=fail” for mail from a tool you pay for.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

The service isn't signing with your domain — either domain authentication was never completed in its settings, or the DNS records it asked for were never added, or a key rotated.

How to fix it

Step 1. Open the service's settings and look for “domain authentication”, “sender domain” or “DKIM”.
Step 2. Add the CNAME/TXT records it generates to your DNS exactly as shown.
Step 3. Verify inside the service (most have a Verify button), then send a test and re-check headers.

Frequently asked

How long until fixes take effect?

DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.

Does this apply if I send fewer than 5,000 emails a day?

Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.

Can I just ask my hosting provider to fix it?

Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →