DKIM TXT DNS record mail._domainkey exists but says it doesn't

Posted April 23, 2017 7.7k views

I followed the excellent article: to set up DKIM on my server. I created the two TXT records exactly as required. My domain is called However the authentication check using a test email to: returns the following in the DKIM section stating that doesn’t exist (see below), when it does. Having read as many blog articles as I could find about this I have ensured the text is in quotes and I am sure it is not a propagation issue as I used (and other similar online tools) to check for which was found as a TXT record ok.

Also I note in the report below, it reports the DNS record as TXT (NXDOMAIN) - whatever that means.

No idea what to do next. Can someone please help?


DKIM check details:

Result: permerror (key “” doesn’t exist)
ID(s) verified:
Canonicalized Headers:‘0D’'0A’

Canonicalized Body:

DNS record(s): TXT (NXDOMAIN)

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25’s PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
1 answer


When using MXToolbox, I was able to verify the DKIM entry easily. I’m seeing the following:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfWHolALh8Kohz+hSyWWRArUQJbo+lDAKKIUIQ39s3V/AQOO4IcihyF7s8ZFl936NcF6wcpEHXzvnYt5g19+s0VtY8Hc+CM8+a3AC4nz1QuGeitzNDp8f/mNkjZA33k3cnMFj5286Aej/YYsMzMsUQbRzXgYk9MKphJEBAIpYc2wIDAQAB

It is possible that at the time of checking, the DNS entry hadn’t fully propagated, thus when they did a check, it failed. On my end, as of this reply, it’s showing up and appears valid.

  • Thanks. It was a propagation issue and all works now. The problem was that MXToolbox did find the key yesterday but clearly wherever is, the propagation had not reached there! I was also fooled as I set up a new url under the same domain (new A record) and I could see it after a few minutes. I suppose that someone in the US or Europe would not have been able to.

    The moral of the story is that you really do need to wait 24 hours or more for full propagation!

    Incidentally, my question was marked as spam for some reason by the DO Community - I would love to know why. It was only “unspammed” after I raised a support ticket.

    This question of spam is a real pain - for example my automated emails from the domain I just amended are STILL going into spam in gmail accounts even though the verification shows spf=pass and dkim=pass. What do you have to do get into gmail?? Funnily enough, loads of real spam seems to get through. So explain that.

    My only solution for a new app I developed is to get all users to mark messages from my domain as “not spam” from Day 1.