Does your domain publish a DKIM public key so receiving servers can verify your emails?
Checks that you publish the cryptographic key that lets mail servers confirm your emails really came from you.
What this signal tests
DKIM, or DomainKeys Identified Mail, adds a digital signature to every email your domain sends. The signature is created with a private key on the sending server and verified with a matching public key you publish in DNS. We look up DNS records at common selectors used by major email providers and confirm at least one selector returns a valid DKIM key with the standard v=DKIM1 prefix and a non-empty p= public key.
Why it matters for your visibility in AI
DKIM is the second pillar of modern email authentication, alongside SPF and DMARC. Without it, DMARC cannot enforce anything meaningful and BIMI brand-logo display is impossible. AI systems that score publishers on brand trust treat the full DKIM-SPF-DMARC stack as a single signal: if any leg is missing, the whole signal collapses. The consequence is concrete. Mail you send is more likely to be flagged as suspicious by Gmail, Outlook, and Apple Mail. The reputation databases that feed those filters also feed AI retrieval pipelines, so your domain appears less authoritative when an LLM is deciding which sources to cite. A working DKIM key is among the cheapest credibility upgrades available, since most email providers will generate the keypair for you.
Pass criteria at a glance
| Criterion | Passes when |
|---|---|
| At least one selector returns valid DKIM1 record. |
How we test it
We query DNS at a small set of common selector locations such as google._domainkey, selector1._domainkey, k1._domainkey, and a handful of others used by mainstream providers. For each match we confirm the record begins with v=DKIM1 and contains a non-empty p= field. The lookup is plain DNS and we do not send or read any email; we only check that the public key is published correctly.
Technical detection method
DNS TXT at selector._domainkey.{domain}; validate v=DKIM1 + non-empty p=.
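The check described above, written out as an added example (not the scanner's own code): it takes the TXT strings already fetched for a selector name and applies the v=DKIM1 and non-empty p= tests. The function names and the sample key are constructed for illustration; the first-tag rule, the base64 check and the reading of an empty p= as a revoked key follow RFC 6376 and go slightly beyond what the page states.

```python
import base64
import binascii

# Selectors named on this page; a real scan probes more of them.
COMMON_SELECTORS = ("google", "selector1", "k1")
# Constructed sample value: valid base64, but not a real public key.
SAMPLE_KEY = base64.b64encode(b"constructed sample, not a real RSA key").decode()

def selector_names(domain, selectors=COMMON_SELECTORS):
    """DNS names to query for TXT records: <selector>._domainkey.<domain>."""
    return [f"{s}._domainkey.{domain.rstrip('.')}" for s in selectors]

def parse_tags(record):
    """Split a DKIM tag-list ("k=v; k=v") into an ordered dict."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        # Whitespace inside a value is folding only, so drop it.
        tags.setdefault(name.strip(), "".join(value.split()))
    return tags

def check_dkim_record(txt_chunks):
    """Return (ok, reason) for one TXT answer given as its list of strings."""
    # Long keys are published as several <=255-byte strings; join them first.
    tags = parse_tags("".join(txt_chunks))
    # v= must be the first tag and must equal DKIM1.
    if next(iter(tags), None) != "v" or tags["v"] != "DKIM1":
        return False, "missing v=DKIM1 prefix"
    key = tags.get("p")
    if key is None:
        return False, "no p= tag"
    if key == "":
        return False, "empty p= (key revoked)"
    try:
        base64.b64decode(key, validate=True)
    except binascii.Error:
        return False, "p= is not valid base64"
    return True, "valid DKIM1 key"
```

The DNS lookup is left out so the block runs offline; pass it the strings a resolver returns for each name from `selector_names()`.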
If your site fails: how to fix it
- Identify your primary email provider (Google Workspace, Microsoft 365, Zoho, Fastmail) and any marketing or transactional providers (Mailchimp, Resend, SendGrid, Postmark, Mailgun). Each one wants its own DKIM key.
- In each provider's admin console, find the DKIM or domain authentication section. The provider will give you a selector name and one or more TXT records to publish at selector._domainkey.yourdomain.com.
- Open your DNS console at your registrar (Cloudflare, GoDaddy, Namecheap, Route 53, etc.) and add each DKIM TXT record exactly as the provider supplied. Some providers use a CNAME instead of a TXT record; either is valid.
- After publishing, return to the provider's admin console and click the verify or activate button. The provider will check that the record is reachable and start signing outbound mail.
- Wait a few minutes for DNS to propagate, then test by sending a message to a Gmail address and viewing the original headers; you should see DKIM=pass. Re-run the AI Ready Test scan.
Quick facts
| Maturity | ESTABLISHED |
|---|---|
| Weight | medium |
| Category | Trust & Provenance |
Frequently asked questions
Will I need IT help to fix this?
Usually no. Email providers generate the keypair and provide the exact DNS values; you only need to paste them into your DNS console. If you use multiple senders, you publish one key per sender, but the workflow is the same each time.
What if my email is hosted by Google Workspace or Microsoft 365 - is this already done for me?
No. Both providers can sign your outbound mail with DKIM, but neither publishes the DNS record on your behalf. You must enable DKIM in their admin console and add the resulting record to your DNS. Until you do, mail still leaves their servers unsigned by your domain.
Does this affect my email deliverability too?
Yes, materially. DKIM signing is required for DMARC enforcement, which Gmail and Yahoo now require for bulk senders. Without DKIM your legitimate mail is more likely to land in spam, and your overall sender reputation is weaker.
How long until the change propagates?
DNS publication typically completes within a few minutes on modern providers. After publication, the email provider needs to detect the key (usually under an hour) before it starts signing. Once signing begins, every new message carries the signature.