trustyourinbox
← All articles

DKIM selector stopped resolving — what to check

We saw a DKIM selector at `<selector>._domainkey.<your-domain>` for a while, then it stopped returning a record. If your sender is still signing with that selector, every message will fail DKIM alignment. Here's how to tell what happened and fix it before deliverability drops.

What "stopped resolving" actually means

DKIM selectors live as TXT records in DNS. We auto-scan published selectors and track when they were last seen. When a selector that was previously returning a valid v=DKIM1; ... p=... record stops returning anything, that's an expired-selector signal.

It's distinct from revocation (where the record exists but with an empty p=) and from never-published (where we never saw it). This one is "was there, isn't anymore."

The three usual causes

  1. In-progress rotation. You're moving from one DKIM key to another. The new selector got published but the old one was deleted before the sender stopped using it. In-flight mail signed with the old key fails. If you can confirm your sender (ESP, marketing platform) has switched to the new selector AND there's no risk of cached signatures from the old one, you can ignore this safely. If you can't confirm both, republish the old key temporarily until the rotation is fully cut over.
  2. Manual delete. Someone deleted the record on purpose (cleanup of an unused vendor, ESP cancellation, mistaken cleanup). If the sender associated with this selector is still active in your stack, you need to either republish the original key OR have the sender stop signing.
  3. DNS provider hiccup. Rare, but happens — a flaky authoritative nameserver can transiently fail to return records. We re-scan daily; if the record reappears within ~24h, this was the cause and you can dismiss the alert.

How to figure out which one applies

Check these in order:

  • Open your DNS provider and look for any TXT record at <selector>._domainkey.<your-domain>. Is it there? (Sometimes the record exists but our scanner timed out — refreshing usually confirms.)
  • If it's not there: do you remember deleting it? Check your DNS provider's activity log if available.
  • Open your sender's (ESP, marketing platform) DKIM settings. Are they using this selector or a different one? If they switched, this is a rotation in progress and the warning will clear once enough time has passed without any mail signed by the old selector.
  • If the sender is still using this selector AND the record is gone, you need to republish — get the public key from your ESP's settings panel and put it back as a TXT record.

Why we don't auto-fix this

We don't have the public key — the customer (or their ESP) does. Without it, we can't republish. For DKIM publishing where you DO have the key, see the DKIM tab — there's a "publish pinned selector" flow where you paste the key and we handle the DNS side.

Stop guessing — start monitoring.

Free for 1 domain. Set up in 5 minutes. We handle the report parsing, you read plain-English summaries.

Run a free audit