Removing a revoked DKIM selector
If we flagged a DKIM selector as revoked, it means the TXT record at that selector exists but its `p=` field is empty. RFC 6376 §3.6.1 treats that as 'this key has been revoked, do not validate against it.' Receivers see the record, see the empty key, and fail signatures. Here's what to do.
What revocation actually signals
DKIM TXT records carry a public key in the `p=` tag. The full record looks something like `v=DKIM1; k=rsa; p=MIGfMA0...`. When the `p=` value is empty (just `p=` with nothing after it, or `p=;`), RFC 6376 says this is the operator declaring the selector retired — receivers should not verify against it.
The intent is to make rotations cleanly observable. Old selectors don't just vanish from cache; they get explicitly marked dead so receivers know.
Why this is a problem if it's still published
A revoked selector that's still in DNS isn't just informational — receivers will actively fail signatures from it. If you rotated DKIM keys but left the old selector behind in revoked state, AND your sender is somehow still signing with the old selector (cached configs, stale ESP setup), every message ends up DKIM-fail. Your alignment % drops without a clear cause.
Even if your sender isn't using the old selector, a revoked record is noise. It suggests "this domain doesn't keep its DKIM tidy" to receivers and to anyone auditing your DNS.
How to fix it
The fix is one of two things:
- If the rotation is complete — the new selector is signing your mail and the old one is no longer used — delete the old TXT record entirely. Don't leave a revoked stub. Find the record at `<old-selector>._domainkey.<your-domain>` in your DNS provider and remove it.
- If the rotation is in progress — you intended to revoke but the new selector isn't fully published yet — republish the old key temporarily so signatures from in-flight mail still verify. You probably have the public key in your ESP's DKIM settings panel; copy it back into the TXT value as `p=<the-base64-string>`.
Verifying the fix
After you change the DNS record, run a fresh DKIM scan from the DKIM tab. The check will re-resolve the record and clear the warning. Allow a couple of minutes for DNS propagation if you're behind a slow resolver chain.
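To check a selector's state yourself before and after the DNS change, the following added example (not code from this product or from the original page) classifies a DKIM TXT value as active, revoked or invalid using the RFC 6376 tag-list rules described above. The function names and the sample key are constructed for illustration; feed it the TXT value your resolver returns for `<old-selector>._domainkey.<your-domain>`.

```python
import base64
import binascii
import re

# Constructed placeholder, not a real RSA public key.
SAMPLE_KEY = base64.b64encode(b"constructed, not a real RSA key").decode()

def join_txt_strings(raw: str) -> str:
    """Join the quoted chunks of a TXT answer as printed by dig
    ('"v=DKIM1; " "p=..."'); unquoted input is returned stripped."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', raw)
    return "".join(chunks) if chunks else raw.strip()

def parse_tag_list(record: str) -> dict:
    """Parse an RFC 6376 tag=value list; duplicate tags make it invalid."""
    tags = {}
    for item in record.split(";"):
        if not item.strip():
            continue  # tolerate a trailing ';' such as 'p=;'
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {item.strip()!r}")
        tags[name] = value.strip()
    return tags

def classify_selector(raw_txt: str) -> str:
    """Return 'active', 'revoked' or 'invalid' for one DKIM key record."""
    try:
        tags = parse_tag_list(join_txt_strings(raw_txt))
    except ValueError:
        return "invalid"
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "invalid"  # p= is a required tag; v=, if present, must be DKIM1
    key = "".join(tags["p"].split())  # whitespace may be folded into p=
    if not key:
        return "revoked"  # empty p=: RFC 6376 section 3.6.1 revocation
    try:
        base64.b64decode(key, validate=True)
    except binascii.Error:
        return "invalid"
    return "active"

if __name__ == "__main__":
    for txt in (f"v=DKIM1; k=rsa; p={SAMPLE_KEY}",       # key published
                "v=DKIM1; k=rsa; p=",                     # revoked stub
                '"v=DKIM1; k=rsa; " "p=;"',               # revoked, chunked
                "v=DKIM1; k=rsa"):                        # p= tag missing
        print(f"{classify_selector(txt):8} {txt}")
```

A deleted selector returns no TXT answer at all, so there is nothing to pass in; a result of `revoked` after your change means the stub is still published.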
Why we don't auto-fix this
We don't currently offer one-click revocation cleanup because deleting the TXT record is a destructive op — if the record was revoked deliberately as part of a rotation, we'd be undoing that signal. Better to surface the warning and let you delete via your DNS provider with full context.
For DKIM rotations going forward, see Why 1024-bit DKIM keys are being phased out for the recommended rotation playbook.