Introduction
DKIM often fails after an email-provider switch because the domain is still signing with the old service, publishing the wrong selectors, or routing mail through a sender you did not account for during cutover. A green dashboard alone is not enough. You need to confirm which platform is sending the message, which selector it expects, and whether the published DNS record matches the signer on the live message.
Symptoms
- Messages show dkim=fail after moving to a new email provider
- New provider onboarding is complete, but recipients still see authentication warnings
- Only some messages fail because different tools or apps send through different paths
- Old DKIM selectors remain in DNS next to the new provider's records
- Delivery drops or spam placement gets worse after the provider change
Common Causes
- The new provider's DKIM selector CNAME or TXT records were never published
- Mail is still being sent through the previous provider or another relay
- DNS propagation leaves some receivers seeing old selector answers
- The selector name is correct, but the record target or public key value is wrong
- Old provider records were removed too early while some systems still used that sender
Step-by-Step Fix
- Capture the full headers from a live failing message so you can see which DKIM selector and sending path are actually in use.
- Verify whether the message was sent through the new provider, the old provider, or a third-party application using a separate relay.
- Compare the selector in the message headers with the selector records currently published in DNS.
- Recreate the exact DKIM records required by the active provider and confirm the hostname, target, or public key value is correct.
- Check authoritative DNS answers directly to confirm the selector record exists in the live zone, not only in the control panel.
- Keep old provider DKIM records only if a real sender still depends on them during transition, then remove them after cutover is complete.
- Retest with a fresh message from each important sending path, including apps, forms, and mailbox clients, because one successful mailbox test does not prove every sender is fixed.
- Review SPF and DMARC alignment after DKIM passes so the full domain-authentication chain is consistent on production traffic.
- Maintain an inventory of selectors and sending platforms so future provider switches do not break authentication in the middle of delivery.
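
The header-to-DNS comparison from the steps above, as an added example that is not part of the original article: it reads every DKIM-Signature on a message, builds the selector hostname each signer expects, and checks it against the published records. The message, the selector names (newprov1, oldprov) and the PUBLISHED table are constructed; in practice PUBLISHED would hold the answers returned by the domain's authoritative nameservers.

```python
import email

# Constructed sample message: two DKIM signatures, one per sending path.
RAW_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=newprov1;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=oldprov;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: app@example.com
To: user@example.net
Subject: cutover test

body
"""

# Constructed stand-in for authoritative DNS answers: selector hostname ->
# TXT content after following any CNAME. A missing key means no record.
PUBLISHED = {
    "newprov1._domainkey.example.com": "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY",
}


def parse_tags(value):
    """Parse a DKIM tag=value list (signature header or key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def check_message(raw, published):
    """Return (selector hostname, status) for every signature on the message."""
    findings = []
    for sig in email.message_from_string(raw).get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        name = f"{tags.get('s', '?')}._domainkey.{tags.get('d', '?')}"
        record = published.get(name)
        if record is None:
            status = "no record published"
        elif not parse_tags(record).get("p"):
            status = "no usable key (p= empty or absent)"
        else:
            status = "record published"
        findings.append((name, status))
    return findings


if __name__ == "__main__":
    for name, status in check_message(RAW_MESSAGE, PUBLISHED):
        print(f"{name}: {status}")
```

A "record published" result only shows that the selector exists; the public key value still has to match the active provider's signing key for the signature to verify.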