DKIM Page Guide
Complete walkthrough of the DKIM Management tab
DKIM Management
The DKIM Management page shows all DKIM selectors detected for your domain and their current health status. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails, proving they have not been tampered with in transit.
Management Status
A badge at the top indicates whether DKIM management is active or inactive for this domain. Active means DMARC Busta is monitoring your DKIM selectors and will alert you to issues.
DKIM Keys Table
Lists all DKIM selectors detected from your DMARC reports and DNS records:
| Column | Description |
|---|---|
| Selector | The DKIM selector name (e.g., selector1, google, s1). Each email service uses its own selector. |
| Algorithm | The signing algorithm (typically RSA-SHA256). Shown when the DNS record is found. |
| Key Length | The public key size in bits (e.g., 1024, 2048). Longer keys are more secure — 2048-bit is recommended. |
| Status | Whether the DKIM DNS record is valid, missing, or has errors. |
| DNS Record | The TXT record published at selector._domainkey.yourdomain.com. |
Key Management
You can perform the following actions on DKIM selectors:
- Add Selector — manually add a known DKIM selector to monitor
- Rotate Keys — publish a new key and phase out the old one (requires a connected DNS provider)
- Remove — stop monitoring a selector that is no longer in use
DKIM Validation
DMARC Busta periodically checks that each selector's DNS record exists and contains a valid public key. If a record is missing, expired, or has syntax errors, the selector is flagged and you will be alerted. When Autopilot is active, critical DKIM issues automatically pause DMARC progression to prevent email from being rejected.
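The validation described above (and the Key Length column in the keys table), as an added example that is not DMARC Busta's own code: it parses one selector's TXT value, decodes the p= key and reads the RSA modulus size from the DER structure. The function names, status strings and the synthetic sample key are assumptions made for illustration.

```python
import base64

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(spki):
    """Modulus size in bits of a DER-encoded RSA SubjectPublicKeyInfo."""
    _, body, _ = _tlv(spki, 0)                         # outer SEQUENCE
    _, _, alg_end = _tlv(spki, body)                   # AlgorithmIdentifier
    tag, bit0, _ = _tlv(spki, alg_end)                 # BIT STRING wrapping the key
    _, key, _ = _tlv(spki, bit0 + 1)                   # skip the unused-bits octet
    tag2, m0, m1 = _tlv(spki, key)                     # INTEGER modulus
    if (tag, tag2) != (0x03, 0x02):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(spki[m0:m1], "big").bit_length()

def check_dkim_record(txt):
    """Return (status, detail) for a selector's TXT value; None means no record."""
    if not txt:
        return "missing", "no TXT record at selector._domainkey"
    tags = {k.strip(): "".join(v.split()) for k, v in (p.split("=", 1) for p in txt.split(";") if "=" in p)}
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "error", "bad version or no p= tag"
    if tags["p"] == "":
        return "error", "empty p= (key revoked)"      # RFC 6376: empty p= revokes the key
    if tags.get("k", "rsa") != "rsa":
        return "valid", "non-RSA key, length not checked"
    try:
        bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except Exception:
        return "error", "p= is not a parsable RSA public key"
    return "valid", f"rsa {bits} bits" + ("" if bits >= 2048 else " (below recommended 2048)")

def _der(tag, body):                                   # encoder used only to build the sample
    n = len(body)
    size = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (size if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_record(bits):
    """Constructed TXT value with a synthetic modulus; not a usable key."""
    mod = _der(0x02, ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption + NULL
    key = _der(0x30, mod + _der(0x02, b"\x01\x00\x01"))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + key))).decode()
```

In practice `txt` would be the concatenated strings of the TXT record fetched for the selector; the DNS lookup is left out so the example runs offline.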
Monitoring
When Autopilot is enabled, DKIM selectors are continuously monitored for:
- DNS record removal or corruption
- Key expiration or rotation by the email service
- DKIM pass rate drops in DMARC reports
- New selectors appearing in report data
Management Modes
Managed
DMARC Busta can publish and update DKIM records via a connected DNS provider. Full lifecycle management.
Monitoring Only
DMARC Busta monitors selectors and alerts on issues, but does not modify DNS records. You manage keys in your email provider.
Tip
Most email services (Microsoft 365, Google Workspace, SendGrid, etc.) manage their own DKIM keys. DMARC Busta monitors these selectors and alerts you if keys break or go missing. You typically do not need to create DKIM keys manually unless you run your own mail server.