DKIM record not verified...dunno why

Trying to add a DKIM TXT record to a domain and it’s not coming back as verified…dunno what to do @fool

Added an SPF TXT record and that is working, but cannot get the DKIM to work…copied it from google verbatim, but still not verified, and don’t know what is wrong or how to fix…

site is

record looks like this:

If you can think of anything that we’re not doing, then please share :slight_smile:

Hey @arrowgtp,

You may not need to append your URL to the name: DKIM verification process keeps failing

Let me know if this helps!

I did not do that…netlify keeps adding it…

Here is what I did:

and this is what i get from netlify after I save the record:

and there is no edit button, so I can’t take that off…I don’t know what to do…

This looks correct to me, but for some reason it’s not showing when your DNS is polled.

Hi, @arrowgtp, this is what I see when I query the record currently:

$ dig TXT  +noall +answer

; <<>> DiG 9.10.6 <<>> TXT +noall +answer
;; global options: +cmd 3599 IN TXT	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAho0dO5/TQdyzkSiQaL6oUMki9e1ZzfxS80dRJwyrm4ZTjaP3HL0IqNVxMYMPSZ7on2YCAIqVux9EStMMeY6sXx/UHOGlxppoHje+UEygREjcK60Bdh9O6TIX+HcGhmTvg0443ExHMSHDEHqSw0h9TsSA6A3pe+bNDiFSXi4409eZBPk1YAHfZAu4TL8dhjVTi" "f1Peh5LoX+Age4DXgJnVwYNUkd+TSxhV6hpWc6RuHSB8MC9TwrgshcaGELrzP6XV+IfOs6nsUf/jj9FTh5HLepbns6eutRXKZMAePZMhXw0F9+oVEAaepp0A8VLSRY1tNmvdg4Sny9u/TudXFgSxQIDAQAB"

Regarding the apex domain being appended, it will alway be appended for any DNS record for any
DNS service. Your DNS records are always relative to the apex domain (which is in this case).

Also, you are correct there is no edit button. The only way to change a DNS record currently is to delete it and recreate it.

Note, the only difference between the DNS record shown in your screenshot and the one returned when I test is that the value returned is split each 255 characters (which is part of how DNS works). There is more about this here:

Would you please test this locally with dig and/or nslookup and let us know what you find?

The output of the following would be helpful for example:

nslookup -type=TXT

Would you please post the results of that command here?

@luke Right you are. I was hitting the apex domain, not the subdomain. I see it now, as do you, so Google should be able to find this for verification.

Here is what I got from nslookup:

RN:~ rchrdnsh$ nslookup -type=TXT



Non-authoritative answer: text = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAho0dO5/TQdyzkSiQaL6oUMki9e1ZzfxS80dRJwyrm4ZTjaP3HL0IqNVxMYMPSZ7on2YCAIqVux9EStMMeY6sXx/UHOGlxppoHje+UEygREjcK60Bdh9O6TIX+HcGhmTvg0443ExHMSHDEHqSw0h9TsSA6A3pe+bNDiFSXi4409eZBPk1YAHfZAu4TL8dhjVTi" "f1Peh5LoX+Age4DXgJnVwYNUkd+TSxhV6hpWc6RuHSB8MC9TwrgshcaGELrzP6XV+IfOs6nsUf/jj9FTh5HLepbns6eutRXKZMAePZMhXw0F9+oVEAaepp0A8VLSRY1tNmvdg4Sny9u/TudXFgSxQIDAQAB"

Authoritative answers can be found from:

RN:~ rchrdnsh$

I don’t really know what I’m looking at here…so new toDNS in general and I have no knowledge about DKIM SPF and the like…

…does any of this mean that any of this is working now?

Here is a screenshot from a website that tests DKIM and SPF records…is this good now?

@arrowgtp The “nslookup” command is short for “name server lookup.” It’s roughly the equivalent of dig -t TXT.

The “-type=txt” switch specifies what specific DNS records you want to query.

Because this record is set up as a subdomain by Google, you have to query the subdomain, thus

The next two lines – the Server and the Address – simply show the source of the information to be presented.

The “answer” is the key bit. This shows the contents of the TXT DNS entry for this subdomain. It’s similar to the results from the dig command, which are: 3599 IN TXT	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAho0dO5/TQdyzkSiQaL6oUMki9e1ZzfxS80dRJwyrm4ZTjaP3HL0IqNVxMYMPSZ7on2YCAIqVux9EStMMeY6sXx/UHOGlxppoHje+UEygREjcK60Bdh9O6TIX+HcGhmTvg0443ExHMSHDEHqSw0h9TsSA6A3pe+bNDiFSXi4409eZBPk1YAHfZAu4TL8dhjVTi" "f1Peh5LoX+Age4DXgJnVwYNUkd+TSxhV6hpWc6RuHSB8MC9TwrgshcaGELrzP6XV+IfOs6nsUf/jj9FTh5HLepbns6eutRXKZMAePZMhXw0F9+oVEAaepp0A8VLSRY1tNmvdg4Sny9u/TudXFgSxQIDAQAB"

If this string deviates in even the smallest way from what Google is expecting, they will not verify / validate your control of this domain name.

This should – actually, must – match the text string that Google gave you to complete the validation process.

So, I seem to have same problem with google apps DKIM, google._domainkey and netlify dns editor.
First dns editor I’ve seen that appends domain name automatically.
I put in: google._domainkey and netlify changes to

Google apps do not verify the setting even after 48 hours.

@henrikeh When you add google._domain key to your DNS records, you are actually adding a subdomain for Different online DNS dashboards display it differently, but the FQDN would be

As for your TXT record not showing up, I would try deleting that record and re-entering it. I’m not seeing it either, even though I’m able to see your A records and NS records.

If deletion and re-entry doesn’t fix this, someone at the Netlify mothership is going to have to step in.

It worked after removing and re-adding, but with some changes, not sure what made it.

  1. Other prefix than google (they let you edit).
  2. Shorter keylength 1024
  3. Made sure no tralining CR/LF in text entry.


1 Like


We have exactly the same problem!

Our domain is hosted on Netlify.

The TXT DNS record for the is just skipped.
The TXT DNS record for the works as expected.

The problem is that Yandex Mail expects us to use the mail._domainkey domain, there is no way to configure another domain.

Hi, @okhotin. I believe the issue was that the record existed in our database but was never created on the DNS service. It looks like you deleted the record and then recreated it.

This caused the record to get correctly added to the DNS service and it started working at that time:

$ dig TXT

; <<>> DiG 9.10.6 <<>> TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16967
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512

;; ANSWER SECTION: 3463 IN	TXT	"v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDH5IlBmVJuawcJVVh4zzroBWVz03gvUgcjJVBYPw3DI6rWblWTR9bL5RyMm5MHxJYzN7Ed8OqflwUavJUrIccH17EosbaV08BaE489UBPyILOVkUrXDcL1jHjufF+2yinaIMtNDUnuYwGEmWqMlv+A6cKTUPaIv1pVKceaDIhaJQIDAQAB"

;; Query time: 24 msec
;; WHEN: Tue Mar 02 21:19:50 PST 2021
;; MSG SIZE  rcvd: 310

To summarize, you fixed it when you recreated the record.

If there are other questions, please let us know.

1 Like