Symptoms
Outgoing email messages are not signed by DKIM when the sending domain uses third-party DNS servers.
Description
This can occur when there is a mismatch between the DKIM record on the authoritative nameserver for the domain and the DKIM record configured on the cPanel server for that domain. You can check for such a mismatch on either the Email Deliverability page in cPanel or via the validate_current_dkims API call. If either of these methods detects an invalid DKIM key, cPanel does not sign that domain's outbound email with a DKIM signature in order to avoid a DKIM failure.
Workaround
Make sure that the DKIM record configured on the third-party DNS server is the same as the one configured on the cPanel server.