DKIM (DomainKeys Identified Mail) adds cryptographic signatures to your emails, proving they're authentic and unmodified. This guide walks through setting up DKIM for your domain, including configuration for major email platforms.
Not sure what DKIM is? Read our introduction to DKIM first.
How DKIM Setup Works
Setting up DKIM involves three main components:
- Key generation – Creating a public/private key pair
- DNS record – Publishing the public key in DNS
- Email signing – Configuring your email service to sign outgoing messages
Most email services handle key generation automatically. Your main task is adding the DNS record they provide.
General DKIM Setup Process
Step 1: Enable DKIM in Your Email Service
Log into your email service's admin panel and find DKIM settings. The service will generate keys and provide you with:
- A DNS record to add (the public key)
- The selector name (identifies this specific key)
Step 2: Add the DNS Record
DKIM records are TXT records at: [selector]._domainkey.yourdomain.com
For example, if your selector is "google":
google._domainkey.yourdomain.com
Step 3: Verify and Activate
Return to your email service to verify DNS propagation and activate DKIM signing.
Platform-Specific Setup
Google Workspace
- Go to Admin Console → Apps → Google Workspace → Gmail
- Click "Authenticate email"
- Select your domain
- Click "Generate new record"
- Choose key length (2048-bit recommended)
- Copy the DNS hostname and TXT record value
- Add TXT record to your DNS
- Wait for DNS propagation (can take up to 48 hours)
- Return to Google Admin and click "Start authentication"
Google Workspace selector: Usually google or a custom prefix
Microsoft 365
- Go to Microsoft 365 Defender portal
- Navigate to Email & collaboration → Policies → DKIM
- Select your domain
- Click "Create DKIM keys"
- Copy the two CNAME records provided
- Add CNAME records to your DNS
- Wait for propagation
- Return and click "Enable" to start signing
Microsoft 365 selectors: selector1 and selector2
Note: Microsoft uses CNAME records that point to their DKIM keys, not TXT records directly.
Mailchimp
- Go to Account → Domains
- Click "Verify" or "Authenticate" next to your domain
- Copy the DKIM record provided
- Add TXT record to DNS at the specified subdomain
- Return to Mailchimp and click "Verify"
Mailchimp selector: Usually k1
SendGrid
- Go to Settings → Sender Authentication → Domain Authentication
- Click "Authenticate Your Domain"
- Enter your domain and select your DNS host
- Choose whether to brand tracking links
- Copy the CNAME records provided (usually 3 records)
- Add CNAME records to your DNS
- Click "Verify" in SendGrid
Amazon SES
- Go to Amazon SES Console → Verified Identities
- Select your domain or create new
- Go to "Authentication" tab
- Under DKIM, choose "Easy DKIM" (recommended)
- Copy the three CNAME records provided
- Add CNAME records to your DNS
- Amazon will automatically verify and enable signing
Verifying DKIM Setup
Check DNS Records
Command line:
dig TXT selector._domainkey.yourdomain.com
You should see a TXT record containing v=DKIM1 and a public key.
Send a Test Email
- Send an email to a Gmail address
- Open the email in Gmail
- Click the three dots → "Show original"
- Look for
Authentication-Results - You should see
dkim=pass
Online Verification Tools
- MxToolbox DKIM Lookup
- Mail-tester.com (send email and get full report)
- EasyDMARC DKIM Checker
Setting Up DKIM for Multiple Services
Most organizations send email through multiple services. Each needs its own DKIM configuration:
Common Setup
| Service | Example Selector | Record Type |
|---|---|---|
| Google Workspace | TXT | |
| Microsoft 365 | selector1, selector2 | CNAME |
| Mailchimp | k1 | TXT or CNAME |
| SendGrid | s1, s2 | CNAME |
| Mailgun | various | TXT |
| Amazon SES | various | CNAME |
Each service uses a different selector, so records don't conflict. You can have many DKIM records—one per selector.
Choosing DKIM Key Size
Most services offer 1024-bit or 2048-bit keys:
1024-bit
- Works universally
- Fits in single DNS TXT record
- Still considered secure but aging
2048-bit (Recommended)
- Stronger security
- Future-proof
- May require splitting across DNS strings (most providers handle automatically)
- Some older DNS providers may have character limits
Recommendation: Use 2048-bit unless your DNS provider has limitations.
Troubleshooting Common Issues
Record Not Found
- Verify the selector name is correct
- Check for typos in the subdomain (selector._domainkey.domain.com)
- Wait for DNS propagation (up to 48 hours)
- Ensure you added TXT (not CNAME) if required
DKIM Signature Fails
- Public key doesn't match private key used for signing
- Record syntax error (missing quotes, wrong format)
- Service not actually signing emails (DKIM disabled)
2048-bit Key Too Long
- Some DNS providers have character limits
- Split the record into multiple strings (provider-specific)
- Or use 1024-bit as fallback
Multiple Records Confusion
- Having multiple TXT records for the same selector causes issues
- Each selector should have exactly one record
- Different services use different selectors (this is fine)
DKIM Best Practices
- Use 2048-bit keys when possible
- Enable DKIM before adding services to SPF – Helps with alignment
- Configure custom domain authentication – In marketing tools, ensure emails are signed with your domain
- Document your selectors – Keep track of which selector each service uses
- Plan for key rotation – Periodically rotate keys for security
- Test after changes – Always verify DKIM passes after any DNS changes
Next Steps After DKIM Setup
With DKIM configured:
- Verify all email services have DKIM enabled
- Test emails from each service pass DKIM
- Ensure SPF is also configured
- Implement DMARC for complete protection
For a complete overview, see our Email Authentication Complete Guide.
0 comments