
What Is DKIM and How to Set It Up

DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to each message you send. The signature covers the message body and a chosen set of headers, so a receiving server can check two things: that the signing domain vouched for the message, and that the signed parts were not altered in transit. The receiver verifies the signature against a public key published in the signing domain's DNS. Note that DKIM on its own proves who signed the message, not that the signer matches the visible From address; that comparison (alignment) is DMARC's job. DKIM is one of the three authentication protocols (along with SPF and DMARC) that receiving servers expect before they will reliably deliver your mail.

How DKIM Works

DKIM uses public key cryptography to sign and verify emails. The process works like this:

1. The sending server (in practice, your email provider) computes a hash of the message body and of a chosen set of headers such as From, Subject and Date, signs that data with the domain's private key, and adds a DKIM-Signature header to the message. That header carries the signing domain (d=), the selector (s=), the list of signed headers (h=), the body hash (bh=) and the signature itself (b=).
2. The receiving server reads d= and s= from the header and looks up the public key in DNS at selector._domainkey.signing-domain.
3. It recomputes the body hash, checks the signature over the listed headers with that key, and records the outcome (dkim=pass or dkim=fail) in an Authentication-Results header that mail clients can display.

Unlike SPF, which checks the IP address of the connecting server, DKIM checks the message itself. A DKIM signature therefore survives forwarding as long as the forwarder passes the message on unmodified, whereas SPF usually fails on forwarded mail because the forwarder's IP is not in the original sender's SPF record. Forwarders that change the message, such as mailing lists that add a footer or a Subject tag, do break the signature, which is one reason DMARC accepts either SPF or DKIM rather than requiring both.

How to Set Up DKIM

Step 1: Generate your DKIM keys in your email provider.
Log into your email service provider's dashboard (SendGrid, Mailgun, Amazon SES, Google Workspace, etc.) and navigate to the domain authentication or DKIM settings. Most providers have a setup wizard that generates the keys and gives you the DNS records to add. The provider keeps the private key and gives you the public key to publish.
Step 2: Add the DKIM DNS record.
Go to your domain's DNS management panel and add the record your email provider gave you. The record name is typically selector._domainkey.yourdomain.com, where "selector" is a label chosen by your provider (such as "s1" or "google"). For a TXT record, the value contains the public key; for a CNAME record, the value is the hostname of a provider-managed record that holds the key, so the key itself never appears in your zone.
Step 3: Verify the record in your email provider.
Go back to your email provider's dashboard and click the verification button. The provider will query your DNS to confirm the public key record exists and is correct. Some providers verify automatically within a few minutes.
Step 4: Send a test email and check the headers.
Send an email to a Gmail account and view the full message headers (Show original). Look for dkim=pass in the Authentication-Results header and confirm that the domain shown beside it (header.d= or header.i=) is your domain, not your provider's; a signature from the provider's own domain passes DKIM but will not align for DMARC. You should also see a DKIM-Signature header on the message itself, with d= naming your domain and s= naming the selector you published.
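
The Step 4 check can be done in code rather than by eye. The script below is an added example, not code from the original page or from any of the providers it names: using only the Python standard library, it pulls the DKIM-Signature and Authentication-Results headers from a raw message, extracts the signing domain and selector, works out which DNS name the verifier fetched, and tests whether the signing domain aligns with the From domain the way DMARC requires. Both messages it inspects are constructed samples with placeholder hostnames, domains and signature values; the alignment test compares labels directly rather than consulting the Public Suffix List, which is a simplification.

```python
"""Inspect the DKIM evidence on a received message (Step 4, done in code).

Added example; not code from the original page. Standard library only.
Both sample messages are constructed: hostnames, domains and signature
values are placeholders, not captured traffic.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the provider signs with the customer's own domain, so DKIM aligns.
ALIGNED_MESSAGE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=s1 header.b=AbCdEf12;
       spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=bounce.forwarder.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;
       h=from:to:subject:date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
       b=AbCdEf12
From: Alerts <alerts@example.com>
To: someone@gmail.com
Subject: Forwarded test
Date: Mon, 01 Jan 2024 12:00:00 +0000

Hello
"""

# Constructed: the provider signs with its own domain. dkim=pass, but no
# alignment, so this signature does nothing for DMARC on example.com.
UNALIGNED_MESSAGE = ALIGNED_MESSAGE.replace(
    "header.i=@example.com", "header.i=@mail-provider.example"
).replace("d=example.com;", "d=mail-provider.example;")


def parse_tag_list(value):
    """Parse 'k=v; k=v' tag lists, the syntax of DKIM-Signature headers."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def parse_auth_results(value):
    """Return (authserv-id, [(method, result, {ptype.prop: value}), ...])."""
    value = re.sub(r"\([^)]*\)", "", value)       # drop parenthesised comments
    value = re.sub(r"\s+", " ", value).strip()    # unfold the header
    authserv_id, _, rest = value.partition(";")
    findings = []
    for clause in rest.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:] if "=" in tok)
        findings.append((method.lower(), result.lower(), props))
    return authserv_id, findings


def check_dkim(raw_message):
    """Summarise DKIM result, signing identity and DMARC-style alignment."""
    msg = message_from_string(raw_message)
    sig = parse_tag_list(msg.get("DKIM-Signature", ""))
    _, findings = parse_auth_results(msg.get("Authentication-Results", ""))
    results = {method: result for method, result, _ in findings}

    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    d, s = sig.get("d", "").lower(), sig.get("s", "")
    signed_headers = sig.get("h", "").lower().split(":")

    # Simplified alignment: strict = exact match; relaxed = one domain is a
    # subdomain of the other. Real DMARC compares organizational domains via
    # the Public Suffix List; this label comparison is an approximation.
    strict = bool(d) and d == from_domain
    relaxed = strict or (bool(d) and (
        from_domain.endswith("." + d) or d.endswith("." + from_domain)))

    return {
        "dkim": results.get("dkim", "none"),
        "spf": results.get("spf", "none"),
        "signing_domain": d,
        "selector": s,
        "dns_name": f"{s}._domainkey.{d}" if s and d else None,
        "from_signed": "from" in signed_headers,   # RFC 6376 requires From in h=
        "aligned_strict": strict,
        "aligned_relaxed": relaxed,
        # What DMARC will credit: a passing signature from an aligned domain.
        "dmarc_dkim_pass": results.get("dkim") == "pass" and relaxed,
    }


if __name__ == "__main__":
    for label, raw in (("aligned", ALIGNED_MESSAGE), ("unaligned", UNALIGNED_MESSAGE)):
        print(label, check_dkim(raw))
```

Run it and compare the two dictionaries: both messages report dkim=pass, but only the first has dmarc_dkim_pass set, which is exactly the difference between a provider signing with your selector and a provider signing with its own domain. Paste a real message's headers into the raw string to check your own setup.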

DKIM Record Format

A DKIM DNS record looks something like this:

Record name: s1._domainkey.yourdomain.com

Record type: TXT (or CNAME if your provider uses delegated signing)

Record value (TXT): v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...

Many email providers use CNAME records instead of TXT records for DKIM. The CNAME points to a record the provider manages, so they can rotate keys without requiring you to update your DNS. This simplifies key management, with one consequence to keep in mind: for as long as the CNAME exists, the provider controls a key that can sign mail as your domain. Remove the CNAME when you stop using a provider, and treat the selectors in your zone as an inventory of who is allowed to sign for you.

Setting Up DKIM for Multiple Providers

Unlike SPF (which is limited to one record), you can have multiple DKIM records for the same domain because each uses a different selector. If you send email through SendGrid, Mailgun, and Google Workspace, each one gets its own DKIM record with a unique selector name. They do not conflict with each other.

This makes DKIM more flexible than SPF for organizations that use multiple email services. Each provider signs with its own private key and its own selector, and receiving servers check whichever selector is referenced in the DKIM-Signature header.

Common DKIM Mistakes

Not Setting Up DKIM for All Senders

If you set up DKIM for your marketing email but not for Google Workspace or your transactional email service, those messages will not carry a valid DKIM signature for your domain. The same is true when a provider signs only with its own domain (a d= value belonging to the provider) rather than with a selector you published. This matters especially with DMARC, which requires at least one of SPF or DKIM to pass and align with the From domain; a signature that passes but is not aligned does not count.

Forgetting to Verify After Adding DNS

Some providers do not start signing emails until you explicitly verify the DNS record in their dashboard. Adding the DNS record alone may not be enough. Always complete the verification step in your provider's settings.

Key Length Too Short

RSA keys should be at least 1024 bits, and 2048 bits is recommended (RFC 8301 sets 1024 bits as the minimum signers may use and recommends 2048). Some very old configurations still use 512-bit keys, which can be factored cheaply and are rejected by modern receiving servers. Most providers generate 2048-bit keys by default. Two related details: a 2048-bit key makes the TXT value longer than the 255-byte limit on a single DNS character string, so it is normally published as several quoted strings that resolvers concatenate; and an empty p= value is not a misconfiguration but the defined way to revoke a selector, so any signature made with that key will fail.
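
The record format described earlier and the key-length point made here can both be checked offline. The following Python is an added example rather than code from the page or from any provider: it parses a DKIM TXT record (including the split-string form that DNS operators use for long keys), base64-decodes p=, reads the RSA modulus size straight out of the SubjectPublicKeyInfo DER, and flags revoked, undersized or unknown keys. Because it uses only the standard library, the sample records are built by the script itself from a placeholder modulus of the chosen bit length rather than from a real RSA key pair; the encoding is the same one the body of an openssl public-key PEM file uses, so a real p= value parses identically. The record contents, moduli and problem strings are all constructed for the example.

```python
"""Parse a DKIM DNS TXT record and measure the key it publishes.

Added example; not code from the original page or from any provider.
Standard library only, so the sample records are built from a placeholder
modulus of the requested bit length rather than from a real RSA key pair.
"""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _der(tag, content):
    """Minimal DER TLV encoder (definite lengths only)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value):
    """DER INTEGER for a non-negative int (leading 0x00 added when needed)."""
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo DER for an RSA key: the bytes p= carries, base64'd."""
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_public_key))


def rsa_modulus_bits(spki_der):
    """Walk the SPKI structure down to the modulus and return its size in bits."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    tag_alg, alg, pos = _read_tlv(spki, 0)
    if tag != 0x30 or tag_alg != 0x30 or not alg.startswith(_der(0x06, RSA_OID)):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, bitstring, _ = _read_tlv(spki, pos)
    _, rsa_public_key, _ = _read_tlv(bitstring[1:], 0)  # skip unused-bits byte
    _, modulus, _ = _read_tlv(rsa_public_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def build_record(modulus, exponent=65537):
    """The TXT value a provider hands you for an RSA key."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(modulus, exponent)).decode()


def inspect_record(txt):
    """Parse a DKIM TXT record; report key type, key size and anything wrong."""
    # DNS splits values over 255 bytes into several quoted strings; rejoin them.
    quoted = re.findall(r'"([^"]*)"', txt)
    tags = {}
    for part in ("".join(quoted) if quoted else txt).split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = re.sub(r"\s+", "", val)
    report = {"version": tags.get("v"), "key_type": tags.get("k", "rsa"),
              "key_bits": None, "revoked": False, "problems": []}
    if report["version"] != "DKIM1":
        report["problems"].append("v= missing or not DKIM1")
    p = tags.get("p")
    if not p:  # missing p= is invalid; empty p= is the defined revocation signal
        report["revoked"] = p == ""
        report["problems"].append("p= tag missing" if p is None
                                  else "empty p=: key revoked, signatures will fail")
        return report
    try:
        key = base64.b64decode(p, validate=True)
        if report["key_type"] == "rsa":
            report["key_bits"] = rsa_modulus_bits(key)
        elif report["key_type"] == "ed25519":
            report["key_bits"] = len(key) * 8  # raw 32-byte public key (RFC 8463)
        else:
            report["problems"].append(f"unknown key type {report['key_type']!r}")
    except (ValueError, IndexError) as exc:
        report["problems"].append(f"p= does not decode: {exc}")
        return report
    bits = report["key_bits"]
    if report["key_type"] == "rsa" and bits < 1024:
        report["problems"].append(f"{bits}-bit RSA key: below the RFC 8301 minimum")
    elif report["key_type"] == "rsa" and bits < 2048:
        report["problems"].append(f"{bits}-bit RSA key: 2048 recommended")
    return report


if __name__ == "__main__":  # placeholder moduli: right bit length, not real keys
    for r in (build_record((1 << 2047) | 1), build_record((1 << 511) | 1), "v=DKIM1; k=rsa; p="):
        print(inspect_record(r))
```

To audit a live selector, paste the output of dig TXT s1._domainkey.yourdomain.com (quotes included) into inspect_record; the regex handles the multi-string form dig prints for 2048-bit keys.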

Next step: DKIM alone proves message integrity but does not tell receiving servers what to do when checks fail. You need DMARC to complete the picture by setting a policy for failed authentication. See the complete authentication guide for setting up all three protocols together.

Authenticate your email sending and protect your domain reputation. Get your deliverability fundamentals right from day one.
