How to Set Up DKIM
DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every message you send. The receiving server looks up your public key in DNS and uses it to confirm the message really came from your domain and was not tampered with in transit. Together with SPF and DMARC, it is a core part of stopping spoofed email.
How DKIM works
DKIM uses a public/private key pair. Your mail server holds the private key and signs each outgoing message; you publish the matching public key in DNS. The receiver reads the DKIM-Signature header, fetches the public key, and verifies the signature. If it matches, the message is authentic and unchanged.
The public key lives in a TXT record named with a selector:
How to set up DKIM step by step
- Generate a key pair. Almost every email platform generates DKIM keys for you — look for "DKIM" or "email authentication" in its admin settings. Choose a 2048-bit key where offered.
- Copy the public key and selector. The provider gives you a host name (containing ._domainkey) and a TXT value.
- Publish the TXT record exactly as provided in your DNS. Some providers split long keys across quoted strings — paste it verbatim.
- Enable signing back in the email platform once the record resolves. Outgoing mail will then carry a DKIM signature.
- Test by sending a message to a mailbox and checking that DKIM passes in the headers.
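Before enabling signing, the published TXT value can be checked offline. The following is an added example, not code from this page or from any provider. It joins the quoted strings of a split record, parses the tags, and flags a revoked, truncated, or undersized RSA key. The names check_dkim_txt, rsa_bits and sample_record are hypothetical, and the sample key is constructed: it is well-formed DER but not a real RSA key.

```python
import base64, re

def _tlv(buf, pos=0):                       # read one DER element; return (value, next_pos)
    n = buf[pos + 1] & 0x7F if buf[pos + 1] & 0x80 else 0   # long form: number of length bytes
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else buf[pos + 1]
    end = pos + 2 + n + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return buf[end - length:end], end

def rsa_bits(spki):
    """Modulus size of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    outer, _ = _tlv(spki)                   # SubjectPublicKeyInfo SEQUENCE
    _, pos = _tlv(outer)                    # skip AlgorithmIdentifier
    bitstr, _ = _tlv(outer, pos)            # BIT STRING wrapping RSAPublicKey
    rsakey, _ = _tlv(bitstr, 1)             # byte 0 is the unused-bits count
    return int.from_bytes(_tlv(rsakey)[0], "big").bit_length()  # first INTEGER is n

def check_dkim_txt(txt):
    """Return a list of problems in a DKIM TXT value (empty list = OK)."""
    record = "".join(re.findall(r'"([^"]*)"', txt)) or txt   # quoted chunks join with no separator
    tags = {}
    for part in filter(str.strip, record.split(";")):
        name, sep, value = part.partition("=")
        if not sep:
            return [f"malformed tag: {part.strip()!r}"]
        tags[name.strip()] = "".join(value.split())
    problems = [] if tags.get("v", "DKIM1") == "DKIM1" else ["v= must be DKIM1"]
    if not tags.get("p"):
        return problems + ["missing p=" if "p" not in tags else "empty p= (key revoked)"]
    try:
        key = base64.b64decode(tags["p"], validate=True)
        if tags.get("k", "rsa") == "rsa" and rsa_bits(key) < 2048:
            problems.append("RSA key shorter than 2048 bits")
    except (ValueError, IndexError):        # bad base64, or not a complete DER public key
        problems.append("p= is not a valid base64 public key")
    return problems

def _der(tag, body):                        # encoder, used only to build the constructed sample
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(size)]) + size) + body

def sample_record(bits):                    # constructed TXT value; valid DER, not a real RSA key
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))   # rsaEncryption OID, NULL
    rsakey = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    p = base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsakey))).decode()
    return f'"v=DKIM1; k=rsa; p={p[:200]}" "{p[200:]}"'   # split into two quoted strings
```

Pasting only the first quoted string of a split key is reported as an invalid public key, because the DER structure declares more bytes than the record contains.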
Key rotation and multiple senders
Selectors let you publish more than one key at a time, which makes rotation painless: publish a new selector, switch signing to it, then retire the old one. Each sending service typically uses its own selector, so a domain often has several ._domainkey records — one per platform.
Verify and keep DKIM healthy
A missing or malformed DKIM record silently breaks authentication. ZoneWatcher's DKIM monitor validates your selector records so a botched edit or an expired key does not go unnoticed.
DKIM is most effective alongside SPF and DMARC — DMARC is what ties a DKIM pass to your visible From address. See SPF vs DKIM vs DMARC.