Guide

DKIM, explained — and how to set it up

DKIM cryptographically signs your outgoing mail so receivers can prove it's genuinely from you and wasn't tampered with.

Check your DKIM record

What it is

DKIM (DomainKeys Identified Mail) adds a digital signature to every message you send. Your mail provider holds a private key and signs outgoing mail; you publish the matching public key in DNS. Receivers verify the signature to confirm the message is really from you and hasn't been altered in transit.

The public key lives at a "selector" — a name your provider gives you — so you can run several keys at once, one per sending service.

Why it matters

DKIM is the second pillar of email authentication and, unlike SPF, it survives forwarding — so it's often what keeps forwarded mail passing DMARC.

DMARC needs at least one of SPF or DKIM to pass and align. Strong DKIM is the most reliable way to get there.

How to set it up

  1. 1Turn on DKIM in your mail provider's admin console — they generate a key and give you a selector plus either a TXT value or a CNAME to publish.
  2. 2Publish it in DNS at <selector>._domainkey.yourdomain.com exactly as provided.
  3. 3Send a test message and confirm it's being signed (our checker or the message headers will show DKIM=pass).
  4. 4Rotate keys periodically and remove old selectors you no longer use.

Record structure & options

Your mail provider signs outgoing messages with a private key; you publish the matching public key in DNS at a 'selector' name they give you. Receivers verify the signature.

Where it lives
<selector>._domainkey.yourdomain.com · TXT record
Example
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4G...
Options
v=DKIM1
Version.
k=
Key type — rsa (common) or ed25519.
p=
The public key itself (required). An empty p= revokes the key.
t=
Flags — t=y means 'testing', t=s means the domain must match exactly.
h= / s=
Restrict allowed hash algorithms / service types.

The selector (e.g. 'google', 'selector1', 'k1') is chosen by your provider — you can have several, one per sending service.

Common problems

The checker says DKIM isn't found.
You're probably checking the wrong selector, or DNS hasn't propagated. The selector is provider-specific (e.g. google, selector1, k1) — publish the record at <selector>._domainkey.yourdomain.com and re-check.
My DKIM public key is too long for one TXT record.
DNS TXT strings are capped at 255 characters. Split the key into multiple quoted strings within the same record — your DNS host usually handles this automatically.
Does DKIM alone stop spoofing?
No — DKIM proves authenticity but doesn't tell receivers to reject unsigned mail. You need a DMARC policy at quarantine or reject for that.

Check it — then keep it healthy

Run a free scan now, or let DomainHealthPro monitor it continuously and alert you the moment it breaks.

More guides