SPFWise

How to Set Up DKIM

DKIM signs your mail so receivers can prove it came from you. Here is how to generate the key, publish the record, enable signing, and confirm it works.

Jul 3, 2026 · 4 min read

DKIM (DomainKeys Identified Mail) signs every message you send with a private key, and receivers verify that signature against a public key in your DNS. A valid signature proves the message came from your domain and was not changed in transit. Here is how to turn it on.

Step 1: generate the key in your sending platform

DKIM keys are created by the service that sends your mail, not by hand. In Google Workspace, Microsoft 365, SendGrid, Mailchimp and the rest, there is a DKIM or domain authentication section that generates a key and gives you the DNS records to publish. Ask for a 2048-bit key where you can choose, since 1024-bit is weak.

Step 2: publish the DNS records

The platform gives you one or more records to add, usually CNAME or TXT, at a selector under _domainkey. For example:

selector1._domainkey.yourdomain.com

The selector is just a label that lets you rotate keys later. Publish exactly what the provider shows you.

Step 3: enable signing

Publishing the record is not enough. You must also switch DKIM signing on inside the platform. Some providers wait until the DNS record is visible before they let you enable it.

Step 4: verify it works

Send a test message and check the headers for a DKIM signature with a dkim=pass result, or scan your domain. Note that DKIM selectors cannot be discovered from DNS, so a scanner can only confirm the common ones. If yours uses a custom selector, the surest check is a real message.
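The header check from Step 4, as an added example that is not part of the original guide: it reads a raw message, rebuilds the selector._domainkey DNS name from the DKIM-Signature tags, and returns the dkim= verdicts from the receiving server's Authentication-Results header. The sample message, the name mx.receiver.example and the function names are constructed for illustration.

```python
import email

# Constructed sample message; domains, selector and signature values are placeholders.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass (2048-bit key) header.d=example.com header.s=selector1;
 spf=pass smtp.mailfrom=example.com
Authentication-Results: mx.untrusted.example; dkim=pass header.d=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=selector1; h=from:to:subject:date;
 bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE
From: sender@example.com
Subject: DKIM test

test body
"""

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def dkim_report(raw, trusted_authserv):
    """Return the DNS names to look up and the receiver's DKIM verdicts."""
    msg = email.message_from_string(raw)
    dns_names = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        if "s" in tags and "d" in tags:
            dns_names.append(f"{tags['s']}._domainkey.{tags['d']}")
    verdicts = []
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        # Only trust results stamped by your own receiving server;
        # any other Authentication-Results header could be sender-supplied.
        if authserv.split()[:1] != [trusted_authserv]:
            continue
        for chunk in rest.split(";"):
            tokens = chunk.split()
            if tokens and tokens[0].startswith("dkim="):
                props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
                verdicts.append((tokens[0][5:], props.get("header.d"), props.get("header.s")))
    return {"dns_names": dns_names, "verdicts": verdicts}
```

Because the selector is read from the s= tag of a real message, this works for custom selectors that a DNS scan cannot guess.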


DKIM proves integrity, but it needs DMARC to enforce a policy and require alignment. Set that up next.
