DNS guide

DKIM Record Setup Guide

A DKIM record publishes your public signing key in DNS. Mail servers use it to verify that your emails haven't been tampered with. Here's how to add it correctly and avoid the common truncation mistake.

What a DKIM record looks like

google._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

Format: Name: [selector]._domainkey.yourdomain.com · Type: TXT · Value: v=DKIM1; k=rsa; p=[public key]

The truncation trap

DKIM public keys are long. Some DNS providers split them incorrectly. The full key must be in one record. If it's split wrong, DKIM verification fails silently.

Check DKIM selectors and strength

Open DNS Preflight →

Related: DKIM · DKIM key length · DKIM signature failed

Step by step

Step 1 Generate your DKIM key in your email provider's dashboard.

Step 2 Copy the full TXT record value — all of it, including the long p= string.

Step 3 Add the TXT record at [selector]._domainkey.yourdomain.com.

Step 4 Verify the full key is published — check it's not truncated.

Step 5 Run DNS Preflight to confirm DKIM pass and key strength.

FAQ

What is a DKIM record?

A TXT record that publishes your DKIM public key. Mail servers use it to verify your email signatures.

Where does the DKIM record go in DNS?

At [selector]._domainkey.yourdomain.com — for example google._domainkey.yourdomain.com for Google Workspace.

What key size should I use?

2048-bit minimum. 1024-bit is weak and should be rotated immediately. DNS Preflight shows your key strength.

Why does my DKIM record look wrong after adding it?

Probably truncated by your DNS provider. DKIM keys are long — check that the full p= value is preserved in the record.

How do I verify my DKIM record works?

Run DNS Preflight — it checks 14 common selectors and shows key strength for each one found.

← All DNS record guides

Open DomainPreflight →