DNS provider
Add a DKIM record in Amazon Route 53
DKIM publishes a public key at selector._domainkey.yourdomain. Copy the exact string your mail provider gives you.
Provider gotcha: TXT values must be wrapped in quotes in the value field. Multiple strings in one TXT are entered as separate quoted strings on one line.
See DKIM DNS.
Step by step
Step 1 AWS Console → Route 53 → Hosted zones → select your domain → Create record.
Step 2 Name/host: your selector +
._domainkey (For apex SPF, leave the record name blank (not @). For DMARC use _dmarc in the name field.).Step 3 Value from your ESP (often one long string):
"v=DKIM1; k=rsa; p=" "MIGfMA0GCSqGSIb3DQEBA..."
Step 4 Save. Truncated keys fail open verification. TXT values must be wrapped in quotes in the value field. Multiple strings in one TXT are entered as separate quoted strings on one line.
Step 5 If the UI splits into 255-char chunks, that is normal for DNS — the full key must still be complete.
Step 6 Send test mail; run DNS Preflight for DKIM strength. DKIM guide.
DNS Preflight — full auth check for your domain.
Propagation — compare resolvers.
FAQ
What name do I enter for DKIM?
selector._domainkey as your provider’s UI expects — see the gotcha on this page for your host.
Why dkim=fail?
Truncated key, wrong selector, or signing with a different selector than DNS.
2048 vs 1024?
Prefer 2048-bit keys; rotate 1024-bit legacy keys.
Does Amazon Route 53 split long TXT?
Many providers auto-chunk; ensure the full key is present.
How to test?
Send mail and check headers — then DNS Preflight for the published key.