DNS provider
Add a DKIM record in Cloudflare DNS
DKIM publishes a public key at selector._domainkey.yourdomain. Copy the exact string your mail provider gives you.
Provider gotcha: Proxy (orange cloud) must be grey (DNS only) for MX records, mail A records, and anything that must resolve exactly for mail. TXT for DMARC/SPF/DKIM should also use DNS-only — orange cloud can interfere with how some tools read mail DNS.
See DKIM DNS.
Step by step
Step 1 Open the Cloudflare Dashboard → DNS → Records → Add record.
Step 2 Name/host: your selector +
._domainkey (Use the subdomain only in the Name field — e.g. _dmarc or @ for apex, not the full hostname.).Step 3 Value from your ESP (often one long string):
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA...
Step 4 Save. Truncated keys fail open verification. Proxy (orange cloud) must be grey (DNS only) for MX records, mail A records, and anything that must resolve exactly for mail. TXT for DMARC/SPF/DKIM should also use DNS-only — orange cloud can interfere with how some tools read mail DNS.
Step 5 If the UI splits into 255-char chunks, that is normal for DNS — the full key must still be complete.
Step 6 Send test mail; run DNS Preflight for DKIM strength. DKIM guide.
DNS Preflight — full auth check for your domain.
Propagation — compare resolvers.
FAQ
What name do I enter for DKIM?
selector._domainkey as your provider’s UI expects — see the gotcha on this page for your host.
Why dkim=fail?
Truncated key, wrong selector, or signing with a different selector than DNS.
2048 vs 1024?
Prefer 2048-bit keys; rotate 1024-bit legacy keys.
Does Cloudflare DNS split long TXT?
Many providers auto-chunk; ensure the full key is present.
How to test?
Send mail and check headers — then DNS Preflight for the published key.