Guide
How to Set Up DKIM: The Complete Guide
DKIM adds a cryptographic signature to every email you send. Receivers use your public key in DNS to verify the signature. This guide covers generating keys, publishing records, and troubleshooting common failures.
DKIM proves a message was not tampered with in transit — and that a signer you trust vouched for it. The sending server holds a private key; DNS publishes the public key. Receivers verify the signature against hashes of the canonicalized headers and body. This guide walks through key generation, DNS publication, selector strategy, rotation, and failure modes. Terms: DKIM glossary, selectors.
What DKIM does
Unlike SPF (IP authorization), DKIM is cryptographic. It survives forwarding less predictably than SPF in some cases, but it aligns with your brand domain when configured correctly. DMARC “pass” typically needs DKIM or SPF alignment — DKIM is often easier for ESPs because they control signing with their infrastructure.
How DKIM signing works
Outbound mail gets a DKIM-Signature header with d= (signing domain), s= (selector), and hashes over canonicalized headers/body. The receiver looks up s._domainkey.d TXT, parses the public key, and verifies. If DNS is wrong or the key does not match, you see signature failed or dkim=none in diagnostics.
Generating a DKIM key
Most teams generate keys inside their ESP (Google, Microsoft, SendGrid, etc.). Self-hosters use OpenSSL or mail stack wizards (Postfix/OpenDKIM, Exim, rspamd). Minimum key size today is 2048-bit; 1024-bit keys are legacy and should be rotated — see key length fix.
Publishing the DKIM record
The record is a TXT at selector._domainkey.example.com. Its value contains v=DKIM1, k=rsa, and p= with the base64-encoded public key. Some DNS panels split long values into multiple quoted strings — that is fine; resolvers concatenate them. Truncation is a common outage: if you paste half a key, verification fails silently for a percentage of traffic.
Our DKIM DNS page lists pitfalls (quotes, 255-char chunks, CNAME vs TXT). Double-check with a DNS lookup from multiple resolvers after publishing.
Key length — why 2048-bit matters
1024-bit RSA is within reach of nation-scale adversaries and increasingly casual attackers. Providers have moved to 2048-bit defaults. If your panel still shows 1024, plan rotation — rotate keys safely by dual-publishing old and new selectors before cutover.
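The record checks described in the publishing and key-length sections above, as an added Python example that is not part of this guide or of any DNS Preflight tooling: it reassembles a TXT value split into quoted 255-character strings, parses the v=/p= tags, walks the DER-encoded RSA public key with no third-party library, and reports the modulus size so a 1024-bit key or a truncated paste is caught before mail fails. The `synthetic_dkim_record` helper builds a test record around a made-up modulus (not a real key) purely to exercise the parser.

```python
import base64
import re

def der(tag, content):
    """Minimal DER TLV encoder (definite-length form only)."""
    if len(content) >= 0x80:
        lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + content
    return bytes([tag, len(content)]) + content

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep INTEGER positive

def synthetic_dkim_record(bits, chunk=255):
    """TXT value around a SYNTHETIC `bits`-bit modulus (not a real key), split into quoted <=255-char strings as DNS panels store it."""
    rsa_key = der(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption, NULL
    spki = der(0x30, alg + der(0x03, b"\x00" + rsa_key))
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
    return " ".join('"%s"' % value[i:i + chunk] for i in range(0, len(value), chunk))

def read_der(buf, pos):
    """Return (content, next_pos) of the TLV at pos; raise if its length overruns buf."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data (truncated paste?)")
    return buf[pos:pos + length], pos + length

def check_dkim_record(txt):
    """Reassemble quoted strings, parse tag=value pairs, report RSA key size as (ok, detail)."""
    joined = "".join(re.findall(r'"([^"]*)"', txt)) or txt
    tags = {k.strip(): v.strip() for k, _, v in (t.partition("=") for t in joined.split(";")) if k.strip()}
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return False, "unexpected v= tag or empty p= (revoked key or nothing pasted)"
    try:
        spki = base64.b64decode(tags["p"].replace(" ", ""), validate=True)
        body, _ = read_der(spki, 0)           # SubjectPublicKeyInfo
        _, pos = read_der(body, 0)            # AlgorithmIdentifier (skipped)
        bitstr, _ = read_der(body, pos)       # BIT STRING wrapping RSAPublicKey
        rsa, _ = read_der(bitstr, 1)          # offset 1 skips the unused-bits octet
        modulus, _ = read_der(rsa, 0)         # INTEGER n
    except (ValueError, IndexError) as exc:   # bad base64 or malformed/short DER
        return False, "p= is not a valid RSA public key: %s" % exc
    bits = int.from_bytes(modulus, "big").bit_length()
    return bits >= 2048, "RSA modulus is %d bits" % bits
```

Feed `check_dkim_record` the raw TXT answer from several resolvers; a result that differs between them usually means a half-pasted or not-yet-propagated record.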
Verifying your DKIM record
Use DNS Preflight — it probes common selectors and reports key strength when found. Send a test message and inspect DKIM-Signature in raw headers; the selector there must match DNS.
DKIM selectors — what they are
Selectors let you run multiple keys concurrently — for rotation, multi-tenant ESP setups, or product lines. A mismatch (s=mar2026 in header but DNS only has default._domainkey) fails verification. Troubleshooting: selector issues and signature failed.
Rotating DKIM keys safely
Publish the new selector, verify traffic signs with it, then remove the old key after an overlap window (often 48–168 hours depending on volume). Never delete the old DNS record first. Playbook: rotate keys.
Why DKIM alone is not enough
DKIM proves integrity and ties to a domain, but without DMARC, receivers may still accept spoofed From: domains that do not align. Layer DMARC for policy. Combine with SPF for coverage when forwarding breaks DKIM.
Tool: Probe DKIM selectors, key strength, and DNS publication in one check.
FAQ
What is DKIM?
An email authentication method that adds a digital signature to outgoing email. Receivers verify it using your public key in DNS.
What DKIM key size should I use?
2048-bit minimum. 1024-bit is weak and should be rotated. DNS Preflight shows your current key strength.
What is a DKIM selector?
A label identifying which DKIM key to use. Appears as s=[selector] in the DKIM-Signature header and must match a DNS TXT record.
How do I verify DKIM is working?
Run DNS Preflight — it tries 14 common selectors and shows key strength for each one found.
Why does DKIM fail after working fine?
Usually key rotation — old key in DNS, new key signing. Or message alteration by a mailing list. Check raw headers in the DomainPreflight Email tool.