DKIM Setup Guide

Learn how DKIM works and how to monitor your DKIM configuration with DMARC Monitor.

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to outgoing emails. This signature allows receiving servers to verify that the email was actually sent by an authorized server and wasn't modified in transit.

How DKIM Works

  1. Your email server signs outgoing emails with a private key
  2. The signature is added to the email header as DKIM-Signature
  3. Receiving servers look up your public key from DNS
  4. They use the public key to verify the signature matches
  5. If it matches, DKIM passes and the email is verified as authentic

DKIM DNS Record

DKIM uses a TXT record at a specific selector subdomain. For example, if your selector is "google":

Type: TXT

Host: google._domainkey

Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqh...

The "p=" part contains your public key. Each email service (Google, Microsoft, SendGrid, etc.) has its own selector and key.

Setting Up DKIM

DKIM setup varies by email provider. Here are the most common:

Google Workspace

  1. Go to Admin Console → Apps → Google Workspace → Gmail → Authenticate email
  2. Click "Generate new record" for your domain
  3. Add the TXT record to your DNS
  4. Click "Start authentication"

Microsoft 365

  1. Go to Microsoft 365 admin center → Settings → Domains
  2. Select your domain and click "DNS records"
  3. DKIM records are usually auto-configured with CNAME records
  4. Add the CNAME records pointing to Microsoft's DKIM selectors

Third-Party Services (SendGrid, Mailchimp, etc.)

  1. Go to your email service's settings
  2. Find the "Domain Authentication" or "DKIM" section
  3. Generate DKIM keys for your domain
  4. Add the provided DNS records (usually CNAME or TXT)

DKIM Record Tags

| Tag | Description |
| --- | --- |
| v=DKIM1 | Version identifier (required) |
| k=rsa | Key type (rsa is most common) |
| p= | Public key (base64 encoded) |
| t=s | Testing mode (optional) |
| h=sha256 | Hash algorithm |

Common DKIM Issues

Key Too Long for DNS

Some DNS providers have character limits. You may need to split the key into multiple strings or use 1024-bit keys instead of 2048-bit.
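Added example (not part of the original guide and not DMARC Monitor's own code): a small Python check for the record format and tags described above, which also joins a key that was split into multiple quoted strings before validating it. The function names are hypothetical, and the sample key is constructed filler bytes rather than a real RSA key.

```python
import base64
import re

def join_txt_strings(rdata):
    """Join the quoted chunks of a split TXT value with no separator, as DNS clients do."""
    chunks = re.findall(r'"([^"]*)"', rdata)
    return "".join(chunks) if chunks else rdata.strip()

def parse_dkim_record(rdata):
    """Split 'tag=value; tag=value' into a dict, rejecting malformed tags."""
    tags = {}
    for part in join_txt_strings(rdata).split(";"):
        if not part.strip():
            continue  # a trailing ';' is fine
        name, sep, value = (s.strip() for s in part.partition("="))
        if not sep or not name:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name] = value
    return tags

def check_dkim_record(rdata):
    """Return a list of problems found in a DKIM key record; an empty list means none."""
    try:
        tags = parse_dkim_record(rdata)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("v= should be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    key = "".join(tags.get("p", "").split())  # whitespace inside the base64 is ignored
    if "p" not in tags:
        problems.append("missing p= (public key)")
    elif not key:
        problems.append("p= is empty (RFC 6376: key revoked)")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:
            problems.append("p= is not valid base64 (truncated or badly split key?)")
    return problems

# Constructed sample: 294 filler bytes (the DER size of a 2048-bit RSA key); NOT a real key.
KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
RECORD = "v=DKIM1; k=rsa; p=" + KEY
SPLIT = '"%s" "%s"' % (RECORD[:255], RECORD[255:])  # two strings of at most 255 chars
TRUNCATED = '"%s"' % RECORD[:255]  # only the first string was published
```

Running check_dkim_record on the TXT value your DNS provider actually serves shows whether a split key was reassembled intact or cut off at the first string.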

Wrong Selector

Each email service uses different selectors. Make sure you're using the correct selector name (e.g., "google", "selector1", "s1").

DNS Propagation

After adding DKIM records, wait up to 48 hours for DNS propagation before enabling authentication.

DKIM + DMARC

DKIM is one of two mechanisms DMARC uses to authenticate email (the other being SPF). For an email to pass DMARC, it needs:

  • SPF pass + alignment with From domain, OR
  • DKIM pass + alignment with From domain

Tip: Set up both SPF and DKIM for maximum protection. If one fails, the other can still authenticate your email.

How DMARC Monitor Helps

  • DKIM validation: We check your DKIM records for each selector
  • DMARC reports: See which emails pass/fail DKIM authentication
  • Selector discovery: Identify which selectors are in use from DMARC reports
  • Change alerts: Get notified if your DKIM configuration changes