How to Set Up DKIM: The Complete Guide
Step-by-step guide to setting up DKIM email authentication for any domain. Learn how to generate keys, publish DNS records, and verify your configuration.
Last updated: 2026-04-15
Every email you send without DKIM is an email that receiving servers have no reason to trust. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing messages, proving they genuinely came from your domain and weren't tampered with in transit. Without it, inbox providers like Gmail and Outlook are more likely to flag your messages as suspicious or route them straight to spam.
The good news is that setting up DKIM is straightforward. You generate a key pair, publish the public key in your DNS, configure your mail server to sign outgoing messages, and verify that everything works. This guide walks you through the entire process for any domain and any email service.
What You Need Before Starting
Before you touch any settings, make sure you have access to three things:
- Your domain's DNS (Domain Name System) settings. You'll add a TXT record, so you need login access to wherever your DNS is managed (your domain registrar, Cloudflare, Route 53, or another DNS provider).
- Your email service admin panel. Whether it's Google Workspace, Microsoft 365, SendGrid, or a self-hosted server, you need admin access to configure signing.
- Your domain ownership confirmed. You can only set up DKIM for domains you control. If you send from a subdomain, make sure you can add DNS records for that subdomain too.
Using a cloud email service?
If you use Google Workspace, Microsoft 365, Mailchimp, SendGrid, or another hosted email provider, they handle key generation and signing for you. Your main job is publishing the DNS record they provide and enabling DKIM in their admin panel. See our provider-specific guides for exact steps.
The DKIM Setup Process
Setting up DKIM involves four core steps. The specifics vary by provider, but the process is the same everywhere.
Generate a DKIM key pair
DKIM uses public-key cryptography. You need two keys that are mathematically linked:
- A private key that stays on your mail server and is used to sign every outgoing email
- A public key that you publish in DNS so receiving servers can verify those signatures
Most hosted email providers generate both keys for you automatically. If you manage your own mail server or need to generate keys manually, use dkimcreator.com to create a key pair in seconds.
You'll also choose a selector, a short label like default, s1, google, or mail. The selector lets you have multiple DKIM keys for the same domain, which is essential when you use more than one service to send email.
Publish the public key as a DNS TXT record
Take the public key and add it to your domain's DNS as a TXT record. The record name follows a specific format:
selector._domainkey.yourdomain.com
For example, if your selector is s1 and your domain is example.com, you create a TXT record at s1._domainkey.example.com. The record value looks like this:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFA...
The v=DKIM1 tag identifies this as a DKIM record, k=rsa specifies the key type, and the p= tag carries the public key itself as a long base64-encoded string. Paste it carefully and avoid introducing extra spaces or line breaks.
Configure your mail server to sign outgoing email
Install the private key on your mail server or enable DKIM signing in your email provider's admin panel. This is where it varies most by provider:
- Google Workspace: Generate the key in the Admin Console, publish the DNS record, then click "Start Authentication"
- Microsoft 365: Enable DKIM signing in the Microsoft Defender portal after publishing the CNAME records
- SendGrid, Mailchimp, and other ESPs: Most begin signing automatically once they detect the DNS record
- Self-hosted (Postfix, Exim): Install OpenDKIM or rspamd, configure the private key path and selector, and restart the mail service
Some providers require you to explicitly enable signing after adding the DNS record. Don't skip this. Having the public key in DNS does nothing if your server isn't actively signing messages.
Test and verify your configuration
After completing the setup, verify both sides: the DNS record and the actual signing. First, check that your public key is published correctly. Then send a test email to an external address and examine the message headers for dkim=pass.
Generating DKIM Keys
If your email provider doesn't generate keys for you, you need to create them yourself. Here's what to know:
Use 2048-bit RSA keys. This is the current standard recommendation, aligning with NIST (National Institute of Standards and Technology) SP 800-131A guidance on minimum key sizes. They offer strong security and are supported by all major email providers. The older 1024-bit keys still work but provide weaker protection and are being phased out.
Watch for DNS character limits. 2048-bit keys produce long public key strings. Some DNS providers have character limits on TXT records that can truncate your key. If you hit this issue, check whether your provider supports splitting the value across multiple quoted strings (most modern providers do). If not, a 1024-bit key is your fallback.
Generate a key pair quickly at dkimcreator.com. You'll get both the private key (for your server) and a ready-to-paste DNS record.
Publishing Your DKIM Record in DNS
The most common setup mistake happens at this step: getting the DNS hostname wrong. Different DNS providers handle hostnames differently:
- Some want just the subdomain part: enter s1._domainkey and the provider auto-appends your domain
- Others want the full hostname: enter s1._domainkey.yourdomain.com
If you enter the full hostname on a provider that auto-appends, you end up with s1._domainkey.yourdomain.com.yourdomain.com, and no receiving server will ever find your record. When in doubt, check your provider's documentation or look at how your existing DNS records are formatted.
After publishing, allow time for DNS propagation. Most changes take effect within minutes, but it can take up to 48 hours for all DNS resolvers worldwide to see the new record.
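As an added example (not code from this page or from dkimcreator.com), the Python below covers the three things that go wrong at this step: the hostname a provider expects, a long 2048-bit value split into quoted strings of at most 255 characters (the per-string limit of a TXT record), and a parser that re-joins the strings and rejects a truncated or mangled p= key. The sample key is a constructed DER blob of the right size, not a real key.

```python
import base64
import re

# A TXT record is a list of "character-strings" of at most 255 octets each (RFC 1035);
# a 2048-bit key does not fit in one, so the value is split and receivers re-join it.
MAX_TXT_STRING = 255

# Constructed sample, not a real key: DER bytes shaped like a 2048-bit RSA SPKI (4 + 290).
SAMPLE_KEY_B64 = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()

def dkim_record_name(selector, domain, provider_appends_domain):
    """Hostname to enter in the DNS panel (auto-appending providers want only the label)."""
    label = f"{selector}._domainkey"
    return label if provider_appends_domain else f"{label}.{domain}"

def build_dkim_txt(public_key_b64, key_type="rsa"):
    """TXT value split into quoted strings of at most 255 characters."""
    value = f"v=DKIM1; k={key_type}; p={public_key_b64}"
    chunks = [value[i:i + MAX_TXT_STRING] for i in range(0, len(value), MAX_TXT_STRING)]
    return " ".join(f'"{c}"' for c in chunks)

def _der_length_ok(der):
    """True if the outer DER SEQUENCE length matches the blob (a truncated key fails)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def parse_dkim_txt(txt):
    """Re-join quoted strings, parse tag=value pairs and validate p=;
    raises ValueError for the mistakes the guide warns about."""
    joined = "".join(re.findall(r'"([^"]*)"', txt)) or txt
    tags = {}
    for field in joined.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DKIM1":
        raise ValueError("record must begin with v=DKIM1")
    # RFC 6376 ignores whitespace inside p=, so strip a line-wrapped paste.
    key = re.sub(r"\s+", "", tags.get("p", ""))
    if not key:
        raise ValueError("p= is empty: no public key published")
    der = base64.b64decode(key, validate=True)  # binascii.Error is a ValueError
    if not _der_length_ok(der):
        raise ValueError("p= decodes to a truncated or malformed key")
    tags["p"] = key
    return tags
```

Feed parse_dkim_txt the quoted strings exactly as your DNS provider or a dig query shows them; a key cut off by a TXT length limit is reported instead of silently accepted.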
Verify Your DKIM Setup
Once your DNS record is published and signing is enabled, verify the full setup with our free DKIM test tool.
If the tool finds your record with no errors, your DNS side is working. Next, send a test email to an external account (Gmail works well for this) and check the message headers. Look for the Authentication-Results header; you should see dkim=pass.
Testing Your Setup End to End
Verifying the DNS record is only half the test. You also need to confirm that your mail server is actively signing outgoing messages:
- Send an email from your domain to an external Gmail or Outlook account
- Open the received email and view the full message headers (in Gmail: three-dot menu, then "Show original")
- Look for a DKIM-Signature header, which confirms your server is signing
- Look for dkim=pass in the Authentication-Results header, which confirms the signature verified successfully
If you see dkim=none, your server isn't signing. Go back to step 3 of the setup process and make sure signing is enabled. If you see dkim=fail, the signature exists but didn't verify. Check our troubleshooting guide to diagnose the issue.
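An added example, not from the original page: Python that reads the headers of a received test message (a constructed sample with placeholder bh= and b= values, not a real capture) and maps dkim=pass, dkim=fail and a missing DKIM-Signature header to the next step described above, naming the selector._domainkey record the receiver looked up.

```python
import email
import re
from email import policy

# Constructed sample of what Gmail's "Show original" displays for a signed
# message (not a real capture; bh= and b= hold placeholders, not real values).
SAMPLE_MESSAGE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=s1 header.b=abcdefgh;
       spf=pass smtp.mailfrom=sender@example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;
        h=from:to:subject:date; bh=placeholderbodyhash=; b=placeholdersig==
From: sender@example.com
To: tester@gmail.example
Subject: DKIM test
"""

def parse_dkim_signature(msg):
    """Tag=value pairs of the first DKIM-Signature header, or {} if unsigned."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {}
    tags = {}
    for field in str(sig).split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def dkim_result(msg):
    """The dkim= verdict from Authentication-Results ('pass', 'fail', 'none', ...)."""
    for hdr in msg.get_all("Authentication-Results", []):
        found = re.search(r"\bdkim=([a-z]+)", str(hdr))
        if found:
            return found.group(1)
    return "none"

def diagnose(raw_message):
    """Map the header evidence to the next step in the guide."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sig = parse_dkim_signature(msg)
    result = dkim_result(msg)
    if not sig:
        return result, "no DKIM-Signature header: signing is not enabled (setup step 3)"
    record = f"{sig.get('s')}._domainkey.{sig.get('d')}"  # the TXT record receivers look up
    if result == "pass":
        return result, f"signed as d={sig.get('d')} s={sig.get('s')}, verified via {record}"
    if result == "fail":
        return result, f"signature present but did not verify: check the TXT record at {record}"
    return result, f"signature present but receiver reported dkim={result}: check {record}"
```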
Complete Your Email Authentication
DKIM is one piece of the email authentication puzzle. For maximum deliverability and protection against domain spoofing, you also need SPF and DMARC:
- SPF tells receiving servers which IP addresses are authorized to send email for your domain. Check yours at spfrecordcheck.com.
- DMARC ties SPF and DKIM together with a policy that instructs receiving servers what to do when authentication checks fail. Check yours at dmarcrecordchecker.com.
All three protocols working together give you the strongest possible email authentication and the best chance of reaching the inbox.
Setting Up DKIM for Multiple Sending Services
Most businesses use more than one service to send email: a primary inbox provider, a marketing platform, a transactional email service, maybe a CRM or helpdesk. Each service needs its own DKIM configuration with a unique selector.
Your DNS might end up with records like:
- google._domainkey.yourdomain.com for Google Workspace
- k1._domainkey.yourdomain.com for Mailchimp
- s1._domainkey.yourdomain.com for SendGrid
Each service provides its own key pair and selector. They coexist without conflict because each uses a different selector name. For more details, see our guide on managing multiple DKIM records.
Test immediately after setup
Don't wait until a customer complains about missing emails. Test your DKIM setup within minutes of making changes using our free checker above and by sending a test email. Problems are much easier to fix while the configuration is fresh in your mind.
Provider-Specific Setup Guides
We have detailed guides for the most popular email services and DNS providers:
Email services: Google Workspace, Microsoft 365, Gmail, Mailchimp, SendGrid, Amazon SES, Mailgun, HubSpot, Klaviyo, Salesforce, Zoho Mail
DNS providers: Cloudflare, GoDaddy, Namecheap, IONOS, cPanel, Squarespace, Wix
References
- NIST SP 800-131A Rev. 2. Guidance on transitioning to stronger cryptographic key lengths.
Monitor Your DKIM Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.