How to Add DKIM Records in Cloudflare
Step-by-step guide to adding DKIM DNS records in Cloudflare. Learn how to configure DKIM for Google Workspace, Microsoft 365, and other email services using Cloudflare DNS.
Last updated: 2026-01-28
Cloudflare is one of the most popular DNS providers, known for its speed and security features. If you manage your domain's DNS through Cloudflare, you'll add your DKIM records there. This guide walks you through the process.
Cloudflare is your DNS provider—it hosts your DNS records. Your DKIM keys come from your email service (Google Workspace, Microsoft 365, Mailchimp, etc.). Cloudflare's job is to publish those records so receiving mail servers can find them.
Before You Start
You'll need:
- Access to your Cloudflare account
- Your domain added to Cloudflare with DNS management active
- The DKIM record details from your email service (selector and public key or CNAME target)
Get your DKIM record information from your email provider first—Cloudflare doesn't generate DKIM keys.
Adding a DKIM TXT Record
Most email services use TXT records for DKIM (Google Workspace, Postmark, Mailgun, etc.).
Log into Cloudflare
Go to dash.cloudflare.com and sign in.
Select your domain
Click on the domain you want to configure DKIM for.
Go to DNS settings
Click DNS in the left sidebar, then Records.
Add a new record
Click Add record and select TXT as the type.
Enter the record details
- Name: Enter the selector and _domainkey. For example:
  - Google Workspace: google._domainkey
  - Mailgun: smtp._domainkey
  - Custom: yourselector._domainkey
- Content: Paste the full DKIM value from your email service, starting with v=DKIM1
- TTL: Auto (or 3600)
- Proxy status: Should show "DNS only" (gray cloud) - DKIM records cannot be proxied
Save the record
Click Save.
Adding a DKIM CNAME Record
Some services like Microsoft 365, Mailchimp, and SendGrid use CNAME records.
Add a new record
In Cloudflare DNS, click Add record and select CNAME as the type.
Enter the CNAME details
For Microsoft 365:
- Name: selector1._domainkey
- Target: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
- Proxy status: DNS only (gray cloud)
For Mailchimp:
- Name: k1._domainkey
- Target: dkim.mcsv.net
- Proxy status: DNS only
Save and repeat
Save the record. If your service requires multiple CNAME records (like Microsoft 365's selector1 and selector2), add each one.
DKIM records must have proxy status set to "DNS only" (gray cloud icon). If you accidentally enable the orange cloud proxy, DKIM lookups will fail.
Verify Your DKIM Record
After adding the record, verify it's published correctly.
Cloudflare DNS propagation is typically very fast—often within a minute. If your record doesn't appear immediately, wait a few minutes and try again.
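One way to check the published value by hand, as an added example that is not part of the original guide: the function names are hypothetical, and the sample answer is constructed from placeholder bytes rather than a real key. It joins the quoted chunks that dig prints for a long TXT value and reports the usual copy-and-paste faults.

```python
import base64
import binascii
import re

def join_txt_strings(dig_answer: str) -> str:
    """Concatenate the quoted chunks dig prints for a long TXT value.

    A single DNS character-string holds at most 255 bytes, so a 2048-bit key
    comes back as several quoted strings that are joined with no separator.
    """
    chunks = re.findall(r'"([^"]*)"', dig_answer)
    return "".join(chunks) if chunks else dig_answer.strip()

def check_dkim_txt(dig_answer: str) -> list:
    """Return the problems found in a DKIM key record; an empty list means none."""
    record = join_txt_strings(dig_answer)
    if not record:
        return ["no TXT data returned: check the Name field and that the record was saved"]
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = value.strip()
    problems = []
    if not record.startswith("v=DKIM1"):
        problems.append("value does not start with v=DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type k=" + tags["k"])
    key = "".join(tags.get("p", "").split())  # whitespace inside p= is allowed
    if not key:
        problems.append("p= is missing or empty (an empty p= marks a revoked key)")
    else:
        try:
            base64.b64decode(key, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64 (truncated or mangled paste)")
    return problems

# Constructed sample: 294 placeholder bytes (the length of a 2048-bit RSA public
# key in DER form), not a real key, split into 255-byte chunks the way dig shows it.
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(range(256)) + bytes(38)).decode()
SAMPLE_DIG = " ".join('"%s"' % SAMPLE_RECORD[i:i + 255] for i in range(0, len(SAMPLE_RECORD), 255))

if __name__ == "__main__":
    # Live use: run dig +short TXT google._domainkey.yourdomain.com and pass its output in.
    print(check_dkim_txt(SAMPLE_DIG) or "record looks well-formed")
```

A clean result only means the record is well-formed; confirm against your email service that the published key is the one it is signing with.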
Common Cloudflare DKIM Issues
"DNS only" vs Proxied
DKIM records must be set to "DNS only" (gray cloud). The Cloudflare proxy only works for HTTP/HTTPS traffic, not DNS TXT or CNAME lookups for email authentication.
If your DKIM record shows an orange cloud, click it to toggle to gray.
Long TXT Record Values
Cloudflare handles long TXT records well—2048-bit DKIM keys work without issues. Unlike some DNS providers, you don't need to split the value into multiple strings.
CNAME Flattening
Cloudflare's CNAME flattening feature doesn't affect DKIM CNAME records when proxy is disabled. Your CNAME records will resolve correctly.
Record Not Found After Adding
If your DKIM lookup fails immediately after adding the record:
- Verify the Name field doesn't include your domain (Cloudflare adds it automatically)
- Check for typos in _domainkey
- Ensure the record is saved (not still in edit mode)
- Wait 1-2 minutes for Cloudflare's edge to update
Cloudflare + Common Email Services
Google Workspace
Type: TXT
Name: google._domainkey
Content: The value from Google Admin Console (starts with v=DKIM1; k=rsa; p=...)
Microsoft 365
Type: CNAME (two records)
Record 1:
- Name: selector1._domainkey
- Target: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Record 2:
- Name: selector2._domainkey
- Target: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Mailchimp
Type: CNAME
Name: k1._domainkey
Target: dkim.mcsv.net
SendGrid
Type: CNAME (two records)
Check SendGrid's Sender Authentication settings for your specific CNAME values—they include your account ID.
Amazon SES
Type: CNAME (three records)
Amazon SES provides three unique CNAME records during domain verification. Add all three to Cloudflare.
Multiple DKIM Records
You can add as many DKIM records as needed for different email services. Each uses a different selector, so they don't conflict:
google._domainkey TXT v=DKIM1; k=rsa; p=...
k1._domainkey CNAME dkim.mcsv.net
s1._domainkey CNAME s1.domainkey...sendgrid.net
Don't Forget SPF and DMARC
Complete your email authentication by also configuring:
SPF: A TXT record at your root domain (@) listing authorized senders. Check at spfrecordcheck.com.
DMARC: A TXT record at _dmarc.yourdomain.com with your policy. Check at dmarcrecordchecker.com.
Monitor Your DKIM Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.