How To Set Up DKIM for Your Domain
DKIM (DomainKeys Identified Mail) is a cryptographic email authentication standard that lets receiving mail servers verify that a message genuinely came from your domain and was not altered in transit. Without it, your emails are more likely to land in spam, and your domain is easier to spoof. Setting it up correctly is one of the most important steps in establishing a trustworthy sending infrastructure.
How DKIM Works
When you send an email, your mail server uses a private key to generate a unique digital signature and adds it to the message headers. The receiving server then looks up your domain's DNS records to retrieve the corresponding public key, and uses it to verify the signature. If the signature checks out, the message passes DKIM authentication. If it fails or is missing, receiving servers may treat the email with suspicion.
The public key is published as a DNS TXT record at a specific subdomain called a selector. Selectors allow you to publish multiple DKIM keys for the same domain — useful when you send through several services.
What You Need Before You Start
- Access to your domain's DNS settings (via your registrar or DNS host)
- Access to your email sending platform or mail server configuration
- A DKIM key pair — most sending platforms generate this for you
If your sending platform does not generate keys automatically, you can create a key pair using OpenSSL. Use a 2048-bit RSA key at minimum — 1024-bit is now considered insufficient for modern security standards.
Step 1: Generate Your DKIM Keys
Most email service providers (ESPs) and mail transfer agents (MTAs) have a built-in DKIM setup flow that handles key generation. Log into your sending platform and look for an authentication or domain settings section. The platform will typically show you:
- A selector name (for example, s1 or mail)
- The DNS TXT record name to create (formatted as selector._domainkey.yourdomain.com)
- The TXT record value containing your public key
Copy these values exactly. Even a single character error will cause DKIM to fail.
Step 2: Add the DNS TXT Record
Log into your DNS provider and create a new TXT record with the following:
- Name/Host: your selector subdomain, e.g. s1._domainkey (some DNS providers want the full hostname including your domain; others just want the subdomain portion — check their documentation)
- Type: TXT
- Value: the public key string provided by your sending platform, which begins with v=DKIM1;
- TTL: 3600 seconds (one hour) is a sensible default
A typical DKIM TXT record value looks like this: v=DKIM1; k=rsa; p=MIGfMA0GCSq... where the p= tag carries the long base64-encoded public key. Do not modify this string or add line breaks — it must be published exactly as provided.
Step 3: Wait for DNS Propagation
DNS changes can take anywhere from a few minutes to 48 hours to propagate globally, though in practice most updates are visible within an hour. You can check whether your record has propagated using a DNS lookup tool — query the TXT record at selector._domainkey.yourdomain.com and confirm the value matches what your sending platform expects.
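To check what is actually published at this step, here is an added example (my code, not the article's or any sending platform's) that parses a DKIM TXT record as a DNS lookup tool returns it and decodes the p= key just far enough to read the RSA modulus size, which also catches the 1024-bit key problem listed under Common DKIM Mistakes. It assumes an RSA key (k=rsa); the constructed_record helper fabricates a placeholder DER key of a chosen size purely so the script runs offline, and is not a real key.

```python
# Added example: decode a published DKIM TXT record and report its RSA key size.
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER-encoded rsaEncryption OID

def parse_dkim_record(txt):
    """'v=DKIM1; k=rsa; p=...' -> tag dict. dig prints long TXT values as
    several quoted strings; join them first so the p= tag is whole."""
    txt = "".join(re.findall(r'"([^"]*)"', txt)) if '"' in txt else txt
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): v.strip().replace(" ", "") for k, v in pairs}

def der_read(buf, pos=0):
    """Read one DER element; return (tag, content bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(txt):
    """Modulus size of the p= key: SPKI -> BIT STRING -> RSAPublicKey -> n."""
    tags = parse_dkim_record(txt)
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    _, spki, _ = der_read(base64.b64decode(tags["p"], validate=True))
    _, _, pos = der_read(spki)          # AlgorithmIdentifier, skipped
    _, bitstr, _ = der_read(spki, pos)  # BIT STRING; byte 0 counts unused bits
    _, rsa_pub, _ = der_read(bitstr[1:])
    _, modulus, _ = der_read(rsa_pub)   # first INTEGER of RSAPublicKey is n
    return int.from_bytes(modulus, "big").bit_length()

def der(tag, content):
    """Encode one DER element, using long-form length for 128+ bytes."""
    n = len(content)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + ln + content

def der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return der(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)

def constructed_record(bits):
    """CONSTRUCTED demo record (not a real key): a modulus of the requested size."""
    rsa_pub = der(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    spki = der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Feed rsa_key_bits() the output of `dig +short TXT s1._domainkey.yourdomain.com` (quotes included) and reject anything under 2048. As a quick eyeball check, a p= value beginning MIGfMA0G... is the 1024-bit form and one beginning MIIBIjAN... the 2048-bit form.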
Step 4: Enable DKIM Signing on Your Mail Server
Publishing the DNS record is only half the job. You also need to enable DKIM signing in your sending platform or mail server so it actually signs outgoing messages with the matching private key. In most hosted ESPs this is a toggle or a confirmed step after DNS verification. On self-managed infrastructure (Postfix, Exim, etc.) you will configure the signing daemon (such as OpenDKIM or rspamd) with the private key and the selector name.
Once signing is enabled, your sending platform will usually run an automated check against your DNS and confirm DKIM is active.
Step 5: Verify DKIM Is Working
Send a test email to an address you control and inspect the raw message headers. Look for a header named DKIM-Signature — its presence means your server is signing messages. To confirm the signature is valid, look for an Authentication-Results header on the receiving side that shows dkim=pass.
You can also use a free deliverability checker to audit your domain's authentication setup, including DKIM, SPF, and DMARC, in one place.
Common DKIM Mistakes to Avoid
- Using 1024-bit keys: These are deprecated. Use 2048-bit RSA or an Ed25519 key.
- Modifying email content after signing: Some mailing list software or forwarding setups alter message bodies or headers after DKIM signs them, breaking the signature. This is a known challenge and is part of why DMARC with a relaxed alignment policy is recommended.
- Publishing the record but not enabling signing: The DNS record alone does nothing — your mail server must also sign outgoing messages.
- Forgetting subdomains or secondary senders: If you send from multiple platforms or subdomains, each needs its own DKIM selector and DNS record.
DKIM Alongside SPF and DMARC
DKIM works best as part of a complete authentication stack. SPF specifies which IP addresses are authorised to send mail for your domain. DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails — and sends you reports so you can monitor for abuse. Having all three correctly configured significantly improves deliverability and protects your domain from spoofing.
If you are starting from scratch or working with a domain that has a poor sending history, the warm-up and reputation management process matters just as much as authentication. Services like Rainmail are specifically built to support senders who need hands-on deliverability infrastructure — including proper DKIM setup, IP warm-up, and ongoing monitoring — especially when mainstream providers have turned them away.
Authentication is the foundation. Get it right before you focus on anything else.