DKIM (DomainKeys Identified Mail) Setup Guide

Configure DKIM signatures to verify email authenticity and prevent tampering.

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email hasn't been altered during transit and was actually sent by the authorized domain.

DKIM protects against:

  • Email content tampering and modification
  • Domain spoofing and impersonation
  • Man-in-the-middle attacks
  • Rejection of your mail by Gmail, Yahoo, and other providers that require authentication

How DKIM Works

Step 1: Email Signed

Your mail server creates a hash of the email content and signs it with your private key

Step 2: Signature Added

A DKIM-Signature header carrying that signature is added to the email

Step 3: Public Key Lookup

The receiving server retrieves your public key from DNS using the selector named in the header

Step 4: Verification

The server verifies the signature with the public key and confirms the content hasn't changed

DKIM Record Structure

A DKIM record is published as a TXT record at a subdomain using this format:

selector._domainkey.yourdomain.com

Example DKIM record value:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...

DKIM Tags Explained

v=DKIM1

Version identifier (required)

k=rsa

Key type (RSA is standard)

p=...

Public key in Base64 format (required)

t=s

Strict mode: the domain in the signature must match this domain exactly, with no subdomains (optional)

Key Length Requirements

DKIM key length is critical for security:

  • 512-bit: Insecure, rejected by most providers
  • 1024-bit: Minimum acceptable (being phased out)
  • 2048-bit: Recommended standard
  • 4096-bit: Maximum security (may exceed DNS TXT record size limits)

Use our DKIM Validator to check your key length and security.

Step-by-Step Setup

1. Generate DKIM Keys

Most email service providers generate keys automatically:

  • Google Workspace: Admin Console → Apps → Gmail → Authenticate Email
  • Microsoft 365: Security & Compliance → Threat Management → DKIM
  • SendGrid/Mailchimp: Domain Authentication settings

2. Get Your DKIM Record

Your provider will give you:

  • Selector: A unique identifier (e.g., "google", "s1", "k1")
  • Host/Name: selector._domainkey.yourdomain.com
  • Value: The public key record starting with v=DKIM1

3. Add DNS Record

Create a TXT record in your DNS:

  • Host/Name: selector._domainkey (e.g., google._domainkey)
  • Type: TXT
  • Value: Your DKIM public key
  • TTL: 3600

4. Enable DKIM Signing

Return to your email provider and enable DKIM signing. This tells your mail server to start adding DKIM signatures to outgoing emails.

5. Verify Setup

Wait 10-60 minutes for DNS propagation, then validate with our DKIM Validator tool.

Common Issues

Selector Mismatch

The selector in the DKIM-Signature header must match the DNS record name. Check your email headers to see which selector is being used.

Key Too Short

If using 512- or 1024-bit keys, upgrade to 2048-bit. Contact your email provider to generate new keys.

DNS Record Too Long

A single TXT string is limited to 255 characters, and some DNS providers enforce this limit on the whole value. Split the public key into multiple quoted strings (receivers concatenate them) or use a CNAME delegation to your provider's record.
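The key-length check from the Key Length Requirements section and the split-record issue just described, as an added example (this is not the page's DKIM Validator nor any provider's code): a stdlib-only Python checker that joins the quoted TXT strings, parses the tags, walks the DER SubjectPublicKeyInfo to size the RSA modulus, and applies this guide's thresholds. The constructed_spki helper is an assumption added so the checker runs offline; it wraps a fake modulus of a chosen size in a real-looking SPKI and is not a usable key.

```python
import base64, re

def parse_dkim_record(rdata: str) -> dict:
    """'v=DKIM1; k=rsa; p=...' -> tag dict; quoted 255-char TXT pieces are joined first."""
    value = "".join(re.findall(r'"([^"]*)"', rdata)) or rdata
    items = (item.split("=", 1) for item in value.split(";") if "=" in item)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in items}   # whitespace in p= is allowed

def _tlv(buf: bytes, pos: int):
    """One DER tag/length at pos -> (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(p_b64: str) -> int:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and size the modulus n."""
    der = base64.b64decode(p_b64)
    _, pos, _ = _tlv(der, 0)                           # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _tlv(der, pos)                         # skip AlgorithmIdentifier (rsaEncryption)
    tag, pos, _ = _tlv(der, pos)                       # BIT STRING; first byte = unused bits
    _, pos, _ = _tlv(der, pos + 1)                     # RSAPublicKey SEQUENCE
    tag2, start, end = _tlv(der, pos)                  # INTEGER modulus n
    assert (tag, tag2) == (0x03, 0x02), "not an RSA SubjectPublicKeyInfo"
    return int.from_bytes(der[start:end], "big").bit_length()

def check_dkim_record(rdata: str) -> list:
    """Findings for one DKIM TXT record, using this guide's key-length thresholds."""
    tags = parse_dkim_record(rdata)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return ["expected v=DKIM1 and k=rsa"]
    if not tags.get("p"):
        return ["p= missing or empty: no usable key, signatures will fail"]
    bits = rsa_modulus_bits(tags["p"])
    if bits < 1024:
        return [f"{bits}-bit key is insecure; rejected by most providers"]
    return [f"{bits}-bit key: upgrade to 2048-bit"] if bits < 2048 else []

def _der(tag: int, body: bytes) -> bytes:
    n = len(body)                                      # minimal DER length encoding
    hdr = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + hdr + body

def constructed_spki(bits: int) -> str:
    """CONSTRUCTED test key (n = 2^(bits-1)+1, e = 65537) wrapped like a real SPKI; not usable for signing."""
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa))).decode()
```

Pass check_dkim_record the TXT answer exactly as `dig +short TXT selector._domainkey.yourdomain.com` prints it, quotes included, so a record split into several strings is reassembled before the key is sized.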

Next Steps

Complete your email authentication with DMARC:

DMARC Setup →
Test DKIM →