DKIM Setup Guide: How to Configure Email Signing in 2026
DKIM (DomainKeys Identified Mail) is one of the three pillars of email authentication, alongside SPF and DMARC. It allows receiving mail servers to verify that an email was actually sent by the domain it claims to come from and that the message was not tampered with in transit. In 2026, with Google and Yahoo enforcing strict authentication requirements, setting up DKIM is no longer optional — it is essential.
What Is DKIM and How Does It Work?
DKIM uses public-key cryptography to sign outgoing emails. When you send an email, your mail server adds a digital signature to the message headers using a private key that only your server knows. The receiving server then looks up your public key, which is published as a DNS TXT record, and uses it to verify the signature.
If the signature matches, the receiving server knows two things: the email genuinely came from your domain, and the message body and key headers were not altered after signing. This trust signal significantly improves deliverability and helps protect your domain from spoofing.
The signature is invisible to the recipient. It lives in a header called DKIM-Signature and contains information about the signing algorithm, the selector used to find the public key, and the cryptographic hash of the message content.
Understanding DKIM Selectors
A DKIM selector is a string that tells receiving servers where to find your public key in DNS. The public key is published at selector._domainkey.yourdomain.com. You can have multiple selectors, which is useful when you use different email services (for example, one selector for your primary mail server and another for your marketing platform).
Common selector names include default, google, s1, k1, and mail. Many email providers assign their own selectors automatically. Google Workspace uses selectors like google, while services like Mailchimp and SendGrid use provider-specific selectors.
Step-by-Step DKIM Setup
Step 1: Generate your DKIM key pair. Most email providers generate DKIM keys for you automatically. In Google Workspace, go to Admin Console > Apps > Google Workspace > Gmail > Authenticate Email. For Microsoft 365, navigate to the Microsoft Defender portal under Email Authentication. If you run your own mail server, use opendkim-genkey to create a 2048-bit RSA key pair.
Step 2: Publish the public key in DNS. Create a TXT record at selector._domainkey.yourdomain.com with the public key value provided by your email service. The record value starts with v=DKIM1; followed by the key type and the public key data. Make sure you copy the entire value without any extra spaces or line breaks.
Step 3: Enable DKIM signing. Turn on DKIM signing in your email provider's settings. Some providers enable it by default once the DNS record is detected, while others require you to explicitly activate signing. After enabling, your provider will start adding DKIM signatures to all outgoing messages.
Step 4: Verify your configuration. Use our DKIM Checker to verify that your public key is correctly published and accessible. Enter your domain and selector, and the tool will retrieve and validate your DKIM record. A successful check confirms that receiving servers can verify your signatures.
Key Size: 1024-bit vs 2048-bit
DKIM supports both 1024-bit and 2048-bit RSA keys. While 1024-bit keys still work, 2048-bit keys are the recommended standard in 2026. They provide significantly stronger cryptographic security and are required by some mailbox providers for full trust.
One caveat with 2048-bit keys is that they produce longer DNS TXT records, which may exceed the 255-character limit for a single DNS string. Most DNS providers handle this by splitting the value into multiple strings automatically, but verify this with your provider to avoid truncation issues.
DKIM for Multiple Sending Services
If you use multiple services to send email (for example, Google Workspace for employee email and SendGrid for transactional messages), each service needs its own DKIM selector and key pair. This is perfectly normal and supported by the DKIM standard. Each service signs with its own private key, and you publish each corresponding public key under a different selector in DNS.
Make sure every service that sends email on your behalf has DKIM configured. A common mistake is setting up DKIM for your primary mail server but forgetting about marketing tools, CRM systems, or helpdesk platforms that also send from your domain.
Troubleshooting Common DKIM Issues
Signature verification fails: This usually means the public key in DNS does not match the private key used for signing, or the DNS record has formatting errors. Double-check the record value and ensure there are no extra spaces, missing semicolons, or truncated key data.
DNS record not found: Verify that the selector name matches exactly what your email provider expects. Remember that the record should be at selector._domainkey.yourdomain.com, not just _domainkey.yourdomain.com. DNS propagation can take up to 48 hours, so check again later if you just created the record.
Emails pass DKIM but fail DMARC: DMARC requires alignment between the signing domain and the From header domain. If your DKIM signature uses a different domain than your From address, DMARC alignment will fail. Use our DMARC Checker and SPF Checker to diagnose alignment issues.
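A record-side check covering Steps 2 and 4, the 255-character splitting caveat and the formatting and truncation failures described above, added here as an example; it is not code from this guide or from any checker tool it mentions. It joins the TXT strings found at selector._domainkey.<domain>, reads the RSA modulus size out of the p= key with a minimal DER reader, and flags empty, truncated or undersized keys. The names der, split_txt, check_dkim_record and sample_record are chosen for this example, and sample_record builds a constructed record (real ASN.1 framing around a placeholder modulus, not a real key) so everything runs offline.

```python
import base64
# ASN.1 framing shared by every RSA SubjectPublicKeyInfo of the given size
SPKI_HEADER = {
    2048: "30820122300d06092a864886f70d01010105000382010f003082010a0282010100",
    1024: "30819f300d06092a864886f70d010101050003818d0030818902818100",
}

def der(buf: bytes, pos: int = 0):
    """Minimal DER reader -> (tag, value, next_pos); raises on short data."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                          # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("DER length exceeds data (truncated p= value?)")
    return tag, buf[pos:pos + n], pos + n

def rsa_modulus_bits(spki: bytes) -> int:
    """Bit length of the RSA modulus inside a base64-decoded p= value."""
    _, body, _ = der(spki)                # outer SEQUENCE
    _, _, p = der(body)                   # AlgorithmIdentifier, skipped
    _, bits, _ = der(body, p)             # BIT STRING; bits[0] = unused-bit count
    _, rsa, _ = der(bits[1:])             # RSAPublicKey SEQUENCE { n, e }
    return int.from_bytes(der(rsa)[1], "big").bit_length()

def split_txt(value: str) -> list:        # the <=255-char strings a zone file needs
    return [value[i:i + 255] for i in range(0, len(value), 255)]

def check_dkim_record(strings: list) -> dict:
    """Validate the TXT strings at selector._domainkey.<domain> (joined in order)."""
    tags = {k.strip(): "".join(v.split())  # whitespace inside a tag value is legal
            for k, v in (t.split("=", 1) for t in "".join(strings).split(";") if "=" in t)}
    problems, bits = [], 0
    if not tags.get("p"):
        problems.append("p= missing or empty (an empty p= means a revoked key)")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except Exception as exc:
            problems.append("p= is not a valid RSA public key: %s" % exc)
    if 0 < bits < 2048:
        problems.append("%d-bit key is below the recommended 2048" % bits)
    return {"tags": tags, "bits": bits, "problems": problems}

def sample_record(bits: int = 2048) -> str:
    """Constructed record: real ASN.1 framing around a placeholder modulus."""
    modulus = b"\xc0" + b"\x00" * (bits // 8 - 1)      # NOT a real key
    spki = bytes.fromhex(SPKI_HEADER[bits]) + modulus + b"\x02\x03\x01\x00\x01"
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Pass check_dkim_record the strings a TXT lookup of the selector name returns, in that order; a 2048-bit record comes back as two strings, which the function joins before parsing, so a value that was cut at the 255-character boundary shows up as the truncation error rather than as a silent mismatch.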
DKIM as Part of Your Authentication Stack
DKIM works best when combined with SPF and DMARC. SPF validates the sending server, DKIM validates the message integrity, and DMARC ties them together with a policy that tells receivers what to do when checks fail. Run a full Domain Health Check to see how all three protocols are configured for your domain.
For a comprehensive overview of how these protocols work together, read our guide on SPF, DKIM & DMARC explained. If you are specifically working on DMARC implementation, our What is DMARC article covers policy configuration in detail.