How to Set Up DKIM Records: Complete Guide
DKIM (DomainKeys Identified Mail) is an email authentication protocol that lets your domain digitally sign outgoing messages. When a receiving mail server gets a DKIM-signed email, it retrieves your public key from DNS and verifies the cryptographic signature. If the signature is valid, the receiver knows the message genuinely came from your domain and was not altered in transit. Together with SPF and DMARC, DKIM forms the foundation of modern email authentication and is essential for strong deliverability.
Already have DKIM configured?
Use our free DKIM Checker to verify your DKIM record is valid and correctly published, or the DKIM Finder to discover existing DKIM selectors for any domain.
Step 1: Understand DKIM Basics
DKIM works using public-key cryptography. Your mail server holds a private key that it uses to generate a unique signature for every outgoing message. The matching public key is published as a DNS TXT record so any receiving server can look it up. Each DKIM key pair is identified by a selector — a label you choose — which allows you to maintain multiple keys for different services or rotation cycles on the same domain.
When a message is signed, DKIM creates a hash of specific headers and the message body, encrypts that hash with the private key, and adds the result as a DKIM-Signature header. The receiving server uses the selector and domain from that header to fetch the public key via DNS, then decrypts the hash and compares it to its own calculation. A match means the message is authentic and unaltered.
Step 2: Generate a DKIM Key Pair
If your email provider (Google Workspace, Microsoft 365) handles DKIM for you, skip to Step 5. For self-hosted mail servers or services that require you to supply your own keys, generate a 2048-bit RSA key pair using OpenSSL:
# Generate the private key
openssl genrsa -out dkim_private.pem 2048
# Extract the public key
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem
The private key (dkim_private.pem) must be kept secure on your mail server. Never share it or commit it to a public repository. The public key (dkim_public.pem) is what you will publish in DNS.
You can also use our DKIM Record Generator to create a properly formatted DNS record from your public key.
Step 3: Choose a Selector Name
A selector is a simple text label that identifies which DKIM key to use. Common conventions include:
- default or selector1 — Generic names used by many providers.
- google or ms365 — Named after the service that uses the key.
- 2026q1 or dkim202603 — Date-based names that make rotation tracking easy.
The selector becomes part of the DNS lookup. For example, if your selector is mail2026 and your domain is example.com, the receiving server will query mail2026._domainkey.example.com for the public key. Choose something descriptive that helps you manage multiple keys over time.
Step 4: Create the DNS TXT Record
- Log in to your DNS provider or domain registrar.
- Navigate to DNS management for your domain.
- Create a new TXT record with the host/name set to selector._domainkey (replace selector with your chosen selector name).
- Set the value to your DKIM public key record. The format is:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...your_public_key_here...
The v=DKIM1 tag identifies this as a DKIM record. The k=rsa tag specifies the key type. The p= tag contains your base64-encoded public key (remove the PEM header, footer, and line breaks from the file). If the record value is longer than 255 characters, most DNS providers will automatically split it into multiple quoted strings.
Important: DNS record length
A 2048-bit key produces a TXT value of approximately 400 characters, which exceeds the 255-character limit for a single DNS TXT string. Most DNS providers handle splitting automatically. If yours does not, wrap the value in two quoted strings: "first_part" "second_part".
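An added example, not part of this guide or of any tool it links to, that turns the PEM public key from Step 2 into the TXT value from Step 4, splits it into 255-character quoted strings as described in the note above, and validates a published record the way a checker would. The PEM body is a constructed stand-in of the right length, not a real key.

```python
import base64
import re

# Constructed stand-in for the 294 DER bytes of a real 2048-bit SPKI public key, so the
# lengths computed here match a real "openssl rsa -pubout" file; it is not a usable key.
_B64 = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END PUBLIC KEY-----\n")

def pem_to_p(pem: str) -> str:
    """Strip the PEM header, footer and line breaks; return the base64 body for the p= tag."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    base64.b64decode(body, validate=True)  # raises binascii.Error on a mangled key
    return body

def build_dkim_record(pem: str, key_type: str = "rsa") -> str:
    """Assemble the TXT value to publish at <selector>._domainkey.<domain>."""
    return f"v=DKIM1; k={key_type}; p={pem_to_p(pem)}"

def split_txt(value: str, limit: int = 255) -> str:
    """Split a long TXT value into quoted strings of at most 255 chars, as zone files require."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join(f'"{c}"' for c in chunks)

def parse_dkim_record(txt: str) -> dict:
    """Re-join quoted strings, parse the tag=value list and check the tags DKIM requires."""
    quoted = re.findall(r'"([^"]*)"', txt)
    raw = "".join(quoted) if quoted else txt
    tags = {}
    for part in raw.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # tag values may contain folding whitespace
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("v= tag must be DKIM1 when present")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        raise ValueError(f"unsupported key type {tags['k']}")
    if "p" not in tags:
        raise ValueError("missing p= tag")
    if tags["p"]:  # an empty p= is a deliberately revoked key (RFC 6376), still a valid record
        base64.b64decode(tags["p"], validate=True)
    return tags
```

Feed split_txt() the output of build_dkim_record() when your provider needs the two-string form; parse_dkim_record() accepts either the single value or the quoted form that dig prints back.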
Step 5: Configure Your Mail Server
The configuration process depends on your email platform. Below are instructions for the most common setups:
Google Workspace
- Open the Google Admin console and navigate to Apps > Google Workspace > Gmail.
- Click "Authenticate email" and select your domain.
- Click "Generate new record." Google will provide a selector (usually google) and a TXT value.
- Add the TXT record to your DNS as described in Step 4.
- Return to the Admin console and click "Start authentication."
Microsoft 365
- In the Microsoft 365 Defender portal, go to Email & collaboration > Policies > DKIM.
- Select your domain. Microsoft generates two CNAME records (selector1 and selector2).
- Publish both CNAME records in your DNS.
- Return to the portal and enable DKIM signing for the domain.
Postfix (Self-Hosted)
- Install OpenDKIM:
sudo apt install opendkim opendkim-tools
- Configure /etc/opendkim.conf with your selector, domain, and private key path.
- Add the OpenDKIM milter to Postfix in /etc/postfix/main.cf:
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
- Restart both OpenDKIM and Postfix, then publish the public key in DNS.
Step 6: Test Your DKIM Setup
After configuring DKIM and allowing time for DNS propagation (typically a few minutes, up to 48 hours), verify your setup:
- DKIM Checker — Enter your domain and selector to confirm the public key is correctly published and the record syntax is valid.
- DKIM Finder — Automatically discover DKIM selectors for your domain to verify they are live.
- Send a test email — Send a message to a Gmail or Outlook account and inspect the headers. Look for dkim=pass in the Authentication-Results header.
- Email Header Analyzer — Paste the full email headers to see a parsed breakdown of authentication results including DKIM.
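An added example, not part of the guide, that performs the header inspection from the "Send a test email" step programmatically: it unfolds the raw headers, reads the d= and s= tags of each DKIM-Signature to show which DNS name the receiver queried, and pulls the dkim= verdict out of Authentication-Results. The sample headers are constructed, with placeholder signature values.

```python
import re

# Constructed sample headers (Gmail "Show original" form); bh= and b= are placeholders, not real values.
SAMPLE_HEADERS = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=mail2026 header.b=PLACEHOLDER;
       spf=pass smtp.mailfrom=bounce@example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
        s=mail2026; h=from:to:subject:date:message-id;
        bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIGNATURE==
From: Alice <alice@example.com>
"""

def unfold_headers(raw: str) -> list:
    """Join RFC 5322 folded continuation lines; return [name, value] pairs, names lowercased."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:  # continuation of the previous field
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip().lower(), value.strip()])
    return fields

def _tags(value: str) -> dict:
    """Parse the 'k=v; k=v' tag list of a DKIM-Signature header, dropping folding whitespace."""
    out = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = re.sub(r"\s+", "", v)
    return out

def signature_lookup_names(raw: str) -> list:
    """DNS names a verifier queries (s._domainkey.d) for every DKIM-Signature present."""
    sigs = [v for n, v in unfold_headers(raw) if n == "dkim-signature"]
    return [f"{t['s']}._domainkey.{t['d']}" for t in map(_tags, sigs)]

def dkim_results(raw: str) -> list:
    """(result, signing domain, selector) for each dkim= entry in Authentication-Results."""
    found = []
    for v in (v for n, v in unfold_headers(raw) if n == "authentication-results"):
        for part in v.split(";"):
            res = re.search(r"\bdkim=(\w+)", part)
            if res:  # header.i (or header.d) and header.s name the signature that was verified
                dom = re.search(r"header\.(?:i=@?|d=)([\w.-]+)", part)
                sel = re.search(r"header\.s=([\w.-]+)", part)
                found.append((res.group(1), dom and dom.group(1), sel and sel.group(1)))
    return found
```

A message may carry several DKIM-Signature headers (a forwarding provider often adds its own), so both functions return one entry per signature; the pass you care about is the one whose domain and selector are yours.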
Step 7: Rotate Keys Periodically
DKIM key rotation is a critical but often overlooked security practice. Rotate your keys every 6 to 12 months to limit exposure if a private key is ever compromised. Here is the recommended process:
- Generate a new key pair with a new selector name (e.g., dkim202609 if your current selector is dkim202603).
- Publish the new public key in DNS alongside the existing one. Both records can coexist because they use different selectors.
- Update your mail server to sign with the new private key and selector.
- Wait 48 to 72 hours for any in-flight messages signed with the old key to be delivered and verified.
- Remove the old DNS record to complete the rotation.
Using date-based selector names makes it easy to identify which keys are current and which are due for rotation.
Frequently Asked Questions
What is DKIM and why do I need it?
DKIM (DomainKeys Identified Mail) is an email authentication method that adds a cryptographic signature to outgoing messages. Receiving servers verify this signature against a public key published in your DNS. Without DKIM, recipients cannot confirm that a message was truly sent by your domain and that it was not modified in transit, making your domain more vulnerable to spoofing and phishing attacks.
How long should my DKIM key be?
A 2048-bit RSA key is the current best practice. While 1024-bit keys still work, they are considered weak by modern standards and some security-conscious receivers may flag them. Keys longer than 2048 bits are possible but may exceed the 255-character limit of a single DNS TXT string, requiring you to split the record into multiple strings.
How often should I rotate my DKIM keys?
Rotate your DKIM keys every 6 to 12 months. Regular rotation limits the window of exposure if a private key is compromised. Use a new selector name for each rotation so you can publish the new key before removing the old one, ensuring no messages fail verification during the transition.
Can I have multiple DKIM records for the same domain?
Yes. Unlike SPF, you can publish multiple DKIM records because each one uses a unique selector. This is common when you use multiple email services — for example, one selector for Google Workspace and another for your marketing platform. Each service signs with its own private key and its own selector.