DKIM Record: What It Is and How to Set It Up
DKIM adds a cryptographic signature to every email — here's how it works and how to configure it.
What is DKIM?
DKIM (DomainKeys Identified Mail) adds a cryptographic digital signature to every outgoing email. This signature is generated using a private key stored on your mail server and verified by the recipient's server using a public key published in your DNS.
When a recipient's mail server receives your email, it reads the selector (s=) and signing domain (d=) from the DKIM-Signature header, fetches the matching public key from DNS, and uses it to verify the signature over the signed headers and the body hash. If the signature verifies, the signed parts of the message were not altered after signing, and the signature was produced with the private key belonging to that domain. Note what DKIM does not prove: it says nothing about which server actually delivered the message (that is what SPF checks), and a valid signature does not make the signing domain trustworthy.
- DKIM proves the signed headers and body weren't modified after signing: it's a tamper-detection seal, and it survives ordinary forwarding because the message itself is left unchanged.
- DKIM works alongside SPF: SPF checks the IP address of the sending server, DKIM checks the integrity of the message and ties it to the signing domain.
- Without DKIM, your emails are more likely to be flagged as spam by Gmail, Outlook, and Yahoo.
How DKIM signatures work
Your mail server canonicalizes the body and computes its SHA-256 hash, which goes into the bh= tag. It then hashes the headers listed in h= together with the DKIM-Signature header itself (with b= left empty) and signs that hash with your private key; the signature becomes the b= tag. Signing is not encryption: the message stays readable, and the private key only proves who produced the signature. The result is added to the email as the 'DKIM-Signature' header.
The recipient's server retrieves your public key from DNS (published as a TXT record at selector._domainkey.yourdomain.com), recomputes both hashes from the message as received, and uses the public key to verify that b= is a valid signature over the header hash. Match = pass. No match, a missing key record, or a record whose p= is empty (a revoked key) = fail.
DKIM-Signature header (what your email contains; c= names the header/body canonicalization, h= lists the signed headers, bh= is the base64 body hash, b= is the base64 signature): DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=google; h=from:to:subject:date:message-id; bh=hash_of_body; b=base64_encoded_signature
DKIM DNS TXT record (what you publish in DNS): Record name: google._domainkey.yourdomain.com Record type: TXT Record value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B...(your public key)
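The receiver-side bookkeeping described above, as an added example that is not code from this page or from any mail server: it parses the tag list of a DKIM-Signature header, derives the DNS name to query, interprets a multi-string TXT key record (including the empty-p= revocation case), applies the 'simple' and 'relaxed' body canonicalizations from RFC 6376, and checks that bh= matches the body that actually arrived. The message body, signature header and key strings are constructed sample data; the RSA check of b= itself is left out because it needs the real public key.

```python
import base64
import hashlib
import re

# Added example, not code from the page or from any mail server: the
# bookkeeping a verifier does before it checks the RSA signature.  Tag names
# follow RFC 6376; the message and key strings below are constructed samples.

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (signature header or DNS key record).
    Folding whitespace is allowed inside values, so it is stripped."""
    tags = {}
    for item in value.split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(sig_tags: dict) -> str:
    """DNS name the verifier queries: <selector>._domainkey.<signing domain>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"

def parse_key_record(txt_strings: list) -> dict:
    """A TXT record may be several <=255-byte strings; they are concatenated
    before the tag list is parsed.  An empty p= means the key is revoked."""
    tags = parse_tags("".join(txt_strings))
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 key record")
    if "p" not in tags:
        raise ValueError("key record has no p= tag")
    return {
        "key_type": tags.get("k", "rsa"),
        "public_key_b64": tags["p"],
        "revoked": tags["p"] == "",
        "testing": "y" in tags.get("t", "").split(":"),
    }

def _lines(body: bytes) -> list:
    # Accept CRLF or bare LF input; canonical output is always CRLF-joined.
    return body.replace(b"\r\n", b"\n").split(b"\n")

def simple_body(body: bytes) -> bytes:
    """'simple' canonicalization: drop trailing empty lines, end with CRLF
    (an empty body becomes a single CRLF)."""
    lines = _lines(body)
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"

def relaxed_body(body: bytes) -> bytes:
    """'relaxed' canonicalization: collapse runs of space/tab to one space,
    strip trailing whitespace, drop trailing empty lines, end a non-empty
    body with CRLF (an empty body stays empty)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in _lines(body)]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def body_hash(body: bytes, canon: str = "simple") -> str:
    """bh= value: base64(SHA-256(canonicalized body))."""
    canonical = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()

def check_body_hash(dkim_signature_value: str, body: bytes) -> bool:
    """First verification step: does bh= match the body that arrived?
    Only rsa-sha256 is accepted (rsa-sha1 is historic per RFC 8301); the
    l= body-length tag is not handled."""
    tags = parse_tags(dkim_signature_value)
    if tags.get("a", "rsa-sha256") != "rsa-sha256":
        return False
    parts = tags.get("c", "simple/simple").split("/")
    body_canon = parts[1] if len(parts) == 2 else "simple"  # c=relaxed alone: body is simple
    return body_hash(body, body_canon) == tags.get("bh")

# Constructed sample message body and a signature header whose bh= was
# produced for it (b= is a placeholder: checking it needs the RSA public key).
SAMPLE_BODY = b"Hello,\r\n\r\nThis is   a test.  \r\n\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=google;\r\n"
    "\th=from:to:subject:date:message-id;\r\n"
    "\tbh=" + body_hash(SAMPLE_BODY, "relaxed") + ";\r\n"
    "\tb=placeholder"
)
# A 2048-bit key does not fit in one 255-byte TXT string, so DNS returns
# several; these strings are constructed and do not hold a real key.
SAMPLE_TXT_STRINGS = ["v=DKIM1; k=rsa; ", "p=MIIBIjANBgkqhkiG9w0B", "AQEFAAOCAQ8A"]

if __name__ == "__main__":
    sig = parse_tags(SAMPLE_SIGNATURE)
    print("query", key_record_name(sig))
    print("key", parse_key_record(SAMPLE_TXT_STRINGS))
    print("bh matches", check_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY))
    print("bh matches", check_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY + b"x"))
```

The relaxed canonicalization is why a message that picks up a tab or an extra trailing blank line in transit still passes, while any change to the words does not; the empty-body relaxed hash it produces is the well-known value 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= you will see in real headers.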
Setting up DKIM for Google Workspace
Step 1: Log into Google Admin Console (admin.google.com).
Step 2: Go to Apps → Google Workspace → Gmail → Authenticate email.
Step 3: Select your domain and click 'Generate new record'.
Step 4: Google will give you a DNS TXT record name (e.g., google._domainkey.yourdomain.com) and a value starting with 'v=DKIM1'.
Step 5: Add this TXT record to your domain DNS.
Step 6: Return to Google Admin and click 'Start authentication'.
DNS propagation typically takes 5–30 minutes, though Google notes it can take up to 48 hours depending on your DNS host and the record's TTL. Once Google confirms DKIM is active, every email sent through Gmail for that domain is signed automatically.
- Google generates a 2048-bit key by default, the key size RFC 8301 recommends; only choose the 1024-bit option if your DNS host cannot store the longer record.
- If you're on Cloudflare, the TXT record should be DNS only (grey cloud).
- After publishing the DNS record, wait at least 15 minutes before clicking 'Start authentication'.
Setting up DKIM for custom SMTP / other providers
For custom SMTP servers (Postfix, Exim, PowerMTA), you need to install a DKIM signing package (e.g., OpenDKIM for Linux) and generate a key pair. For managed email providers (Zoho, Outlook, Fastmail), DKIM setup is in their admin panel — each provider's documentation covers the exact steps.
The process is always the same: generate a key pair in your sending tool, copy the public key DNS record they provide, publish it in your DNS, then verify the setup.
- Use 2048-bit RSA keys. 1024 bits is the minimum RFC 8301 allows verifiers to accept and is considered weak; anything shorter is rejected outright.
- DKIM selectors (e.g., 'google', 'mail', 'selector1') are the first label of the record name and let you publish several keys at once: one per sending service, and old and new keys side by side during rotation.
- Rotate your DKIM keys every 6–12 months as a security best practice: publish the new key under a new selector, switch signing to it, keep the old record up for a few days so mail still in transit verifies, then remove it or set its p= to empty to revoke it.
Verifying and troubleshooting DKIM
To verify DKIM is working: send a test email to a Gmail account you control, open the email, click the three-dot menu → 'Show original', and look for "DKIM: 'PASS' with domain yourdomain.com" in the summary at the top. Alternatively, use MXToolbox (mxtoolbox.com/dkim.aspx) to check the published record or mail-tester.com to test a sent message.
Common issues:
- Key not propagated yet: wait longer or check the DNS TTL, and query the record directly (dig +short TXT google._domainkey.yourdomain.com).
- Key mismatch: you edited the DNS value after publishing, or the published key isn't the one the signer is using. Regenerate and republish.
- Wrong selector: the s= value in the DKIM-Signature header must match the first label of the DNS name (s=google means google._domainkey.yourdomain.com).
- Message modified after signing: mailing lists that add a subject tag or a footer change the signed content, so the hash no longer matches and the signature fails. Plain forwarding usually leaves the message intact and DKIM still passes, which is its advantage over SPF.
- Gmail's 'Show original' view is the fastest way to check DKIM status manually.
- mail-tester.com gives a full deliverability report including DKIM in one test.
- If DKIM fails after a correct setup, check that your DNS host didn't break the record: a single TXT string holds at most 255 characters, so a 2048-bit key record must be published as several quoted strings that resolvers concatenate, and some hosts split or truncate it incorrectly. Query the record and compare the joined strings with what you published.
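The publishing side of the custom-SMTP procedure and the long-record check from the troubleshooting list, as an added example that is not code from this page, from OpenDKIM or from any DNS host: it turns the PEM public key a signing tool hands you into the DKIM TXT value, splits that value into the 255-character strings DNS requires, renders a zone-file line, and, after publishing, compares the strings a resolver returns with the key you meant to publish. The PEM below is a constructed placeholder with the length of a 2048-bit RSA key, not a real key; the record name is an assumption.

```python
import base64
import re

# Added example, not from the page, OpenDKIM or any DNS provider: build the
# DKIM TXT record from a PEM public key, split it for DNS, and verify what
# DNS actually serves.  The PEM here is a placeholder, not a real key.

# 294 bytes is the DER length of a 2048-bit RSA SubjectPublicKeyInfo, so the
# record below has realistic length; the content is meaningless.
_PLACEHOLDER_DER = bytes(range(256)) + bytes(38)
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(re.findall(".{1,64}", base64.b64encode(_PLACEHOLDER_DER).decode()))
    + "\n-----END PUBLIC KEY-----\n"
)

def pem_to_p_value(pem: str) -> str:
    """p= is the bare base64 DER public key: strip the armor and line breaks."""
    return "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))

def dkim_record_value(pem: str) -> str:
    return f"v=DKIM1; k=rsa; p={pem_to_p_value(pem)}"

def split_txt(value: str, limit: int = 255) -> list:
    """One TXT string holds at most 255 bytes; a 2048-bit key record (~410
    characters) must be published as several strings, which resolvers join."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def zone_line(name: str, value: str) -> str:
    """BIND-style zone line with the value already split into quoted strings."""
    return f"{name} IN TXT " + " ".join(f'"{s}"' for s in split_txt(value))

def published_matches(txt_strings: list, pem: str) -> bool:
    """Post-publish check: join the strings DNS returned, pull out p=, and
    compare it with your key.  Catches hosts that truncate or re-wrap the
    record; folding whitespace inside p= is allowed and ignored."""
    joined = "".join(txt_strings)
    m = re.search(r"(?:^|;)\s*p=([^;]*)", joined)
    return m is not None and re.sub(r"\s+", "", m.group(1)) == pem_to_p_value(pem)

if __name__ == "__main__":
    # Assumed record name: selector 'mail' for yourdomain.com.
    value = dkim_record_value(SAMPLE_PEM)
    print(zone_line("mail._domainkey.yourdomain.com.", value))
    print("round-trips:", published_matches(split_txt(value), SAMPLE_PEM))
    print("truncated:  ", published_matches([value[:255]], SAMPLE_PEM))
```

Feed published_matches the strings from a real lookup (for example the quoted parts that dig +short TXT mail._domainkey.yourdomain.com prints) and the .pem your signing tool generated; a False result with a key you know you published almost always means the host stored only the first 255 characters or inserted a break inside a tag.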