How to Set Up a DKIM Record
Last updated: April 4, 2026
Key Facts
- DKIM stands for DomainKeys Identified Mail.
- It uses public-key cryptography to verify email authenticity.
- DKIM records are published in your domain's DNS as TXT records.
- A valid DKIM signature lets receivers detect spoofing of the signing domain and tampering with the signed parts of a message.
- Implementing DKIM can improve email deliverability rates.
What is DKIM?
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing by enabling the receiver to check that an email, from a domain that it knows to be legitimate, actually came from that domain. This is achieved by using public-key cryptography. A digital signature is added to the email's header, which can be verified by checking the sender's public key published in their DNS records. If the signature is valid, it confirms that the email originated from the claimed domain and that the message content has not been altered in transit.
Why is DKIM Important?
In today's digital landscape, email remains a primary communication channel for businesses and individuals. However, it's also vulnerable to abuse, such as phishing and spamming, where attackers impersonate legitimate senders. DKIM plays a crucial role in combating these threats. By providing a verifiable link between the email content and the sending domain, DKIM helps recipients trust the emails they receive. This trust is vital for maintaining brand reputation and ensuring that important communications reach their intended audience. Furthermore, many email service providers (ESPs) and internet service providers (ISPs) use DKIM (along with SPF and DMARC) as a factor in their spam filtering algorithms. A properly implemented DKIM record can therefore significantly improve your email deliverability rates, ensuring your messages are less likely to end up in the spam folder.
How Does DKIM Work?
The DKIM process involves several steps:
- Key Generation: A pair of cryptographic keys is generated: a private key and a public key. The private key is kept secret by the domain owner (usually stored on their mail server), while the public key is made available to anyone.
- Signing Outgoing Emails: When an email is sent from a DKIM-enabled mail server, the server uses the private key to create a DKIM signature. This signature is generated over specific parts of the email, typically selected headers and the body. The signature is then added to the email as a DKIM-Signature header.
- Publishing the Public Key: The public key is published in the domain's DNS (Domain Name System) records. It's usually added as a TXT record, with a specific selector name (e.g., `selector._domainkey.yourdomain.com`). The selector is a piece of information that helps the receiving server identify which public key to use for verification.
- Verification by Receiving Server: When a recipient's mail server receives an email with a DKIM signature, it performs the following steps:
- It extracts the DKIM-Signature header, which contains the signature, the signing domain, and the selector.
- Using the selector, it queries the sender's DNS for the corresponding public key (the TXT record).
- It then uses the public key to verify the signature against the parts of the email that were signed.
- If the signature is valid, it confirms that the email originated from the claimed domain and that its content has not been altered since it was signed. If the signature is invalid or cannot be verified, the email may be flagged as suspicious or rejected.
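The four steps above, carried through end to end as an added example (not code from the original page or from any DKIM implementation). It is a deliberately simplified model of RFC 6376 in Go: the "simple" body canonicalization is reduced to normalizing the trailing CRLF, the "relaxed" header canonicalization to lowercasing names and collapsing whitespace, and a map stands in for the DNS TXT lookup of `selector._domainkey.domain`. The domain `example.com`, selector `s1`, the message headers and the body are all constructed values. What it shows that the prose does not: the body hash (`bh=`) is checked before the signature, the `DKIM-Signature` header itself is part of the signed data with `b=` emptied, and a change to either the body or a signed header makes verification fail.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed example identity; a real deployment uses its own domain and selector.
const domain, selector = "example.com", "s1"

// Message is a minimal email: header fields keyed by lowercase name, plus a body.
type Message struct {
	Headers map[string]string
	Body    string
}

// DNSRecord (step 3) is the TXT value to publish at selector._domainkey.domain. DKIM carries
// the key as base64 DER SubjectPublicKeyInfo, which is why real p= values start "MIIBIjAN...".
func DNSRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// bodyHash approximates "simple" body canonicalization: exactly one trailing CRLF.
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerDigest hashes the signed headers in h= order ("relaxed" style), then the DKIM-Signature header with b= empty.
func headerDigest(m Message, signed []string, sigValue string) []byte {
	h := sha256.New()
	for _, name := range signed {
		h.Write([]byte(name + ":" + strings.Join(strings.Fields(m.Headers[name]), " ") + "\r\n"))
	}
	h.Write([]byte("dkim-signature:" + strings.Join(strings.Fields(sigValue), " ")))
	return h.Sum(nil)
}

// Sign (step 2) produces the DKIM-Signature header value for a message.
func Sign(priv *rsa.PrivateKey, m Message, signed []string) (string, error) {
	unsigned := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), bodyHash(m.Body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerDigest(m, signed, unsigned))
	if err != nil {
		return "", err
	}
	return unsigned + base64.StdEncoding.EncodeToString(sig), nil
}

// parseTags splits a "k=v; k=v" tag list (used for both the header and the DNS record).
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.TrimSpace(v)
		}
	}
	return tags
}

// Verify (step 4) runs on the receiver; dns stands in for the TXT lookup of <s>._domainkey.<d>.
func Verify(m Message, sigValue string, dns map[string]string) error {
	tags := parseTags(sigValue)
	if bodyHash(m.Body) != tags["bh"] {
		return fmt.Errorf("bh= mismatch: body altered after signing")
	}
	der, err := base64.StdEncoding.DecodeString(parseTags(dns[tags["s"]+"._domainkey."+tags["d"]])["p"])
	pubAny, _ := x509.ParsePKIXPublicKey(der)
	pub, ok := pubAny.(*rsa.PublicKey)
	if err != nil || !ok {
		return fmt.Errorf("no usable RSA key published for selector %q", tags["s"])
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	i := strings.Index(sigValue, "; b=")
	if err != nil || i < 0 {
		return fmt.Errorf("b= tag missing or malformed")
	}
	digest := headerDigest(m, strings.Split(tags["h"], ":"), sigValue[:i+4]) // same bytes the signer hashed
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) != nil {
		return fmt.Errorf("b= invalid: signed headers altered or wrong key")
	}
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // step 1: the private half stays on the mail server
	dns := map[string]string{selector + "._domainkey." + domain: DNSRecord(&priv.PublicKey)}
	msg := Message{Headers: map[string]string{"from": "alice@example.com", "subject": "Invoice"}, Body: "Please pay.\r\n"}
	sig, _ := Sign(priv, msg, []string{"from", "subject"})
	fmt.Println("original:", Verify(msg, sig, dns))
	msg.Body = "Please pay the new account.\r\n"
	fmt.Println("tampered:", Verify(msg, sig, dns))
}
```

The order of checks in `Verify` is the one a receiver uses: a failed body hash is reported without any DNS lookup or signature arithmetic, and a missing or unparseable `p=` tag is distinguished from a signature that simply does not match, which is the distinction that makes the troubleshooting section's "key mismatch" and "record format" cases separable in practice.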
Setting Up a DKIM Record
The exact steps for setting up DKIM can vary depending on your email provider, hosting service, or mail server software. However, the general process involves:
- Generate DKIM Keys: Most email hosting providers (like Google Workspace, Microsoft 365, Zoho Mail) offer tools or instructions for generating DKIM keys. If you manage your own mail server, you might use tools like OpenSSL to create the key pair. You'll typically choose a key length (e.g., 1024-bit or 2048-bit, with 2048-bit being more secure).
- Configure Your Mail Server: You'll need to configure your outgoing mail server (e.g., Postfix, Sendmail, Exim) to use the private key to sign outgoing emails. This usually involves installing a DKIM signing module (like OpenDKIM) and updating its configuration files.
- Publish the Public Key in DNS: This is a critical step. You need to access your domain's DNS management interface (provided by your domain registrar or DNS hosting provider). You will add a new TXT record. The record's name (or host) will be `selector._domainkey.yourdomain.com` (replace `selector` with the one you chose during key generation, and `yourdomain.com` with your actual domain; many DNS interfaces append the domain automatically, in which case you enter only `selector._domainkey`). The value of the record will be `v=DKIM1; k=rsa; p=PUBLIC_KEY_STRING`. The `PUBLIC_KEY_STRING` is the public key generated in step 1.
- Test Your Setup: After publishing the DNS record, it can take some time for the changes to propagate across the internet (DNS propagation). You can then send test emails to services like mail-tester.com or use online DKIM checker tools to verify that your DKIM record is correctly set up and that your emails are being signed properly.
DKIM Record Structure
A typical DKIM record is a TXT record in your DNS. Its structure looks something like this:
selector._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
Let's break down the components:
- `selector`: A unique identifier chosen by the domain owner. It helps differentiate between multiple DKIM keys for the same domain. Common selectors include `default`, `mail`, `selector1`.
- `_domainkey`: A subdomain required by the DKIM standard.
- `yourdomain.com`: Your actual domain name.
- `IN TXT`: Specifies that this is an Internet DNS record of type TXT.
- `v=DKIM1`: Indicates the version of DKIM being used (currently DKIM1).
- `k=rsa`: Specifies the public key algorithm used (most commonly RSA).
- `p=PUBLIC_KEY_STRING`: The actual public key string. This is a long string of characters representing your public key.
Some implementations might include additional tags like `s=` (subdomain mode) or `h=` (signed headers), but the core components are `v`, `k`, and `p`.
Troubleshooting Common DKIM Issues
If your DKIM setup isn't working, consider these common problems:
- DNS Propagation Delay: Give DNS changes sufficient time to propagate (up to 48 hours, though often much faster).
- Incorrect DNS Record Format: Ensure the TXT record is entered exactly as specified, with no typos, extra spaces, or missing quotes. Pay attention to the `selector._domainkey` part.
- Key Mismatch: Verify that the public key published in DNS exactly matches the public key corresponding to the private key used by your mail server.
- Mail Server Configuration: Double-check that your mail server is correctly configured to use the DKIM private key and to sign outgoing emails.
- Using Multiple DKIM Records: While possible, managing multiple DKIM records with different selectors can be complex. Ensure each is correctly configured and that your server uses the intended key.
- Selector Conflicts: If multiple services or servers use DKIM for your domain, ensure they use distinct selectors to avoid conflicts.
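A record checker that walks the structure described in "DKIM Record Structure" and exercises the troubleshooting points above (record name, record format, key mismatch), as an added example in Go that is not code from the original page or from any DKIM tool. It assumes the resolver returns the TXT record as a list of strings, as DNS does: a TXT record is stored in strings of at most 255 bytes, so a 2048-bit key is always split across two of them and must be concatenated in order before parsing. The key pair, the record value and the broken records fed to it are all constructed inline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// RecordValue builds the TXT value for a public key (the v=DKIM1; k=rsa; p=... layout).
func RecordValue(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// SplitTXT chunks a value into the 255-byte strings a TXT record is stored as. A 2048-bit
// key always needs more than one; some DNS interfaces want the chunks entered separately.
func SplitTXT(value string) []string {
	var out []string
	for len(value) > 255 {
		out, value = append(out, value[:255]), value[255:]
	}
	return append(out, value)
}

// CheckRecordName verifies the <selector>._domainkey.<domain> shape of the record name.
func CheckRecordName(name string) []string {
	parts := strings.Split(strings.TrimSuffix(name, "."), ".")
	if len(parts) < 3 || parts[1] != "_domainkey" {
		return []string{"name: expected <selector>._domainkey.<domain>, got " + name}
	}
	return nil
}

// CheckRecord inspects the TXT strings a resolver returns for a DKIM record and, when the
// mail server's private key is supplied, confirms the published public key belongs to it.
// Each finding is one reason verification would fail or one setting worth fixing; an empty
// result means the record looks healthy.
func CheckRecord(txt []string, priv *rsa.PrivateKey) []string {
	var findings []string
	value := strings.Join(txt, "") // resolvers hand the strings back in order; join them first
	if strings.ContainsAny(value, `"'`) {
		findings = append(findings, "format: quote characters ended up inside the record value")
		value = strings.NewReplacer(`"`, "", `'`, "").Replace(value)
	}
	tags := map[string]string{}
	for _, part := range strings.Split(value, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.TrimSpace(v)
		}
	}
	if tags["v"] != "DKIM1" {
		findings = append(findings, "v=: missing or not DKIM1")
	}
	if k, ok := tags["k"]; ok && k != "rsa" {
		findings = append(findings, "k=: unexpected key type "+k+" (this checker understands rsa only)")
	}
	p, ok := tags["p"]
	if !ok {
		return append(findings, "p=: tag missing, no public key is published")
	}
	if p == "" {
		return append(findings, "p=: empty value, which DKIM treats as a revoked key")
	}
	// Whitespace inside the base64 is ignored by DKIM, so strip it before decoding.
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(p), ""))
	if err != nil {
		return append(findings, "p=: value is not valid base64 (truncated paste or typo?)")
	}
	pubAny, err := x509.ParsePKIXPublicKey(der)
	pub, isRSA := pubAny.(*rsa.PublicKey)
	if err != nil || !isRSA {
		return append(findings, "p=: decodes but is not an RSA public key")
	}
	switch bits := pub.N.BitLen(); {
	case bits < 1024:
		findings = append(findings, fmt.Sprintf("key: %d-bit RSA is too weak; modern verifiers reject it", bits))
	case bits < 2048:
		findings = append(findings, fmt.Sprintf("key: %d-bit RSA works, but 2048-bit is recommended", bits))
	}
	if priv != nil && (pub.N.Cmp(priv.N) != 0 || pub.E != priv.E) {
		findings = append(findings, "key: published public key does not match the mail server's private key")
	}
	return findings
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	txt := SplitTXT(RecordValue(&priv.PublicKey))
	fmt.Printf("record needs %d TXT strings\n", len(txt))
	fmt.Println("healthy record:", CheckRecord(txt, priv))
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println("wrong private key:", CheckRecord(txt, other))
	fmt.Println("bad name:", CheckRecordName("s1.example.com"))
}
```

The mismatch check compares the modulus and exponent of the published key with the server's private key rather than comparing base64 strings, so it is not fooled by the whitespace or line folding that DNS interfaces often introduce; the format checks run before the key checks so that a typo in `v=` or a stray quote is reported even when the key itself is fine.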
Implementing DKIM is a vital step in securing your email communications and enhancing your sender reputation. When properly configured alongside SPF and DMARC, it provides a robust layer of authentication that benefits both senders and receivers.