How to Set Up DKIM: Clear Steps You Can Follow Today

DKIM, or DomainKeys Identified Mail, is an email authentication protocol that verifies the authenticity of outbound emails. It works by using a private cryptographic key generated by your mail server to create a digital signature based on the email’s content. This signature is added to the message header. Recipient servers then use a corresponding public key, published in your domain’s DNS, to confirm that the email originated from an authorized sending server, was not altered in transit, and was not forged.

Proper DKIM configuration plays a direct role in improving email security, strengthening deliverability, and reducing spoofing attempts. This article walks through how to set up DKIM step by step, helping you implement the protocol correctly for your domain and ensure your emails are properly authenticated from the start.

Simplify DKIM with PowerDMARC!

Why DKIM is Essential for Your Domain

Setting up DKIM strengthens email authentication and supports both security and reliable message delivery without adding complexity for recipients.

• DKIM improves email deliverability by helping mailbox providers verify message authenticity and reduce spam filtering.
• It supports a stronger sender reputation by lowering the likelihood of your emails being flagged or blocked.
• DKIM protects message integrity by detecting whether email content has been altered during delivery.
• It increases recipient trust when combined with SPF and DMARC, supporting consistent engagement and inbox placement.
• DKIM aligns your domain with modern email security requirements enforced by major mailbox providers.

How to Set Up DKIM

Setting up DKIM tends to follow the same overall flow no matter which platform you’re using, even though the exact steps and dashboards can look a little different depending on your email provider or DNS host. In most cases, the process comes down to a few core actions: generating a DKIM key, publishing the public key in DNS, enabling DKIM signing on your mail server, and then checking that everything is authenticating the way it should.

1. Create your DKIM record

Generate your DKIM record through your email service provider or a DKIM generation tool. This process creates a DKIM key pair consisting of a private key, which remains on your mail server, and a public key, which is published in your DNS as a TXT record. For stronger security and better long-term protection, it is recommended to use 2048-bit DKIM keys.

2. Access your DNS management console

To get started, you need access to your Domain Name System. You can contact your DNS provider or hosting company if you are unsure where your DNS is managed. In most cases, DNS settings can be found in your domain registrar or hosting dashboard under sections labeled DNS management, DNS records, or zone editor. When adding your DKIM record, make sure it is published at the domain level specified by your email provider, as placing the record in the wrong zone, or subdomain, can prevent DKIM from working correctly.

3. Add the DKIM record to your DNS settings

Publish the DKIM public key (typically as a TXT or CNAME record) in your DNS settings under the selector name you chose (e.g., `s1._domainkey.yourdomain.com`). Save changes. Configure your email sending server(s) to use the corresponding private key to sign your outgoing messages.

4. Verify your DKIM configuration

Once you have configured your DKIM record and allowed time for DNS propagation (which can take up to 48 hours), verify it using our DKIM checker tool. This tool will tell you if your record is valid, error-free, and set up correctly! 

Want to automate your DKIM setup and management process? Get started with Hosted DKIM for free! 

Setup DKIM for Popular Email Services

If you are using different email services to send your business or commercial emails, you need to set up DKIM for each of them. Each provider signs outgoing messages with its own DKIM key and selector, so configuring DKIM individually ensures that every service sending on behalf of your domain is properly authenticated. This prevents authentication gaps, improves overall email deliverability, and ensures all vendors are sending compliant, trusted emails to your recipients.

1. For Google Workspace

Source: Google support

1. Check if you have DKIM already set up for your domain using our DKIM validator tool. 
2. If you are not using Google Workspace, you can use PowerDMARC’s DKIM generator tool to create your record. 
3. If you are using Google Workspace, sign in to Google Admin Console 
4. Go to Menu > Apps > Google Workspace> Gmail.
5. Click on Authenticate Email 
6. Select your domain from the list and click on the Generate New Record button to get started with record creation. Google typically provides a 2048-bit key.
7. Once generated, copy the DNS Host name (TXT record name) and TXT record value (the public key).
8. Publish the TXT record in your DNS settings and save changes. Wait for DNS propagation.
9. Return to the Google Admin Console and click “Start Authentication”.

2. For Microsoft Office 365

Microsoft Office 365 uses two DKIM selectors for each custom domain. These selectors allow Microsoft to rotate DKIM keys automatically without interrupting email delivery, which improves security and reduces the risk of key exposure. Both selectors must be published correctly in DNS for DKIM signing to work as expected.

To configure DKIM for Microsoft Office 365, follow these steps:

• Go to Email authentication settings in the Microsoft Defender portal.
• On the DKIM tab, select the custom domain you want to configure by clicking anywhere on the row except the checkbox.
• In the domain details flyout, check the status. If it displays “No DKIM keys saved for this domain”, select Create DKIM keys.

Microsoft will generate two DKIM selectors and display the required CNAME record values. These records point your domain to Microsoft-managed DKIM keys.

• Copy the two hostnames and their corresponding target values.
• Open your domain registrar’s DNS management interface and create the required CNAME records using the copied values. For example:
  • Hostname: selector1._domainkey → Value: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
  • Hostname: selector2._domainkey → Value: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
• Save the records and allow time for DNS propagation. This can take a few minutes or longer, depending on your DNS provider.
• Once propagation is complete, return to the domain details flyout in the Defender portal and toggle Sign messages for this domain with DKIM signatures to Enabled. If the CNAME records are detected successfully, the status will update.
• To confirm setup, verify that:
  • The toggle is set to Enabled.
• The status shows Signing DKIM signatures for this domain.
• The Last checked date reflects a recent validation.

3. For Godaddy

The process for GoDaddy involves adding the DKIM record (usually a TXT or CNAME record provided by your email service provider or generated by a tool) to your domain’s DNS settings.

• Log in to your GoDaddy account.
• Go to the Domain Portfolio page and select your domain.
• Select DNS from the left-hand menu.
• Click “Add New Record.”
• Enter the details provided by your DKIM setup instructions:

Type: Select TXT or CNAME as required.

Name: Enter the Hostname/Name provided (e.g., selector._domainkey. GoDaddy often automatically appends your domain name).

Value: Paste the DKIM public key value or the target CNAME value.

TTL: Use the default (usually 1 hour) or follow specific instructions.

• Click “Save”. Allow time for DNS propagation.

4. For Cloudflare 

Similar to GoDaddy, setting up DKIM with Cloudflare involves adding the specific DNS record provided by your email service or DKIM generation tool.

• Log in to Cloudflare.
• Select your account and domain.
• Go to DNS → Records.
• Click “Add record”.
• Enter the details for your DKIM record:
  • Type: Select TXT or CNAME as required.
  • Name: Enter the Hostname (e.g., `selector._domainkey`). Cloudflare automatically appends the domain.
  • Content/Target: Paste the DKIM public key value (for TXT) or the target hostname (for CNAME).
  • TTL: Auto is usually fine, or follow specific instructions.
• Ensure Proxy status is set to “DNS only” (gray cloud) for DKIM records.
• Click Save and allow time for DNS propagation.

How to identify your DKIM selector

A common question often raised by domain owners is “How do I find my DKIM selector”? The selector is part of the DKIM signature added to your email headers and corresponds to the specific public key record in your DNS. In order to find your DKIM selector for an email you received or sent:

1) Send a test mail from the configured domain/service to an account you can access (like Gmail).

2) Open the email in your inbox (e.g., Gmail).

3) Click on the three vertical dots (More options) next to the reply button.

4) Select “Show original”.

5) On the “Original Message” page, look for the `DKIM-Signature` header. Within this header, find the `s=` tag. The value assigned to this tag is your DKIM selector (e.g., `s=s1` means the selector is `s1`).

DKIM Best Practices for Stronger Email Authentication

Once DKIM is set up, how you manage and maintain it determines how effective it remains over time. In addition to signing emails correctly, DKIM is also about ensuring long-term reliability, security, and alignment with other authentication protocols. Strong DKIM practices reduce the risk of misconfiguration, improve deliverability consistency, and make it easier to respond to evolving mailbox provider requirements and threat patterns.

Here are the most important DKIM best practices:

• Rotate DKIM keys regularly: Regular key rotation reduces the impact of a compromised private key and limits long-term exposure. Automating rotation or using multiple selectors makes this process safer and easier to manage.
• Use strong DKIM keys and clear selectors: Always use 2048-bit keys for stronger cryptographic protection. Descriptive selectors help distinguish keys across providers and simplify troubleshooting.
• Monitor DKIM authentication results: Review DKIM pass and fail results through DMARC aggregate reports to catch signing errors, DNS issues, or unauthorized use early.
• Combine DKIM with SPF and DMARC: DKIM is most effective when aligned with SPF and enforced through DMARC policies, creating layered protection against spoofing and phishing attempts.

This approach keeps DKIM reliable, scalable, and aligned with modern email security expectations.

Troubleshooting Common DKIM Problems

• DNS propagation delays: Newly published or updated DKIM records may take time (minutes to 48 hours) to propagate across global DNS servers. It’s important to wait sufficiently and verify record presence using external DNS lookup tools before assuming a configuration error.
• Incorrect DKIM record configuration: Typos in the selector name, missing characters in the public key value, incorrect record type (TXT vs. CNAME), or wrongly formatted records can lead to failures. Double-check the hostname and value carefully against the provided instructions before publishing them on your DNS.
• DKIM verification failures (`dkim=fail`): If DKIM fails verification, emails may be marked as spam or rejected. Potential causes include incorrect public key in DNS, private key mismatch on the sending server, message modification by intermediaries (though DKIM is designed to detect this), or overly strict verification by the receiver. Check DKIM signature headers in the email source, confirm the public key in DNS matches the one intended, and analyze DMARC reports for failure patterns.
• Issues with third-party email senders: When using third-party providers (like Mailchimp, SendGrid, Office 365), ensure you follow their specific DKIM setup instructions. Some may require using CNAME records pointing to their domain, while others allow you to publish a TXT record with a key they provide or one you generate. Confirm the provider supports DKIM for your sending domain.
• Selector issues: Using the wrong selector name in the DNS record (mismatching the `s=` tag in the email header) will cause authentication failures. Verify the selector name published in DNS matches the one being used by the sending service in the email headers.

Strengthen Your Authentication Framework Through DKIM

DKIM forms a strong building block when it comes to strengthening your domain’s email security posture. By ensuring the integrity of your email communications using cryptographic verification, it protects your brand reputation from harm and your domain against spoofing and phishing attacks that rely on forged sender information. With millions of unprotected domains worldwide and increasing scrutiny from mailbox providers, understanding how to set up DKIM correctly is an important step toward stronger authentication. When implemented alongside SPF and DMARC, DKIM provides more reliable protection and better email trust. Start your free trial with PowerDMARC to simplify DKIM setup, monitoring, and ongoing management.

Frequently Asked Questions

How long does it take for DKIM to start working?

After publishing the DKIM public key in DNS, propagation can usually take anywhere from a few minutes to up to 48 hours, depending on your DNS provider. Once the record is visible and DKIM signing is enabled on your mail server, all newly sent emails will be signed and authenticated.

How do I verify if my DKIM setup is working?

You can verify DKIM by using a DKIM lookup tool to confirm the DNS record is published correctly, then send a test email and check the message headers for a dkim=pass result. You can also rely on DMARC aggregate reports, which give you a broader view of DKIM authentication results across all of your email traffic, not just a single message.

What happens if DKIM verification fails? 

When DKIM verification fails, receiving mail servers may treat the message as suspicious. Depending on spam filtering rules and DMARC policy settings, the email could be marked as spam, quarantined, or rejected, which can negatively affect deliverability and sender reputation.

Can I use multiple DKIM selectors for the same domain?

Yes. Multiple DKIM selectors are commonly used when sending email through different services or during key rotation. Each selector corresponds to a different key, allowing providers to sign emails independently and enabling smooth key transitions without interrupting email delivery.

What are the common mistakes to avoid during DKIM setup?

Common mistakes include DNS syntax errors, publishing the wrong record type, selector mismatches, failing to enable DKIM signing on the sending platform, incomplete public keys, and testing before DNS propagation completes. Using weak key lengths instead of 2048-bit keys can also reduce security.

“`

• About
• Latest Posts

Ahona Rudra

Domain & Email Security Expert at PowerDMARC

Ahona is the Marketing Manager at PowerDMARC, with 5+ years of experience in writing about cybersecurity topics, specializing in domain and email security. Ahona holds a post-graduation degree in Journalism and Communications, solidifying her career in the security sector since 2019.

Latest posts by Ahona Rudra (see all)

• PowerDMARC Now Integrates with Elastic SIEM - February 5, 2026
• SEG vs API Email Security: A Detailed Comparsion - February 4, 2026
• Top 11 Email Encryption Services in 2026 - February 4, 2026