Key Takeaways
- DKIM authenticates emails by verifying message integrity and confirming that messages were sent by authorized servers.
- Setting up DKIM involves generating a key pair, publishing the public key as a DNS record, and enabling signing on your email provider.
- DKIM improves deliverability and sender reputation by helping mailbox providers trust your domain.
- Each email service requires its own DKIM configuration, often using separate selectors for flexibility and key rotation.
- DKIM works best when combined with SPF and enforced through DMARC, supported by regular monitoring and key maintenance.
If your emails are landing in spam or getting rejected, chances are your domain isn’t properly authenticated.
One of the most important steps you can take to fix this is setting up DKIM: a protocol that proves your emails are legitimate and haven’t been tampered with.
In this guide, we’ll walk you through how to set up DKIM for your domain, step by step, so you can protect your sender reputation and improve your email deliverability.
What is DKIM?
DKIM, or DomainKeys Identified Mail, is an email authentication method that uses digital signature schemes based on public key cryptography to verify where an email came from. It works by pairing two cryptographic keys: a private key that the sender uses to sign outgoing messages, and a public key that receiving servers use to verify those signatures.
Every email sent from a DKIM-enabled domain includes a DKIM-Signature header containing a digital signature: essentially a hash of the email’s content that the sending server signs with the private key.
The corresponding public key is stored in a publicly available DNS record known as the DKIM record. When an email arrives, the receiving server looks up this record, retrieves the public key, and uses it to verify the signature. If the email headers or body have been altered in any way during transit, the verification fails.
Expert Tip: For enterprise environments, document your current email infrastructure before making changes. This includes third-party senders, subdomains, and any existing authentication records.
Why is DKIM Essential for Your Domain?
DKIM setup strengthens email authentication and supports both security and reliable message delivery without adding complexity for recipients. Here’s why setting up DKIM matters:
- Prevents domain spoofing: DKIM helps prevent unauthorized spoofing of your domain by authenticating every outgoing email with a digital signature, making it significantly harder for attackers to send spam emails pretending to be you.
- Protects your sender reputation: When receiving servers can verify that your emails are legitimate and untampered, your domain builds trust over time. This directly protects your brand and sender reputation.
- Improves email deliverability: DKIM significantly increases your email delivery rates. Without it, emails that fail DKIM and SPF checks get marked as spam or are not delivered at all by receiving email servers.
- Ensures email integrity: The digital signature in DKIM ensures that the email has not been changed in transit. If the headers or body are altered after sending, verification fails. Recipients can trust that what they receive is exactly what you sent.
- Enables DMARC compliance: DKIM is a requirement to become DMARC compliant. Without it, you can’t enforce a DMARC policy, leaving your domain vulnerable to phishing and impersonation attacks.
- Strengthens your overall email security stack: DKIM, along with SPF and DMARC, makes it much more difficult for attackers to impersonate your domain. Together, these three protocols form the foundation of modern email authentication.
How Does DKIM Work?
DKIM is a technical process, but the core idea is simple. It allows email providers to verify that a message came from the stated domain and was not changed in transit. Here’s how it works.
- Signing: The sending server uses a private key to generate a digital signature, which is attached to the email as a DKIM-Signature header field.
- Publishing: The domain’s public key is published as a DNS TXT record (the DKIM record) so any receiving server can access it.
- Verification: The receiving email server checks the DKIM DNS record, retrieves the public key, and uses it to verify the digital signature.
- Pass or fail: If the signature matches, the email is authenticated. If the email headers or body were changed in transit, verification fails, and the message may be flagged as spam or rejected.
The DKIM-Signature header also contains a selector, which tells the receiving server exactly which public key to use for verification. This is especially important when a domain uses multiple DKIM keys.
DKIM Setup Prerequisites
Before you begin the DKIM setup process, you need to make sure a few things are in place. Skipping any of these can lead to misconfigurations or failed authentication, so it’s worth taking a moment to confirm you have everything ready.
- Admin access to your domain’s DNS settings: You’ll need to create a TXT record at your domain provider to publish your public DKIM key
- Admin access to your email service provider: Whether you use Google Workspace, Microsoft 365, or another provider, you must be signed in as a super administrator to generate or obtain DKIM keys
- A list of all your sending domains and services: You need to create DKIM records for every domain and service authorized to send mail on your organization’s behalf, including third-party tools
- A DKIM key pair: Major providers can auto-generate these in their admin consoles, or you can obtain them from third-party portals or use tools like PowerDMARC’s DKIM Record Generator
Once you’ve confirmed all of this, you’re ready to proceed with the setup.
How to Set Up DKIM for Your Domain (Step-by-Step)
Now that you have everything in place, it’s time to walk through the actual DKIM setup process. Follow each step carefully to ensure your DKIM configuration is accurate and functional from the start.
Step 1: Generate Your DKIM Key Pair
Log in to your email service provider’s admin console and generate a DKIM key pair. This will give you a private key (which stays with your provider) and a public key that you’ll add to your DNS.
If your provider is a third-party service, navigate to their portal to obtain the DKIM key. When choosing a key size, opt for 2048 bits for better security.
Step 2: Create Your DKIM TXT Record in DNS
Head to your domain provider’s DNS management panel and create a new TXT record. The record name follows a specific format: <selector>._domainkey.<yourdomain.com>, where the selector is a unique string used to identify the specific DKIM key.
The record value typically starts with v=DKIM1; k=rsa; p= followed by your public key. Follow the specific instructions provided by your email provider and domain host to ensure accuracy.
Step 3: Enable DKIM Signing in Your Email Service Provider
Go back to your email service provider’s settings and enable DKIM signing. This tells the provider to start attaching a DKIM signature to every outgoing email from your domain.
Without this step, your emails won’t carry a DKIM-Signature header even if the DNS record is in place.
Step 4: Wait for DNS Propagation
After adding the DKIM key, it can take up to 48 hours for DKIM authentication to start working.
During this time, DNS changes propagate across the internet, so don’t panic if verification doesn’t pass immediately.
Step 5: Repeat for Additional Services
If you use multiple email services, repeat Steps 1–4 for each one. Each service requires its own unique DKIM record with a distinct selector to ensure all your sending sources are properly authenticated.
How to Verify Your DKIM Setup
Next, you also need to confirm that everything is working correctly. A misconfigured record or a typo in your TXT entry can silently break authentication, so it’s important to verify your setup before assuming your emails are protected. Here are a few reliable ways to check.
- Check email headers: Send a test email and inspect the message headers for a DKIM-Signature field and dkim=pass in the authentication results
- Send a test email to Gmail: Open the received email, click “Show original,” and look for DKIM pass status in the authentication details
- Use online verification tools: Tools like MXToolbox let you look up your DKIM record by entering your domain and selector to confirm the public key is published correctly
- Allow time for propagation: If verification fails, remember it can take up to 48 hours for DNS changes to fully propagate before troubleshooting further
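The header check described above, as an added example that is not part of the original guide: it reads the selector (s=) and domain (d=) from each DKIM-Signature header, derives the DNS name a receiver will query, and collects the dkim= verdicts from Authentication-Results. The sample message, the `published` selector map and the `trusted_authserv` parameter are assumptions made for the example.

```python
import email
import re

# Constructed sample message; bh= and b= are placeholders, not real signature data.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@example.com header.s=news2026;
 spf=pass smtp.mailfrom=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=news2026; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: sender@example.com
To: you@example.net
Subject: DKIM test

Test body.
"""

def parse_tags(value):
    """Split a DKIM tag=value list, dropping folded-header whitespace."""
    pairs = (item.partition("=") for item in value.split(";") if "=" in item)
    return {key.strip(): "".join(val.split()) for key, _, val in pairs}

def dkim_report(raw_message, published, trusted_authserv):
    """Summarise DKIM signatures and the receiving server's DKIM verdicts.

    published: {domain: set of selectors you have put in DNS} (assumed input).
    trusted_authserv: id of your own receiving server; Authentication-Results
    lines from any other host could have been added by the sender.
    """
    msg = email.message_from_string(raw_message)
    signatures = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        domain, selector = tags.get("d", ""), tags.get("s", "")
        signatures.append({
            "dns_name": f"{selector}._domainkey.{domain}",
            "published": selector in published.get(domain, ()),
        })
    verdicts = []
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip() == trusted_authserv:
            verdicts += re.findall(r"\bdkim=(\w+)", results)
    return {"signatures": signatures, "verdicts": verdicts}
```

A signature whose `published` flag is false points at the selector mismatch case: the message was signed with a selector that has no record in your DNS inventory.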
DKIM Setup for Common Email Providers
If you’re using different email services to send your business or commercial emails, you’ll need to set up DKIM for each of them.
Each provider signs outgoing messages with its own DKIM key and selector, so configuring DKIM individually ensures that every service sending on behalf of your domain is properly authenticated.
1. For Google Workspace
For small businesses using Google Workspace, this setup typically takes 15-20 minutes and provides immediate email security benefits.
- Check if you have DKIM already set up for your domain using our DKIM validator tool.
- If you are not using Google Workspace, you can use PowerDMARC’s DKIM generator tool to create your record.
- If you are using Google Workspace, sign in to Google Admin Console
- Go to Menu > Apps > Google Workspace > Gmail.
- Click on Authenticate Email
- Select your domain from the list and click on the Generate New Record button to get started with record creation. Google typically provides a 2048-bit key.
- Once generated, copy the DNS Host name (TXT record name) and TXT record value (the public key).
- Publish the TXT record in your DNS settings and save changes. Wait for DNS propagation.
- Return to the Google Admin Console and click “Start Authentication”.
2. For Microsoft Office 365
Microsoft Office 365 uses two DKIM selectors for each custom domain. These selectors allow Microsoft to rotate DKIM keys automatically without interrupting email delivery, which improves security and reduces the risk of key exposure. Both selectors must be published correctly in DNS for DKIM signing to work as expected.
To configure DKIM for Microsoft Office 365, follow these steps:
- Go to Email authentication settings in the Microsoft Defender portal.
- On the DKIM tab, select the custom domain you want to configure by clicking anywhere on the row except the checkbox.
- In the domain details flyout, check the status. If it displays “No DKIM keys saved for this domain”, select Create DKIM keys.
Microsoft will generate two DKIM selectors and display the required CNAME record values. These records point your domain to Microsoft-managed DKIM keys.
- Copy the two hostnames and their corresponding target values.
- Open your domain registrar’s DNS management interface and create the required CNAME records using the copied values. For example:
- Hostname: selector1._domainkey → Value: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
- Hostname: selector2._domainkey → Value: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
- Save the records and allow time for DNS propagation. This can take a few minutes or longer, depending on your DNS provider.
- Once propagation is complete, return to the domain details flyout in the Defender portal and toggle Sign messages for this domain with DKIM signatures to Enabled. If the CNAME records are detected successfully, the status will update.
- To confirm setup, verify that:
- The toggle is set to Enabled.
- The status shows Signing DKIM signatures for this domain.
- The Last checked date reflects a recent validation.
3. For GoDaddy
The process for GoDaddy involves adding the DKIM record (usually a TXT or CNAME record provided by your email service provider or generated by a tool) to your domain’s DNS settings.
- Log in to your GoDaddy account.
- Go to the Domain Portfolio page and select your domain.
- Select DNS from the left-hand menu.
- Click “Add New Record.”
- Enter the details provided by your DKIM setup instructions:
- Type: Select TXT or CNAME as required.
- Name: Enter the Hostname/Name provided (e.g., selector._domainkey). GoDaddy often automatically appends your domain name.
- Value: Paste the DKIM public key value or the target CNAME value.
- TTL: Use the default (usually 1 hour) or follow specific instructions.
- Click “Save”. Allow time for DNS propagation.
4. For Cloudflare
Similar to GoDaddy, setting up DKIM with Cloudflare involves adding the specific DNS record provided by your email service or DKIM generation tool.
- Log in to Cloudflare.
- Select your account and domain.
- Go to DNS → Records.
- Click “Add record”.
- Enter the details for your DKIM record:
- Type: Select TXT or CNAME as required.
- Name: Enter the Hostname (e.g., `selector._domainkey`). Cloudflare automatically appends the domain.
- Content/Target: Paste the DKIM public key value (for TXT) or the target hostname (for CNAME).
- TTL: Auto is usually fine, or follow specific instructions.
- Ensure Proxy status is set to “DNS only” (gray cloud) for DKIM records.
- Click Save and allow time for DNS propagation.
DKIM Best Practices
Getting DKIM up and running is a great first step, but maintaining it properly over time is what truly keeps your domain secure and your emails landing in inboxes. Email threats evolve constantly, so your DKIM setup should be treated as an ongoing process rather than a one-time task. Follow these best practices to stay ahead:
- Never share or expose your private key: Treat it like a password; only your email service provider should have access to it.
- Use strong DKIM keys and clear selectors: Always use 2048-bit keys for stronger cryptographic protection. Descriptive selectors help distinguish keys across providers and simplify troubleshooting.
- Monitor DKIM authentication results: Review DKIM pass and fail results through DMARC aggregate reports to catch signing errors, DNS issues, or unauthorized use early.
- Keep your DNS records clean: Remove outdated DKIM TXT records from previous rotations or decommissioned services to avoid confusion and potential misuse.
Expert Tip: For enterprise environments, implement a DKIM key management policy that includes regular audits, automated monitoring, and documented procedures for key rotation across all email services.
Troubleshooting Common DKIM Problems
If DKIM is set up but not working as expected, a few common issues are usually to blame. This section covers the most frequent DKIM problems and how to fix them.
| Problem | Cause | Solution |
|---|---|---|
| DNS propagation delays | Global DNS update timing | Wait 24-48 hours, use external DNS tools |
| Incorrect record configuration | Typos, wrong format, missing characters | Double-check hostname and value syntax |
| DKIM verification failures | Key mismatch, message modification | Verify public key matches private key |
| Third-party sender issues | Missing provider-specific setup | Follow provider's DKIM instructions |
| Selector mismatches | DNS selector ≠ email header selector | Ensure selector names match exactly |
Strengthen Your Authentication Framework Through DKIM
DKIM is a critical building block for strengthening your domain’s email security posture. By verifying the integrity of your email communications through cryptographic signatures, it protects your brand reputation and defends your domain against spoofing and phishing attacks that rely on forged sender information.
With millions of unprotected domains worldwide and increasing scrutiny from mailbox providers, knowing how to set up DKIM correctly is essential. When paired with SPF and DMARC, DKIM delivers more reliable protection and builds stronger email trust across the board.
Start your free trial with PowerDMARC to simplify your DKIM setup, monitoring, and ongoing management.
Frequently Asked Questions
1. How do I set up DKIM for my email?
To set up DKIM for your email:
- Generate a DKIM key pair through your email provider
- Choose a unique selector name
- Publish the public key as a TXT record in your DNS
- Enable DKIM signing on your mail server
- Test the configuration using a DKIM validation tool
2. How do I know if DKIM is set up correctly?
You can verify DKIM setup by using online validation tools, sending test emails and checking headers for “dkim=pass” results, and monitoring DMARC aggregate reports for DKIM authentication statistics across your email traffic.
3. What is an example of a DKIM record?
A typical DKIM TXT record looks like: “v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA…” where v=DKIM1 is the version, k=rsa specifies the key type, and p= contains the base64-encoded public key.
4. How long does it take for DKIM to start working?
After you publish the DKIM public key in DNS, propagation usually takes anywhere from a few minutes to 48 hours, depending on your DNS provider. Once the record is visible and DKIM signing is enabled on your mail server, all newly sent emails will be signed and authenticated.
5. How do I verify if my DKIM setup is working?
You can verify DKIM by using a lookup tool to confirm the DNS record is published correctly, then send a test email and check the message headers for a dkim=pass result. You can also rely on DMARC aggregate reports, which give you a broader view of DKIM authentication results across all of your email traffic, not just a single message.
6. What happens if DKIM verification fails?
When DKIM verification fails, receiving mail servers may treat the message as suspicious. Depending on spam filtering rules and DMARC policy settings, the email could be marked as spam, quarantined, or rejected, which can negatively affect deliverability and sender reputation.
