Complete DKIM Setup Guide

Step-by-step instructions for implementing DKIM to digitally sign your emails and prevent tampering.

15 min read · Last updated: November 2025 · Intermediate

What you'll learn

  • What DKIM is and how digital signatures protect your emails
  • How to generate DKIM public/private key pairs
  • Understanding DKIM selectors and rotation
  • Step-by-step DNS configuration for DKIM
  • How to verify DKIM is working correctly

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to let a receiver check that an email was signed with a key under your domain's control and that the signed parts of it have not been altered since.

When you send an email, your mail server hashes the message body and selected headers and signs that hash with a private key, recording the result in a DKIM-Signature header. Receiving servers fetch your public key from DNS and verify the signature. If the signature is valid and the signed content is unchanged, the email passes DKIM authentication.

How DKIM Works

1. Email is sent from your server

Your mail server hashes the message body and the headers it wants to protect (From, Subject, Date, ...) and signs that hash with your private DKIM key.

2. Signature is added to the email header

A DKIM-Signature header is added carrying the signing domain (d=), the selector (s=), the list of signed headers (h=), the body hash (bh=) and the signature itself (b=). Nothing is encrypted: the message stays readable, and the signature only proves that the holder of the private key produced it for this exact content.

3. Receiving server retrieves the public key

The receiving server reads d= and s= from the header and fetches the TXT record at [selector]._domainkey.[domain] to obtain your public key.

4. Signature is verified

The receiver recomputes the body hash, checks it against bh=, then verifies the signature over the signed headers with the public key. If both match, DKIM passes; any change to the body or to a signed header after signing makes it fail.

Understanding DKIM Selectors

A DKIM selector is a name that identifies one DKIM key pair under your domain. It is carried in the s= tag of every signature, so the receiver knows which public key to fetch. Using several selectors lets you keep separate keys for different sending systems and rotate keys without disrupting email flow.

Example DKIM DNS record format:

[selector]._domainkey.yourdomain.com

Common selectors:

  • default._domainkey.yourdomain.com
  • google._domainkey.yourdomain.com (Google Workspace)
  • s1._domainkey.yourdomain.com (SendGrid)
  • k1._domainkey.yourdomain.com (Mailgun)

Step 1: Generate DKIM Keys

The method for generating DKIM keys depends on your email provider or mail server:

Google Workspace

  1. Sign in to Google Admin console
  2. Go to Apps → Google Workspace → Gmail → Authenticate email
  3. Click "Generate new record" under DKIM authentication
  4. Choose the key length (2048-bit recommended); the selector prefix defaults to google
  5. Copy the DNS TXT record values provided

Microsoft 365

  1. Sign in to Microsoft 365 Defender portal
  2. Go to Email & collaboration → Policies & rules → Threat policies
  3. Click on DKIM
  4. Select your domain and click "Create DKIM keys"
  5. Copy the two CNAME records provided (selector1 and selector2)

Using OpenSSL (Self-Hosted)

For self-hosted mail servers, generate keys using OpenSSL:

# Generate a 2048-bit RSA private key (this file stays on the signing server only)
openssl genrsa -out dkim_private.pem 2048

# Derive the public key from it
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem

# Produce the p= value for DNS: drop the BEGIN/END lines and join the base64 onto one line
grep -v '^-----' dkim_public.pem | tr -d '\n'; echo

Security Warning

NEVER share or publish your private key. Keep it only on the server that signs, owned by the signing daemon's user with restricted permissions (chmod 600), and out of shared backups and repositories. Only the public key is published in DNS. If the private key is ever exposed, treat the selector as compromised: generate a new key under a new selector and revoke the old one by publishing its record with an empty p=.

Step 2: Add DKIM Record to DNS

The format of your DKIM DNS record varies by provider:

TXT Record Format

Hostname:

default._domainkey.yourdomain.com

Record Type:

TXT

Value:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

Breaking it down:

  • v=DKIM1 - record version; if present it must be the first tag, and you should always include it
  • k=rsa - key type (rsa is the default if omitted)
  • p=... - your public key: the base64 DER SubjectPublicKeyInfo that openssl emits, i.e. the PEM body with its header lines removed. An empty p= is meaningful: it tells verifiers that this selector's key has been revoked
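The record above is what a verifier (and you, when troubleshooting) has to parse. As an added example, not code from the original article or from any provider, the following Python checks a published DKIM record using only the standard library: it joins the TXT strings the way a resolver does, parses the tag list, decodes p= and reads the RSA modulus size out of the DER SubjectPublicKeyInfo with a minimal ASN.1 reader, and flags an empty (revoked) key, a malformed key and a key shorter than 2048 bits. The sample records are constructed: the moduli are placeholder numbers of the right size, not real keys, but they are encoded exactly as openssl encodes a genuine public key, which is why their base64 starts with the MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA prefix shown above.

```python
"""Parse a published DKIM key record and check the RSA key it carries.

Constructed example, not code from the original article: the placeholder
moduli below are just numbers of the right size, encoded the way openssl
encodes a genuine public key.
"""
import base64
import binascii
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


# -- minimal DER encode/decode, enough for SubjectPublicKeyInfo --
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | number of length bytes, then the length itself
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the INTEGER positive
    return _der(0x02, body)


def _der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA key, the structure 'openssl rsa -pubout' emits."""
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))


def rsa_key_bits(spki: bytes) -> int:
    """Modulus length in bits, read out of a DER SubjectPublicKeyInfo."""
    tag, body, _ = _der_read(spki)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, alg_id, pos = _der_read(body)
    if _der_read(alg_id)[1] != RSA_OID:
        raise ValueError("not an RSA key")
    tag, bit_string, _ = _der_read(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = _der_read(bit_string[1:])  # first byte = unused-bit count
    _, modulus, _ = _der_read(rsa_pub)
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt_strings) -> dict:
    """Join the TXT strings as a resolver does, then split the tag=value list."""
    tags = {}
    for part in "".join(txt_strings).split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip()] = re.sub(r"\s+", "", value)  # folding whitespace is ignored
    return tags


def check_dkim_record(txt_strings, min_bits: int = 2048) -> list:
    """Return the problems found; an empty list means the record looks fine."""
    findings = []
    tags = parse_dkim_record(txt_strings)
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append(f"unexpected version {tags['v']!r}")
    if tags.get("k", "rsa") != "rsa":
        return findings + [f"key type {tags['k']!r} is not checked here"]
    if "p" not in tags:
        return findings + ["missing p= tag"]
    if tags["p"] == "":
        return findings + ["p= is empty: the key is revoked, signatures with this selector fail"]
    try:
        bits = rsa_key_bits(base64.b64decode(tags["p"], validate=True))
    except (binascii.Error, ValueError, IndexError):
        return findings + ["p= is not a valid base64 RSA public key (line breaks or truncation?)"]
    if bits < min_bits:
        findings.append(f"RSA key is {bits} bits; {min_bits} recommended")
    return findings


def sample_record(bits: int) -> str:
    """Constructed record with a placeholder modulus (top bit set, so the size is exact)."""
    spki = build_rsa_spki((1 << (bits - 1)) | 1)
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

To check a live record, pass the list of strings your DNS lookup returns for selector._domainkey.yourdomain.com to check_dkim_record; the list form matters because a 2048-bit record is published as more than one string.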

Common Provider-Specific Examples

Google Workspace

Hostname:

google._domainkey.yourdomain.com

Value:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...

Microsoft 365

Two CNAME records required. The exact targets are shown in the portal: yourdomain-com is your domain with dots replaced by dashes, and the suffix is your tenant's initial onmicrosoft.com domain, which is not necessarily named after yourdomain:

selector1._domainkey.yourdomain.com

→ CNAME to selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com

selector2._domainkey.yourdomain.com

→ CNAME to selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com

SendGrid

Three CNAME records (targets are shown on the SendGrid domain authentication page; the em host is the branded return-path domain rather than a DKIM key):

  • s1._domainkey.yourdomain.com
  • s2._domainkey.yourdomain.com
  • em[number].yourdomain.com

DNS Propagation

A new DKIM record is usually visible within 15-30 minutes. If you changed an existing record, resolvers keep serving the old value until its TTL expires, which can take up to 48 hours with long TTLs. Verify propagation with a DNS lookup tool against a public resolver, not only against your own DNS server.

Step 3: Configure Your Mail Server

After publishing your DKIM public key in DNS, configure your mail server to sign outgoing emails:

Google Workspace

  1. After adding DNS records, return to Google Admin console
  2. Click "Start authentication" button
  3. Google will verify your DNS records automatically
  4. DKIM signing will begin within 24-48 hours

Microsoft 365

  1. After adding CNAME records, return to DKIM settings
  2. Toggle "Sign messages for this domain with DKIM signatures" to On
  3. Microsoft will verify DNS records automatically
  4. DKIM signing will start immediately after verification

Postfix (Self-Hosted)

Install and configure OpenDKIM:

# Install OpenDKIM
apt-get install opendkim opendkim-tools

# /etc/opendkim.conf (the key file must be owned by the opendkim user, mode 600)
Domain yourdomain.com
KeyFile /etc/opendkim/keys/dkim_private.pem
Selector default
Mode s
Canonicalization relaxed/simple
Socket inet:8891@localhost

# /etc/postfix/main.cf: hand outgoing mail to the milter, then restart opendkim and postfix
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

Step 4: Verify DKIM is Working

After configuration, verify that DKIM is properly signing your emails:

Send a Test Email

  1. Send a test email from the domain to a mailbox you control (or to a third-party authentication-check address)
  2. View the message's raw source / full headers at the receiving side
  3. Confirm a DKIM-Signature header is present with d=yourdomain.com and, in s=, the selector you published
  4. Check the receiver's Authentication-Results header for dkim=pass; dkim=fail or dkim=none points at a key, selector or signing problem
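What the receiver does in this step, and in step 4 of How DKIM Works, is mechanical, and the body-hash half of it can be reproduced with nothing but the standard library. The following is an added example, not code from the original article or from any mail software: it parses the DKIM-Signature header, canonicalizes the body as the c= tag dictates, recomputes bh= and compares it, so a message altered after signing is caught. The RSA check of b= over the signed headers is the other half of verification and needs a crypto library, so the constructed signer below leaves b= empty. All messages, example.com, example.net and the selector default are constructed placeholders. The block also shows the l= body-length tag, which a verifier honours and which lets anything appended after that point go unsigned.

```python
"""Recompute and check the DKIM body hash (bh=) of a raw message.

Added example, not code from the original article. The signer side here is
constructed for the demo and leaves b= empty: a real signer RSA-signs the
canonicalized headers named in h= and fills that tag in.
"""
import base64
import hashlib
import re


def canonicalize_body(body: bytes, mode: str = "simple") -> bytes:
    """RFC 6376 body canonicalization ('simple' or 'relaxed')."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Drop trailing whitespace and collapse runs of spaces/tabs to one space.
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    while lines and lines[-1] == b"":  # empty lines at the end of the body are ignored
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "simple", algo: str = "sha256", limit=None) -> str:
    """bh= value: base64 of the hash over the canonical body (or its first l= bytes)."""
    canonical = canonicalize_body(body, mode)
    if limit is not None:
        canonical = canonical[:limit]
    return base64.b64encode(hashlib.new(algo, canonical).digest()).decode()


def parse_tags(value: str) -> dict:
    """Split a DKIM tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def get_header(head: bytes, name: str):
    """Return the first header with this name, unfolded, or None."""
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", head)
    for line in unfolded.split(b"\n"):
        hname, sep, value = line.rstrip(b"\r").partition(b":")
        if sep and hname.strip().lower() == name.lower().encode():
            return value.strip().decode()
    return None


def verify_body_hash(raw: bytes) -> dict:
    """Verifier side: recompute bh= from the received body and compare with the signed value."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head, _, body = raw.partition(sep)
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        return {"bh_matches": False, "reason": "no DKIM-Signature header"}
    tags = parse_tags(sig)
    algo = tags.get("a", "rsa-sha256").rpartition("-")[2]  # rsa-sha256 -> sha256
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    limit = int(tags["l"]) if "l" in tags else None
    result = {
        "domain": tags.get("d"), "selector": tags.get("s"), "body_canon": body_mode,
        "bh_matches": body_hash(body, body_mode, algo, limit) == tags.get("bh"),
    }
    if algo == "sha1":
        result["warning"] = "rsa-sha1 is obsolete (RFC 8301); modern verifiers reject it"
    elif limit is not None:
        result["warning"] = f"l={limit}: anything appended after byte {limit} is unsigned"
    return result


# Constructed sample body; the trailing blank lines are ignored by canonicalization.
SAMPLE_BODY = b"Hello,\r\n\r\nYour invoice is attached.\r\n\r\n\r\n"


def build_sample_message(body: bytes = SAMPLE_BODY, use_length_tag: bool = False) -> bytes:
    """Signer side (constructed): compute bh= and emit the DKIM-Signature header."""
    canonical = canonicalize_body(body, "simple")
    tags = ["v=1", "a=rsa-sha256", "c=relaxed/simple", "d=example.com", "s=default",
            "h=from:to:subject:date", f"bh={body_hash(body, 'simple')}"]
    if use_length_tag:
        tags.append(f"l={len(canonical)}")  # the l= footgun: only this many bytes are hashed
    head = ("DKIM-Signature: " + "; ".join(tags) + ";\r\n\tb=\r\n"
            "From: billing@example.com\r\n"
            "To: alice@example.net\r\n"
            "Subject: Invoice 42\r\n"
            "Date: Mon, 03 Nov 2025 10:00:00 +0000\r\n")
    return head.encode() + b"\r\n" + body
```

verify_body_hash(build_sample_message()) reports bh_matches True; editing one word of the body flips it to False, while appending blank lines does not (canonicalization ignores them). With use_length_tag=True the same message still passes after arbitrary text is appended, which is why signing with l= is discouraged.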

Best Practices

1. Use 2048-bit Keys

Verifiers still accept 1024-bit keys, but RFC 8301 requires signers to use at least 1024 bits and recommends 2048, and it retires rsa-sha1: sign with rsa-sha256 only. Note that a 2048-bit record does not fit in a single 255-byte TXT string; see Troubleshooting below.

2. Rotate DKIM Keys Regularly

Rotate your DKIM keys every 6-12 months, and immediately if the private key may have been exposed. Use a new selector for each key: publish the new record first, switch the signer to it once DNS has propagated, keep the old record for a few days so mail already in transit still verifies, then remove it or leave it published with an empty p= to mark it revoked.

3. Sign All Outgoing Email

Configure your mail server to sign all outgoing email, not just marketing or transactional emails. This provides maximum protection.

4. Monitor DKIM Failures

Enable DMARC reporting to monitor DKIM authentication failures and identify configuration issues or unauthorized sending sources.

Troubleshooting

DKIM Record Not Found

  • Verify the selector name matches your mail server configuration
  • Check that the hostname includes ._domainkey.
  • Wait 15-30 minutes for DNS propagation
  • Use dig TXT selector._domainkey.yourdomain.com to verify

DKIM Signature Verification Failed

  • Ensure the p= value in DNS is the public key of the private key the server actually signs with (regenerate the public key from the private key as in Step 1 and compare the base64)
  • Check that the key is properly formatted (no line breaks, extra spaces or PEM header lines inside p=)
  • Verify the selector in your mail server config matches the DNS record name
  • Confirm your mail server's DKIM signing service is running and that the mail server is actually passing messages to it
  • Remember that anything that modifies a message after signing (mailing-list footers, disclaimers added by a downstream gateway, some forwarders) invalidates the signature; make signing the last step before delivery

DNS Record Too Long

  • A TXT record is a sequence of strings of at most 255 bytes each; a 2048-bit key record is about 410 characters and cannot fit in one string
  • Publish it as two or more quoted strings, which resolvers join back together with no separator: "v=DKIM1; k=rsa; p=MIIBIjAN..." "...rest of the key"
  • Most DNS web interfaces split a long value automatically when you paste it; if yours rejects it, split the value yourself at any character boundary
  • If the provider cannot publish the record at all, CNAME the selector name to a zone hosted by a provider that can, or as a last resort fall back to a 1024-bit key (weaker; plan to move off it)
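As an added example, not code from the original article, the following Python turns the public-key PEM from Step 1 into the DNS record and splits it for a zone file, doing what the tr/sed pipeline in Step 1 does plus the 255-byte splitting this item is about. The PEM is a constructed placeholder built from junk bytes of the same length as a real 2048-bit SubjectPublicKeyInfo, so it has the right size but is not a usable key; the selector default and the 3600 TTL are assumptions.

```python
"""Turn an openssl public-key PEM into DKIM TXT strings that fit DNS.

Added example, not code from the original article. The PEM below is a
placeholder of the right length (294 bytes, the size of a 2048-bit RSA
SubjectPublicKeyInfo), not a real key.
"""
import base64
import textwrap

TXT_MAX = 255  # maximum length of one <character-string> in TXT RDATA (RFC 1035)


def pem_to_base64(pem: str) -> str:
    """Strip the BEGIN/END lines and join the base64 body onto one line."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN") and lines[-1].startswith("-----END")):
        raise ValueError("not a PEM block")
    return "".join(lines[1:-1])


def dkim_record(public_key_pem: str, key_type: str = "rsa") -> str:
    """The full record value, as pasted into a provider's web UI."""
    return f"v=DKIM1; k={key_type}; p={pem_to_base64(public_key_pem)}"


def txt_strings(record: str, max_len: int = TXT_MAX) -> list:
    """Split into <=max_len-byte pieces (DKIM records are ASCII, so bytes == chars)."""
    return [record[i:i + max_len] for i in range(0, len(record), max_len)]


def join_txt_strings(strings) -> str:
    """What a resolver and a DKIM verifier do with the published strings."""
    return "".join(strings)


def zone_file_line(selector: str, record: str, ttl: int = 3600) -> str:
    """One RR in zone-file syntax; quotes and backslashes inside strings are escaped."""
    quoted = ['"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
              for s in txt_strings(record)]
    return f"{selector}._domainkey {ttl} IN TXT ( " + " ".join(quoted) + " )"


# Constructed placeholder PEM: 294 junk bytes, base64 wrapped at 64 columns like openssl.
PLACEHOLDER_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(bytes(range(256)) + bytes(38)).decode(), 64))
    + "\n-----END PUBLIC KEY-----\n"
)
```

For a real key, read dkim_public.pem from Step 1 instead of PLACEHOLDER_PEM; a 2048-bit record comes out as one 255-byte string plus one 155-byte string, and join_txt_strings gives back exactly the value you started from.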

Next Steps

Once DKIM is configured, complete your email authentication by setting up SPF (if not done) and DMARC to tie everything together.
