What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method in which the sending domain signs each message and receivers verify the signature. When you send an email, your mail server signs selected headers and the body with a private key and adds the result as a DKIM-Signature header; receiving servers fetch your public key from a DNS TXT record and check the signature. A valid signature shows that the signed parts of the message were not altered after signing and that the domain named in the signature took responsibility for the message. DKIM therefore protects both message integrity and your domain's reputation.
Why DKIM Matters
Unlike SPF, which only checks that the sending IP address is authorized for the domain, DKIM ties the message itself to your domain with a signature that usually survives forwarding:
- Prevents tampering: Recipients can verify that the signed headers and body were not modified after your server signed them
- Builds domain trust: Email providers recognize DKIM-signed messages as more trustworthy, and a consistent signing domain lets them build a reputation for it
- Works with subdomains: You can sign emails from noreply.yourdomain.com or mail.yourdomain.com separately, each with its own key
- Improves deliverability: Email filters weight DKIM signatures heavily in spam scoring
- Enables DMARC alignment: DMARC passes when either SPF or DKIM passes with a domain aligned to the From: header; because a DKIM signature usually survives forwarding while SPF does not, DKIM is what keeps DMARC passing for forwarded mail
How DKIM Works
- Your mail server generates a public/private key pair
- You publish the public key in your DNS as a TXT record
- When sending an email, your mail server canonicalizes the headers it chooses to sign (From is mandatory) and the body, hashes them, and signs the result with the private key
- The signature is added to the email as a DKIM-Signature header, which also names the signing domain (d=), the selector (s=), the signed headers (h=) and the body hash (bh=)
- The receiving server reads d= and s= from that header and retrieves your public key from the TXT record at {selector}._domainkey.{domain}
- It recomputes the body hash and checks the signature (b=) with the public key; if both match, DKIM passes. Headers that were not signed are not covered and can still be changed in transit
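The sign-and-verify cycle above, as an added example that is not part of the original page: a stdlib-only Python implementation of the RFC 6376 relaxed canonicalization, body hash and rsa-sha256 signature, with textbook RSA (PKCS#1 v1.5) on a throwaway 512-bit key. The key size is a toy value so the demo runs instantly; real DKIM keys are 1024 bits minimum and 2048 bits recommended, and a production signer would use a real crypto library. The message, the domain example.com and the selector default are constructed. It signs a message, then verifies it unmodified, with a footer appended to the body (body hash mismatch) and with the Subject rewritten (signature failure).

```python
"""Added example, not code from the original page: DKIM signing and verification
from first principles, stdlib only (RFC 6376 relaxed/relaxed, rsa-sha256) with
textbook RSA / PKCS#1 v1.5. The 512-bit key is a toy size so the demo runs
instantly; real DKIM keys are 1024 bits minimum and 2048 bits recommended."""
import base64
import hashlib
import random
import re

def relaxed_body(body: str) -> bytes:
    """RFC 6376 3.4.4: strip trailing WSP per line, squeeze WSP runs, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", l.rstrip(" \t")) for l in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def relaxed_header(name: str, value: str) -> bytes:
    """RFC 6376 3.4.2: lowercase name, unfold, squeeze WSP, trim, no space around the colon."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "").replace("\n", "")).strip()
    return f"{name.lower()}:{value}\r\n".encode()

def parse_tags(value: str) -> dict:
    """DKIM tag=value list; whitespace inside values (folded b=/bh=) is insignificant."""
    return {k.strip(): re.sub(r"\s+", "", v)
            for k, v in (p.split("=", 1) for p in value.split(";") if "=" in p)}

def signed_data(headers, signed_names, sig_value: str) -> bytes:
    """Bytes that get hashed and signed: each h= header (last instance if repeated, RFC 6376 5.4.2),
    then the DKIM-Signature header itself with b= emptied and no final CRLF."""
    data = b""
    for name in signed_names:
        data += relaxed_header(name, [v for k, v in headers if k.lower() == name.lower()][-1])
    stripped = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value)
    return data + relaxed_header("DKIM-Signature", stripped).rstrip(b"\r\n")

def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    d, r = n - 1, 0                                   # Miller-Rabin
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa(bits: int = 512, seed=None):
    """Return (n, e, d). Demo-only RSA; the seed makes the demo repeatable, never seed a real key."""
    rng, e = random.Random(seed), 65537
    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(digest: bytes, k: int) -> int:
    t = bytes.fromhex("3031300d060960864801650304020105000420") + digest   # DigestInfo(SHA-256)
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def dkim_sign(headers, body, domain, selector, signed_names, n, d) -> str:
    """Return the DKIM-Signature header value to add to the message."""
    k = (n.bit_length() + 7) // 8
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()
    sig_value = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
                 f"h={':'.join(signed_names)}; bh={bh}; b=")
    em = _emsa_pkcs1_v15(hashlib.sha256(signed_data(headers, signed_names, sig_value)).digest(), k)
    return sig_value + base64.b64encode(pow(em, d, n).to_bytes(k, "big")).decode()

def dkim_verify(headers, body, n, e) -> str:
    """What a receiver does after fetching the public key for {s=}._domainkey.{d=} from DNS."""
    sig_value = [v for k, v in headers if k.lower() == "dkim-signature"][-1]
    tags = parse_tags(sig_value)
    if tags["bh"] != base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode():
        return "fail (body hash mismatch)"                  # body changed after signing
    k = (n.bit_length() + 7) // 8
    em = _emsa_pkcs1_v15(hashlib.sha256(signed_data(headers, tags["h"].split(":"), sig_value)).digest(), k)
    s = int.from_bytes(base64.b64decode(tags["b"]), "big")
    return "pass" if pow(s, e, n) == em else "fail (bad signature)"   # signed header changed, or wrong key

SAMPLE_HEADERS = [("From", "Alice <alice@example.com>"), ("To", "bob@example.net"), ("Subject", "DKIM demo")]
SAMPLE_BODY = "Hello Bob,\r\n\r\nThis  is the signed body.   \r\n\r\n\r\n"   # constructed sample, not a real capture

def demo(seed=1):
    """Verify the original, the body with a footer appended, and a rewritten Subject."""
    n, e, d = generate_rsa(512, seed)
    sig = dkim_sign(SAMPLE_HEADERS, SAMPLE_BODY, "example.com", "default", ["from", "to", "subject"], n, d)
    signed = SAMPLE_HEADERS + [("DKIM-Signature", sig)]
    rewritten = [(k, "Urgent: verify your account" if k == "Subject" else v) for k, v in signed]
    return (dkim_verify(signed, SAMPLE_BODY, n, e),
            dkim_verify(signed, SAMPLE_BODY + "-- list footer\r\n", n, e),
            dkim_verify(rewritten, SAMPLE_BODY, n, e))
```

Calling demo() returns ('pass', 'fail (body hash mismatch)', 'fail (bad signature)'). The two failure modes are worth telling apart when you troubleshoot: a body hash mismatch means something changed the body after signing (a mailing-list footer, re-encoding by a gateway), while a bad signature with a matching body hash means a signed header changed or the verifier fetched a different key than the one that signed.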
Setting Up DKIM
Step 1: Generate Your DKIM Keys
Your hosting provider or mail server should provide tools to generate DKIM keys. If using cPanel:
- Log in to cPanel
- Navigate to Email Deliverability or Email Authentication
- Select your domain
- Click Generate or Create DKIM (exact name varies by provider)
- Choose a selector name (the default is often "default" or "selector1")
A selector allows you to use multiple DKIM keys for the same domain (useful for rotating keys).
Step 2: Copy Your Public Key
Your control panel will display a public key that looks like:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
This is your public key record. Copy the whole value, from v=DKIM1 through the end of the p= string. The base64 text after p= must be copied completely, with no line breaks or stray spaces; a single dropped or added character makes the key unusable, and 2048-bit keys are long enough that some control panels show them wrapped.
Step 3: Add the DKIM Record to DNS
1. Log in to your DNS provider (often your hosting control panel)
2. Navigate to DNS Records or Zone Management
3. Create a new TXT record
4. Use the hostname format: {selector}._domainkey.yourdomain.com
- If your selector is default, enter: default._domainkey.yourdomain.com
- If your selector is selector1, enter: selector1._domainkey.yourdomain.com
5. Paste the full public key value as the record content
6. Save the record
Example DNS entry:
| Type | Name | Value |
|------|------|-------|
| TXT | default._domainkey | v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC... |
Step 4: Enable DKIM on Your Mail Server
Return to your control panel and confirm the DKIM record is enabled for your domain. Most providers auto-enable it once the DNS record is detected.
Step 5: Verify Your DKIM Setup
After DNS propagation (usually within a few hours), verify your DKIM record:
nslookup -type=TXT default._domainkey.yourdomain.com
Or use an online DKIM checker tool.
To confirm that outgoing mail is actually being signed, send an email from your domain to a Gmail account. Open it, click the three-dot menu, select Show original, and look for dkim=pass in the Authentication-Results header (Gmail's summary shows it as DKIM: 'PASS'). Check that the domain listed next to it is yours: a pass for your provider's own domain means the message was signed with their key rather than yours, which does not give you DMARC alignment.
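A check for this step that needs no mail client, added here as an example rather than taken from the page: feed it the TXT strings nslookup printed and it reports whether the record is well-formed, whether the key is revoked or in testing mode, and how large the RSA key is. The record it runs on is constructed from a made-up 2048-bit number, not a real key, so the script runs offline; the DER encoder is there only to build that sample.

```python
"""Added example, not code from the original page: an offline sanity check of a
published DKIM record. It joins the TXT strings DNS returned, parses the tags,
decodes p= and reads the RSA key size from the DER SubjectPublicKeyInfo. The
sample record is built from a made-up 2048-bit modulus so the check runs
offline; it is not anyone's real key."""
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

def _der(tag: int, content: bytes) -> bytes:
    """One DER tag-length-value."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_int(x: int) -> bytes:
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)   # keep the INTEGER positive

def spki_from_rsa(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key: what the p= tag carries, base64-encoded."""
    pub = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + pub))

def _tlv(buf: bytes, pos: int = 0):
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - nbytes:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """Modulus size of an rsaEncryption SubjectPublicKeyInfo."""
    tag, body, _ = _tlv(spki)
    atag, alg, pos = _tlv(body)
    if tag != 0x30 or atag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bitstr, _ = _tlv(body, pos)
    _, pub, _ = _tlv(bitstr[1:])          # skip the BIT STRING's unused-bits byte
    _, modulus, _ = _tlv(pub)             # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt_strings) -> dict:
    """txt_strings: the quoted strings DNS returned for <selector>._domainkey.<domain>, in order.
    Records over 255 bytes come back as several strings; they join with no separator."""
    tags = {}
    for part in "".join(txt_strings).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    result = {"key_type": tags.get("k", "rsa"), "bits": None, "status": "ok", "problems": []}
    problems = result["problems"]
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append(f"unexpected version {tags['v']!r}")
    if result["key_type"] not in ("rsa", "ed25519"):
        problems.append(f"unknown key type {result['key_type']!r}")
    p = re.sub(r"\s+", "", tags.get("p", ""))     # folding whitespace inside the base64 is allowed
    if "p" not in tags:
        problems.append("no p= tag: not a usable DKIM key record")
    elif p == "":
        result["status"] = "revoked"               # empty p= means this selector's key is revoked
    else:
        try:
            der = base64.b64decode(p, validate=True)
            if result["key_type"] == "rsa":
                result["bits"] = rsa_modulus_bits(der)
        except (ValueError, IndexError):           # binascii.Error is a ValueError
            problems.append("p= is not a valid base64 RSA public key (truncated or corrupted copy?)")
        else:
            if result["bits"] is not None and result["bits"] < 1024:
                problems.append("RSA key under 1024 bits: verifiers must not accept it (RFC 8301)")
            elif result["bits"] is not None and result["bits"] < 2048:
                problems.append(f"{result['bits']}-bit RSA key: 2048 bits is the recommended size")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y (testing) is set: receivers treat DKIM failures as unsigned mail")
    if problems and result["status"] == "ok":
        result["status"] = "problem"
    return result

def record_for_rsa(n: int, e: int = 65537) -> str:
    """Build the TXT value you would publish for this public key."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_from_rsa(n, e)).decode()

def dns_strings(record: str):
    """Split a record the way DNS returns long TXT data: 255-byte strings."""
    return [record[i:i + 255] for i in range(0, len(record), 255)]

FAKE_MODULUS = (1 << 2047) | (1 << 1000) | 1      # constructed: any 2048-bit odd number exercises the parser
GOOD_RECORD = record_for_rsa(FAKE_MODULUS)

if __name__ == "__main__":
    print(check_dkim_record(dns_strings(GOOD_RECORD)))     # status ok, bits 2048
    print(check_dkim_record(["v=DKIM1; p="]))               # status revoked
    print(check_dkim_record([GOOD_RECORD[:-10]]))          # status problem: bad base64
```

To run it against your own record, paste the quoted strings from the nslookup output into check_dkim_record as a list, in the order they were printed. A 2048-bit key is longer than one 255-byte TXT string, so it comes back as two strings that must be joined; losing the second string, or a few characters at the join, is the most common way a hand-copied key ends up truncated.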
DKIM Best Practices
- Keep private keys secure: Only your signing mail server needs the private key. It never goes in DNS, and anyone who obtains it can send mail that passes DKIM for your domain until you revoke that selector.
- Use strong keys: Generate 2048-bit RSA keys. Verifiers must reject keys shorter than 1024 bits (RFC 8301), and 1024-bit keys are the weakest still accepted.
- Rotate keys periodically: Generate a new key pair at least every 1–2 years, and immediately if the private key may have been exposed. Publish the new key under a new selector (a date-based name works well), switch the signer to it, leave the old record in place until mail already in transit has been delivered, then revoke the old key by publishing its record with an empty p= value.
- Enable for all sending addresses: Both system emails and user-sent messages should be DKIM-signed, including mail sent on your behalf by third-party services.
- Monitor alignment: The domain in the signature's d= tag should match the domain in the From: header (or share its organizational domain, under relaxed DMARC alignment). A signature from some other domain still passes DKIM but does not satisfy DMARC.
Troubleshooting DKIM
DKIM shows "FAIL" — First check that the public key was copied completely and without extra spaces, and re-verify that the DNS record matches exactly. If the record is correct, the message was most likely modified after signing: mailing lists that add footers or rewrite subjects and gateways that re-encode the body are the usual causes. A body hash (bh=) mismatch points at the body; a signature (b=) failure with a matching body hash points at a signed header or at a key that does not match the published record.
DKIM not signing emails — Confirm DKIM is enabled in your mail server settings and the DNS record exists, and that the key on the server is the one whose public half is published (regenerating a key under the same selector leaves stale DNS data). Mail servers sometimes require a service restart.
"Selector not found" — Ensure the DNS hostname includes ._domainkey. between your selector and domain (e.g., selector1._domainkey.yourdomain.com).
Multiple DKIM records conflict — More than one TXT record published at the same name (for example two values at default._domainkey.yourdomain.com) makes the lookup ambiguous, and verifiers may fail the signature. Keep exactly one record per selector name; if you need several keys, give each its own selector.
DKIM and Subdomains
You can create separate DKIM records for subdomains:
- default._domainkey.mail.yourdomain.com — For emails from mail.yourdomain.com
- default._domainkey.noreply.yourdomain.com — For emails from noreply.yourdomain.com
This allows different sending systems to maintain separate key rotations.
Next Steps
Once DKIM is working, combine it with SPF and DMARC for the strongest email authentication. A DMARC policy tells receivers what to do with mail that fails both SPF and DKIM alignment (monitor, quarantine or reject) and sends you reports on who is sending as your domain, which is how you find the sending systems you forgot to sign.