How to Set Up DKIM for Your Domain
DKIM adds a cryptographic signature to every email you send, so receiving servers can confirm the message really came from your domain and was not altered in transit. Without it, your mail leans entirely on SPF, and major providers increasingly expect both. Setting up DKIM sounds intimidating because of the cryptography involved, but in practice your mail provider does all the hard math. Your job is just to flip a switch and copy one DNS record. Here is the whole process.
Step 1: Turn on DKIM at your mail provider
DKIM keys are generated by whoever sends your mail, not by you. So the first stop is your provider's admin area.
On Google Workspace: open the Admin console, go to Apps, then Google Workspace, then Gmail, then Authenticate email, select your domain, and click Generate new record. On Microsoft 365: open the Defender portal, go to Email authentication settings, choose DKIM, select your domain and enable signing (Microsoft will show you two CNAME records instead of one TXT record, which is normal). Newsletter and transactional tools like Mailchimp, Brevo or Postmark have a similar domain authentication page in their settings. Do this for every service that sends mail as your domain, since each one signs with its own key.
Step 2: Copy the selector and the key
Your provider will now show you a DNS record to publish. It has two parts you should recognize. The selector is a short name like google or selector1, and it becomes part of the record's host name, for example google._domainkey.yourdomain.com. The value is either a long TXT string starting with v=DKIM1 (that long jumble is the public key, and it is meant to look like that) or, for some providers, a pair of CNAME targets.
Copy both parts exactly as shown. A single missing character in the key breaks the signature check, so use the copy button if the dashboard offers one rather than selecting the text by hand.
Step 3: Add the record at your DNS host
Now publish the record wherever your DNS lives, usually your registrar. On Porkbun: log in, open Domain Management, click DNS next to your domain, choose TXT (or CNAME if your provider gave you CNAMEs) as the type, paste the host portion your provider gave you (for example google._domainkey) into the host field, paste the key into the answer field, and save. On Cloudflare: open your site, go to the DNS tab, click Add record, pick TXT or CNAME, enter the name and value, and save. If Cloudflare offers to proxy a CNAME record, set it to DNS only, since mail records must not be proxied.
One caution: if your DNS host quietly appends your domain to host names, entering google._domainkey.yourdomain.com in full can produce a broken doubled name. Enter just the part before your domain and check the preview.
Step 4: Verify and send a test
Go back to your mail provider's dashboard and click its verify or activate button. Google calls this Start authentication. If it fails, wait an hour, DNS can be slow to propagate, and try again before changing anything.
Then send a real test: email yourself at a mailbox you control, open the message's full headers, and look for dkim=pass. Once you see it, DKIM is live for that provider, and you can repeat the process for your other sending tools. To see how your whole domain stands, SPF, DKIM, DMARC, MX and blacklists together, Sieve's free grade tool at sievemails.com/grade gives you an A to F report with fixes in seconds.
Where does your domain stand?
Grade your MX, SPF, DKIM, DMARC and blacklist status A to F in seconds. No signup needed.
Frequently asked questions
What is a DKIM selector?
A selector is a short label, like google or s1, that tells receiving servers where to find your public key in DNS. It becomes part of the lookup name, for example s1._domainkey.yourdomain.com. Selectors let one domain hold several DKIM keys at once, so each sending service can sign with its own key without conflicting with the others.
Do I need a separate DKIM record for each email service I use?
Yes. Each service that sends mail as your domain signs messages with its own private key, so each one needs its own public key published in your DNS under its own selector. Multiple DKIM records coexist happily, unlike SPF where you must have exactly one record.
How do I check whether DKIM is working?
Send an email from your domain to a mailbox you control, open the message's full headers (in Gmail, use Show original), and look for dkim=pass in the authentication results. If you see dkim=fail or no DKIM result at all, the DNS record is missing, mistyped, or has not finished propagating yet.