high | 5 min read | Last updated May 22, 2026

How to Set Up DKIM for Your Domain

DKIM prevents email spoofing by adding a cryptographic signature to outgoing emails. Step-by-step setup guide for common email providers.

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to every outgoing email. Receiving mail servers use this signature to verify that the email genuinely came from your domain and has not been tampered with in transit.

DKIM is one of three email authentication standards every domain should have configured, together with SPF and DMARC.

Why does it matter?

Without DKIM:

  • Anyone can send emails that appear to come from your domain
  • Your legitimate emails are more likely to be marked as spam
  • You cannot fully implement DMARC (which requires DKIM or SPF alignment)
  • ISO 27001 and NIS2 auditors will flag it as a missing control

How DKIM works

  1. Your mail server signs each outgoing email with a private key
  2. You publish the corresponding public key as a DNS TXT record
  3. Receiving mail servers look up your public key and verify the signature
  4. If the signature is valid, the receiver knows the email was signed with your domain's key and was not altered after signing

How to set up DKIM

Step 1: Generate a DKIM key pair

Most email providers generate the key pair for you. Log in to your email provider and look for DKIM settings under:

  • Hostinger: Email → Manage → DNS / Email Authentication
  • Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate email
  • Microsoft 365: Admin Center → Settings → Domains → select domain → DNS records
  • Mailchimp / SendGrid / others: Settings → Sending Domains → Authenticate

Step 2: Add the DNS TXT record

Your provider will give you a TXT record like:

Name:   selector._domainkey.yourdomain.com
Type:   TXT
Value:  v=DKIM1; k=rsa; p=MIGfMA0GCSq...

Add this record in your DNS provider (Cloudflare, Route 53, your registrar, etc.).

Step 3: Wait for DNS propagation

DNS changes can take up to 48 hours to propagate, though they usually complete much faster (under an hour).

Step 4: Verify DKIM is working

Use a free tool like MXToolbox DKIM Lookup to verify the record is published correctly.

You can also send a test email to mail-tester.com, which checks DKIM, SPF, and DMARC together.

Common issues

Multiple DKIM records for the same selector

You can only have one TXT record per selector. If you need DKIM for multiple services (your mail server plus a newsletter tool), each service gets a different selector name.

DKIM record too long

Some DNS providers struggle with long TXT records. If you get errors, split the value into two quoted strings inside the same TXT record; resolvers join them back together when the record is read.
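Both record problems above (more than one TXT record at a selector, and a string that is too long for DNS) can be caught offline before you publish. The following Python is an added example, not code from SurfaceScan or any email provider; the function name lint_dkim and the sample records are hypothetical, and the checks also apply the standard DKIM key-record rules (v=DKIM1, k defaulting to rsa, an empty p= meaning a revoked key).

```python
import base64
import re

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one quoted string in TXT rdata

def lint_dkim(txt_records):
    """Lint the TXT records returned for one <selector>._domainkey name."""
    problems = []
    if len(txt_records) != 1:  # only one TXT record per selector
        problems.append(f"expected exactly 1 TXT record, found {len(txt_records)}")
    for rdata in txt_records:
        chunks = QUOTED.findall(rdata) or [rdata.strip()]
        if any(len(c) > 255 for c in chunks):  # DNS limit for a single string
            problems.append("quoted string longer than 255 characters")
        record = "".join(chunks)  # resolvers concatenate the strings
        tags = {}
        for item in filter(None, (p.strip() for p in record.split(";"))):
            name, _, value = item.partition("=")
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
        if tags.get("v", "DKIM1") != "DKIM1":
            problems.append("v= is not DKIM1")
        if tags.get("k", "rsa") not in ("rsa", "ed25519"):
            problems.append(f"unsupported key type k={tags['k']}")
        if "p" not in tags:
            problems.append("missing p= (public key)")
        elif not tags["p"]:
            problems.append("empty p= (key revoked)")
        else:
            try:
                base64.b64decode(tags["p"], validate=True)
            except ValueError:
                problems.append("p= is not valid base64")
    return problems

# Constructed sample data: KEY is filler bytes, not a real public key.
KEY = base64.b64encode(b"constructed-not-a-real-key" * 12).decode()
SPLIT_OK = f'"v=DKIM1; k=rsa; p={KEY[:200]}" "{KEY[200:]}"'
ONE_LONG = f'"v=DKIM1; k=rsa; p={KEY}"'

if __name__ == "__main__":
    for label, answer in [("split", [SPLIT_OK]), ("unsplit", [ONE_LONG]),
                          ("duplicate", [SPLIT_OK, SPLIT_OK])]:
        print(label, lint_dkim(answer) or "ok")
```

Pass it the TXT answers exactly as your DNS provider or a lookup tool displays them, quotes included.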

Private key mismatch

If you regenerate the key pair on your mail server, you must also update the DNS TXT record. Mismatched keys cause DKIM failures.

What to do next

Once DKIM is working, complete your email security setup:

  1. Configure SPF (Sender Policy Framework) -- tells servers which IPs can send for your domain
  2. Configure DMARC -- defines what receivers should do with emails that fail authentication

All three together provide the strongest protection against email spoofing.

How SurfaceScan helps

SurfaceScan checks DKIM configuration for every root domain in your scope on every scan. If DKIM is missing or misconfigured, it appears as a finding in the Email Security section with the specific domain and recommended fix.
