DKIM for Cloudflare DNS: Setup Guide

How to add DKIM records in Cloudflare's DNS dashboard. Covers TXT record creation, proxy vs DNS-only settings, long record handling, and Cloudflare Email Routing considerations.

Last updated: 2026-02-06

Cloudflare is widely used for DNS management, CDN, and security. If your domain's DNS is managed by Cloudflare, you'll add DKIM records through Cloudflare's dashboard. This guide covers the setup, including Cloudflare-specific details like proxy settings and Email Routing.

DKIM records are TXT (or sometimes CNAME) records in DNS. Cloudflare handles these well, but there's one critical rule: DKIM records must be DNS-only, never proxied.

Before You Start

You'll need:

  • A Cloudflare account with your domain added
  • Your domain's DNS managed by Cloudflare (nameservers pointing to Cloudflare)
  • The DKIM public key from your email provider or generated with DKIM Creator
  • The selector name your provider assigned

Adding a DKIM TXT Record in Cloudflare

  1. Log in to Cloudflare

     Go to dash.cloudflare.com and sign in. Select the domain you want to configure.

  2. Open DNS settings

     Click "DNS" in the left sidebar, then select "Records." This shows all your current DNS records.

  3. Add a new record

     Click "Add record." Select "TXT" as the record type.

  4. Enter the Name field

     Enter your selector followed by ._domainkey. For example:

       • google._domainkey for Google Workspace
       • s1._domainkey for SendGrid
       • selector1._domainkey for Microsoft 365 (though M365 uses CNAME)

     Cloudflare auto-appends your domain, so don't include it.

  5. Enter the Content

     Paste the full DKIM record value. This starts with v=DKIM1; k=rsa; p= followed by the base64-encoded public key.

  6. Set the TTL

     Set to "Auto" (default) or a specific value like 1 hour. Auto typically resolves to 5 minutes for paid plans or 5 minutes to 1 hour for free plans.

  7. Save the record

     Click "Save." The record is added immediately to Cloudflare's DNS.

Cloudflare DNS Record Format

Your DKIM TXT record should look like this in the dashboard:

| Field | Value |
|---|---|
| Type | TXT |
| Name | `selector._domainkey` |
| Content | `v=DKIM1; k=rsa; p=MIIBIjANBgkq...` |
| TTL | Auto |

Proxy vs. DNS-Only: Critical for DKIM

DKIM records must use "DNS only" mode (gray cloud icon). Never proxy DKIM records through Cloudflare. TXT records can't be proxied by default, so this mainly applies if you're adding CNAME-based DKIM records.

Cloudflare's proxy (orange cloud) is for HTTP/HTTPS traffic. DNS records used for email authentication must bypass the proxy:

  • TXT records: Can't be proxied. You're safe by default.
  • CNAME records (used by Microsoft 365, Mailchimp, etc.): Make sure the proxy toggle is set to "DNS only" (gray cloud). If proxied, the CNAME won't resolve correctly and DKIM will fail.

To check: Look at the Proxy status column in your DNS records. DKIM-related records should show a gray cloud, not an orange cloud.

Adding CNAME-Based DKIM Records

Some providers use CNAME records for DKIM. In Cloudflare:

  1. Add a CNAME record

     Click "Add record" and select "CNAME" as the type.

  2. Enter the Name

     Enter the selector hostname (e.g., selector1._domainkey for Microsoft 365).

  3. Enter the Target

     Paste the CNAME target from your email provider.

  4. Disable the proxy

     Make sure the Proxy status is set to "DNS only" (gray cloud). Click the orange cloud icon to toggle it off if needed.

  5. Save

     Click "Save." The record is active immediately.

Generate DKIM keys for Cloudflare

Create DKIM key pairs and get the exact TXT record to add in Cloudflare's DNS dashboard.

Handling Long TXT Records

2048-bit DKIM keys produce long TXT record values. Cloudflare handles this well:

  • No character limit issues: Cloudflare supports TXT records up to 2048 characters
  • Automatic splitting: If the value exceeds 255 characters (the DNS protocol limit per string), Cloudflare splits it into multiple strings automatically
  • Paste as one line: Enter the full value as a single string. Don't manually split it or add quotation marks.

If you see the value displayed with quotes in the dashboard (e.g., "v=DKIM1..." "...rest of key"), that's normal. Cloudflare is showing the underlying DNS format. It resolves correctly.

Pro tip

Cloudflare's DNS propagation is fast, typically under 5 minutes globally. You don't usually need to wait hours like with some other providers.

Cloudflare Email Routing and DKIM

Cloudflare Email Routing lets you forward emails from your domain to another inbox (like Gmail or Outlook). Here's how DKIM interacts with it:

Incoming Email

When Cloudflare Email Routing forwards incoming email to your destination inbox:

  • The original DKIM signature from the sender may break during forwarding (this is normal for forwarded email)
  • Cloudflare adds its own headers but doesn't re-sign with DKIM
  • ARC (Authenticated Received Chain) headers help preserve the authentication chain

Outgoing Email

Cloudflare Email Routing is primarily for receiving, not sending. If you need to send email from your domain:

  • Use an email service (Google Workspace, Microsoft 365, Fastmail, etc.) for sending
  • Configure DKIM through that sending service
  • Add the DKIM DNS records in Cloudflare as described above

DKIM Records for Email Routing

If you use Cloudflare Email Routing alongside a sending service:

  1. Add the DKIM records for your sending service (e.g., Google Workspace's google._domainkey TXT record)
  2. The Email Routing MX records and your DKIM records coexist without conflict
  3. DKIM only applies to outgoing email, so it doesn't affect Email Routing's forwarding

Verifying Your DKIM Record

  1. Check in Cloudflare

     The record should appear immediately in the DNS Records list after saving.

  2. Verify with a DNS lookup

     Cloudflare propagates fast. Check within minutes:

         dig TXT selector._domainkey.yourdomain.com +short

     You should see your DKIM value in the response.

  3. Activate in your email provider

     If your email provider requires activation (Google Workspace, Salesforce, etc.), return to their settings and enable DKIM signing.

  4. Send a test email

     Send an email to a Gmail address. Open it, click the three-dot menu, select "Show original," and check for dkim=pass.
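
The DNS lookup in step 2 and the 255-character splitting described under "Handling Long TXT Records" can be checked together. The following is an added example, not part of the original guide or of any provider's tooling: it rejoins the quoted strings that dig prints and checks the record's tags. The function names are illustrative, and the sample record is built from placeholder bytes rather than a real key.

```python
import base64
import binascii
import re

def split_txt(value, size=255):
    """Split a TXT value into the <=255-character strings DNS stores."""
    return [value[i:i + size] for i in range(0, len(value), size)]

def join_txt_strings(dig_line):
    """Rejoin the quoted strings of one `dig +short` TXT answer, adding no separator."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_line)
    # Some dig versions print ";" as "\;", so backslash escapes are undone here.
    return "".join(re.sub(r"\\(.)", r"\1", p) for p in parts) if parts else dig_line.strip()

def parse_tags(value):
    """Parse the semicolon-separated tag=value list of a DKIM key record."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def check_dkim_record(dig_line):
    """Return a list of problems; an empty list means the record looks usable."""
    value = join_txt_strings(dig_line)
    tags = parse_tags(value)
    problems = []
    if not value.startswith("v=DKIM1"):
        problems.append("value does not start with v=DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type in k=")
    key = "".join(tags.get("p", "").split())  # whitespace inside p= is ignored
    if "p" not in tags:
        problems.append("no p= tag")
    elif not key:
        problems.append("p= is empty (key revoked)")
    else:
        try:
            base64.b64decode(key, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64 (truncated or mangled paste?)")
    return problems

# Constructed sample: 294 placeholder bytes stand in for a 2048-bit RSA public key.
RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(294)).decode()
SAMPLE_DIG = " ".join('"%s"' % chunk for chunk in split_txt(RECORD))

if __name__ == "__main__":
    print([len(c) for c in split_txt(RECORD)], check_dkim_record(SAMPLE_DIG))
```

To use it on a live record, pass one line of real `dig ... +short` output to `check_dkim_record`. It only checks the record's format, so the test email in step 4 is still what confirms that signing works.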

Common Cloudflare DKIM Issues

CNAME record is proxied (orange cloud)

  • DKIM CNAME records must be DNS-only. Click the orange cloud to toggle to gray cloud (DNS only).
  • TXT records can't be proxied, so this only affects CNAME-based DKIM setups.

Record not resolving

  • Check that the Name field doesn't include your domain (Cloudflare appends it).
  • Verify the record exists with dig or an online DNS tool.
  • If you recently changed nameservers to Cloudflare, wait for nameserver propagation (up to 24 hours) before DNS records work.

Value looks split in the dashboard

  • Long TXT values showing with quotes and splits is normal. This is how DNS stores values longer than 255 characters.
  • The record resolves correctly despite the visual formatting.

Conflicting with Cloudflare Email Routing records

  • DKIM TXT records and Email Routing MX records don't conflict. They serve different purposes.
  • You can use both simultaneously.

Multiple DKIM Records in Cloudflare

Add as many DKIM records as you need for different email services:

| Service | Name | Type |
|---|---|---|
| Google Workspace | `google._domainkey` | TXT |
| Microsoft 365 | `selector1._domainkey` | CNAME (DNS only) |
| Microsoft 365 | `selector2._domainkey` | CNAME (DNS only) |
| SendGrid | `s1._domainkey` | CNAME (DNS only) |
| Mailgun | `smtp._domainkey` | TXT |

Each record uses a unique selector, so there's no conflict.
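
With several DKIM records in one zone, the issues listed above (a proxied CNAME, a Name field that included the domain, a TXT value in the wrong format, two records on one selector) can be audited in a single pass. The following is an added example, not Cloudflare's or this guide's own code. It assumes a list of records carrying the type, name, content and proxied fields, as returned when listing DNS records through Cloudflare's API; every record in the sample is constructed.

```python
from collections import Counter

# Constructed sample records; names, targets and key fragments are made up.
SAMPLE_RECORDS = [
    {"type": "TXT", "name": "google._domainkey.example.com",
     "content": '"v=DKIM1; k=rsa; p=MIIBIjANBgkq"', "proxied": False},
    {"type": "CNAME", "name": "selector1._domainkey.example.com",
     "content": "selector1.provider.example", "proxied": True},
    {"type": "CNAME", "name": "selector2._domainkey.example.com",
     "content": "selector2.provider.example", "proxied": False},
    {"type": "TXT", "name": "smtp._domainkey.example.com.example.com",
     "content": "v=DKIM1; k=rsa; p=MIIBIjANBgkq", "proxied": False},
    {"type": "TXT", "name": "s1._domainkey.example.com",
     "content": "k=rsa; MIIBIjANBgkq", "proxied": False},
    {"type": "A", "name": "www.example.com", "content": "192.0.2.10", "proxied": True},
]

def audit_dkim_records(records, zone):
    """Return (record name, problem) pairs for DKIM records that will not validate."""
    findings = []
    dkim = [r for r in records if "._domainkey." in r["name"].lower()]
    for r in dkim:
        name = r["name"].lower()
        # Orange cloud on a DKIM CNAME: the selector no longer resolves to the provider.
        if r["type"] == "CNAME" and r.get("proxied"):
            findings.append((name, "CNAME is proxied; set it to DNS only"))
        # The zone appended to a Name that already contained the domain.
        if name.endswith("." + zone + "." + zone):
            findings.append((name, "domain appears twice; Name field included the domain"))
        # TXT content may be stored with surrounding quotes, so strip them first.
        if r["type"] == "TXT" and not r["content"].lstrip('" ').startswith("v=DKIM1"):
            findings.append((name, "TXT content does not start with v=DKIM1"))
    # Each selector should carry exactly one record.
    for name, count in Counter(r["name"].lower() for r in dkim).items():
        if count > 1:
            findings.append((name, "more than one record at this selector"))
    return findings

if __name__ == "__main__":
    for name, problem in audit_dkim_records(SAMPLE_RECORDS, "example.com"):
        print(f"{name}: {problem}")
```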


DKIM Creator generates keys you can add to Cloudflare DNS in minutes.