DKIM for Transactional Email: Provider Setup Guide

Configure DKIM for transactional email services. Setup guides for SendGrid, Mailgun, Postmark, Amazon SES, and other API-based email providers.

Last updated: 2026-02-04

Transactional email providers send your password resets, order confirmations, and notifications. Proper DKIM setup helps these critical emails reach inboxes reliably.

Most transactional email services provide their own DKIM keys. Use DKIM Creator when you need custom keys, multiple domains, or specific security requirements.

Why DKIM Matters for Transactional Email

Transactional emails are time-sensitive. A password reset that lands in spam is worse than no email at all.

DKIM authentication:

  • Improves inbox placement rates
  • Builds sender reputation over time
  • Enables DMARC enforcement
  • Lets receivers detect spoofed copies of your transactional emails, and reject them once DMARC is enforced

Provider-Specific Setup

Amazon SES

Amazon SES supports two DKIM approaches:

Easy DKIM (Recommended)

SES generates and manages keys via CNAME records:

  1. Open the SES console
  2. Go to Verified Identities → Your Domain
  3. Click "Enable DKIM" under Authentication
  4. Add the three CNAME records SES provides

Bring Your Own DKIM (BYODKIM)

For custom keys generated with DKIM Creator:

  1. Generate a 2048-bit key pair
  2. In SES console, choose "Provide DKIM authentication token"
  3. Enter your selector and private key
  4. Add the public key TXT record to DNS

# AWS CLI example (this operation belongs to the SES v2 API, so the subcommand is sesv2)
aws sesv2 put-email-identity-dkim-signing-attributes \
  --email-identity yourdomain.com \
  --signing-attributes-origin EXTERNAL \
  --signing-attributes DomainSigningSelector=custom,DomainSigningPrivateKey=...

SendGrid

SendGrid uses automated DKIM with CNAME records, but supports custom configurations.

Standard Setup:

  1. Go to Settings → Sender Authentication
  2. Click "Authenticate Your Domain"
  3. Follow the wizard to add CNAME records

Custom Domain Keys:

| Field | Value |
|-------|-------|
| Host | `s1._domainkey` |
| Type | CNAME |
| Value | `s1.domainkey.uXXXX.wl.sendgrid.net` |

Repeat for s2._domainkey.

SendGrid's automated setup works well for most cases. Use DKIM Creator when you need keys for domains not managed through SendGrid's interface.

Mailgun

Mailgun automatically configures DKIM when you verify a domain:

  1. Add your domain in the Mailgun dashboard
  2. Mailgun provides DNS records including DKIM
  3. Add the TXT record at the specified hostname

Default selector: Mailgun uses selectors like k1._domainkey

Custom keys: Mailgun doesn't support BYODKIM—use their generated keys.

Postmark

Postmark generates DKIM keys when you add a Sender Signature:

  1. Go to Sender Signatures → Add Domain
  2. Postmark shows the required DNS records
  3. Add the DKIM TXT record

Selector format: Postmark uses date-based selectors like 20221107._domainkey

Mailjet

Mailjet provides DKIM keys during domain verification:

  1. Go to Account Settings → Senders & Domains
  2. Click "Validate" next to your domain
  3. Add the TXT record Mailjet provides

Selector: mailjet._domainkey

SparkPost

SparkPost uses DKIM by default for verified domains:

  1. Navigate to Sending Domains
  2. Click "Add Domain"
  3. Follow the verification process
  4. Add the provided TXT record

Selector: sparkpostmail._domainkey or custom

Multiple Transactional Services

If you use multiple services (e.g., SES for bulk, Postmark for critical), each needs its own DKIM selector:

| Service | Selector Example | Purpose |
|---------|------------------|---------|
| Amazon SES | `amazonses` | Bulk notifications |
| Postmark | `20221107` | Password resets |
| SendGrid | `s1`, `s2` | Marketing |

All selectors can coexist—receivers check the selector specified in each email's signature.

Verifying Your Setup

After configuring DNS records:

Check DNS propagation:

dig TXT selector._domainkey.yourdomain.com

Send a test email: Most providers have test email features. Alternatively, send to:

  • Gmail (check "Show Original" for headers)
  • mail-tester.com for detailed analysis

Look for this line in the headers:

Authentication-Results: dkim=pass header.d=yourdomain.com
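
Added example (not part of the original guide): a Python sketch that reads a message's headers, derives the DNS name a receiver queries for each DKIM-Signature (selector plus signing domain), and pairs it with the receiver's verdict and a simplified From-alignment check. The sample headers and the names mx.example.net and esp.example are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real message): two signatures, one per provider.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=yourdomain.com header.s=20221107;
 dkim=pass header.d=esp.example header.s=k1
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com;
 s=20221107; h=from:to:subject; bh=Zm9v; b=YmFy
DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=k1;
 h=from:to:subject; bh=Zm9v; b=YmFy
From: Support <support@yourdomain.com>
"""

def tag_list(value):
    """Parse a DKIM 'tag=value; ...' list, removing folding whitespace."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def receiver_verdicts(msg):
    """Map (header.d, header.s) to the dkim= result in Authentication-Results."""
    verdicts = {}
    for raw in msg.get_all("Authentication-Results", []):
        for clause in raw.split(";")[1:]:          # [0] is the authserv-id
            m = re.match(r"\s*dkim=(\w+)", clause)
            if m:
                props = dict(re.findall(r"header\.(\w)=(\S+)", clause))
                verdicts[(props.get("d"), props.get("s"))] = m.group(1)
    return verdicts

def report(raw_message):
    """Per signature: DNS name to query, receiver verdict, From alignment."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    verdicts = receiver_verdicts(msg)
    rows = []
    for raw in msg.get_all("DKIM-Signature", []):
        t = tag_list(raw)
        d, s = t["d"].lower(), t["s"]
        # Simplified alignment: same domain or parent/child. DMARC relaxed
        # alignment really compares organizational domains (Public Suffix List).
        aligned = (from_domain == d or from_domain.endswith("." + d)
                   or d.endswith("." + from_domain))
        rows.append({"query": f"{s}._domainkey.{d}", "aligned": aligned,
                     "result": verdicts.get((d, s), "none")})
    return rows

print(*report(SAMPLE), sep="\n")
```

The second row shows a signature that passes but is signed by the provider's domain: it authenticates the provider, not yourdomain.com, so it does not count toward DMARC for your From address.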

Troubleshooting

Emails still going to spam

  • DKIM alone doesn't guarantee inbox placement
  • Check SPF and DMARC are also configured
  • Review bounce messages for specific rejections
  • Warm up new sending domains gradually

DKIM signature not present

  • Confirm the domain shows as verified in the service dashboard
  • Check that DKIM signing is enabled (some services have toggles)
  • Confirm you're sending from the verified domain

"Public key not found" errors

  • DNS propagation may not be complete
  • Verify the selector matches what the service expects
  • Check for typos in the DNS record value

Best Practices

  1. Use the provider's keys when available — They handle rotation automatically
  2. Verify both sending and bounce domains — Some providers require both
  3. Monitor DMARC reports — They reveal authentication failures you might miss
  4. Document your selectors — Track which service uses which selector

Using a transactional email service without built-in DKIM? Generate your own keys.
