DKIM Setup Guide: Step-by-Step Configuration

Complete guide to setting up DKIM for your domain. Step-by-step instructions for generating keys, configuring your mail server, and publishing DNS records.

Last updated: 2026-02-06

Setting up DKIM involves three steps: generate a key pair, configure your mail server to sign emails, and publish the public key in DNS. This guide walks through each step.

DKIM Creator generates keys in your browser. No server-side processing, no accounts required.

Before You Start

You'll need:

  • DNS access for your domain (GoDaddy, Cloudflare, Namecheap, etc.)
  • Mail server access or admin access to your email provider
  • A selector name — a label for your key (e.g., default, mail, 2026q1)

Step 1: Generate Your DKIM Keys

1. Choose a selector

Your selector identifies which key to use. Common patterns:

  • default or mail for general use
  • 2026q1 for date-based rotation
  • google or sendgrid for service-specific keys

2. Choose your key size

  • 2048-bit (recommended) — Current security standard
  • 1024-bit — Only if your DNS provider has TXT record length limits

3. Generate the key pair

Use DKIM Creator to generate your keys. You'll receive:

  • A private key (PEM format) for your mail server
  • A public key DNS record for your domain's DNS


Step 2: Add the DNS Record

Add your public key as a TXT record in your domain's DNS:

| Field | Value |
|---|---|
| **Host/Name** | `selector._domainkey` (e.g., `mail._domainkey`) |
| **Type** | TXT |
| **Value** | The DNS record from DKIM Creator (starts with `v=DKIM1;`) |
| **TTL** | 3600 (1 hour) |

DNS Provider Examples

Cloudflare:

  1. Go to DNS → Records → Add Record
  2. Type: TXT, Name: selector._domainkey, Content: your record

GoDaddy:

  1. Go to DNS Management → Add Record
  2. Type: TXT, Host: selector._domainkey, Value: your record

Namecheap:

  1. Go to Advanced DNS → Add New Record
  2. Type: TXT, Host: selector._domainkey, Value: your record

DNS changes can take up to 48 hours to propagate, though most complete within 1-2 hours. Wait for propagation before testing.

Step 3: Configure Your Mail Server

How you install the private key depends on your email setup:

Google Workspace

  1. Go to Admin Console → Apps → Google Workspace → Gmail
  2. Click "Authenticate email" under your domain
  3. Google generates keys automatically — use their process

Microsoft 365

  1. Go to Microsoft Defender → Policies → Email authentication → DKIM
  2. Select your domain
  3. Enable DKIM signing (Microsoft provides keys)

Self-Hosted (Postfix + OpenDKIM)

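```bash
# Install OpenDKIM
sudo apt install opendkim opendkim-tools

# Copy your private key into a per-domain directory
sudo mkdir -p /etc/opendkim/keys/yourdomain.com
sudo cp mail.private /etc/opendkim/keys/yourdomain.com/

# Make the key readable only by the opendkim user the daemon runs as
sudo chown opendkim:opendkim /etc/opendkim/keys/yourdomain.com/mail.private
sudo chmod 600 /etc/opendkim/keys/yourdomain.com/mail.private

# Configure and restart
sudo systemctl restart opendkim
sudo systemctl restart postfix
```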

Transactional Email Services

Most services (SendGrid, Mailgun, SES) have their own DKIM setup process in their dashboard. They typically provide DNS records for you to add.

Step 4: Verify Your Setup

After DNS propagation, verify everything is working:

Check DNS Record

```bash
dig TXT selector._domainkey.yourdomain.com +short
```

You should see your public key record.
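To check the record more rigorously than by eye, this added example (not part of the original guide or of DKIM Creator) parses the `dig +short` output, rejoins the quoted chunks that long TXT records are split into, and reports the RSA key size found in `p=`. It assumes `p=` holds a base64 SubjectPublicKeyInfo; the function names are illustrative, and `constructed_p` builds a made-up sample key so the check can be run offline.

```python
# Added example: helper names are illustrative; the sample key is constructed.
import base64

def parse_tags(dig_output):
    """Drop the quotes dig puts around each TXT chunk, then split the tags."""
    record = dig_output.replace('"', "")
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def read_tlv(buf, pos):  # -> (value_start, value_end) of the DER element at pos
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return pos, pos + length

def rsa_modulus_bits(spki):
    """SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus size."""
    start, _ = read_tlv(spki, 0)                   # outer SEQUENCE
    _, alg_end = read_tlv(spki, start)             # AlgorithmIdentifier, skipped
    bits_start, _ = read_tlv(spki, alg_end)        # BIT STRING
    seq_start, _ = read_tlv(spki, bits_start + 1)  # +1 skips unused-bits byte
    n_start, n_end = read_tlv(spki, seq_start)     # INTEGER modulus
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()

def check_record(dig_output):
    """Return a list of problems; an empty list means the record looks sound."""
    tags = parse_tags(dig_output)
    problems = [] if tags.get("v", "DKIM1") == "DKIM1" else ["v= must be DKIM1"]
    if tags.get("k", "rsa") != "rsa":
        return problems + ["only k=rsa is handled by this check"]
    if not tags.get("p"):
        return problems + ["p= missing or empty (an empty p= marks a revoked key)"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return problems + ["p= is not base64-encoded DER"]
    weak = [f"{bits}-bit key, below the recommended 2048"] if bits < 2048 else []
    return problems + weak

def constructed_p(bits):
    """Constructed sample: DER around a made-up modulus, not a usable key."""
    def tlv(tag, body):
        size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        head = size if len(body) < 128 else bytes([0x80 | len(size)]) + size
        return bytes([tag]) + head + body
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    return base64.b64encode(tlv(0x30, alg + tlv(0x03, b"\x00" + key))).decode()
```

Pass the text printed by the `dig` command above to `check_record`; an empty list means the record parsed cleanly and carries a 2048-bit or larger RSA key.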

Send a Test Email

Send an email to a Gmail account and check the headers:

  1. Open the email in Gmail
  2. Click the three dots → "Show original"
  3. Look for dkim=pass in the Authentication-Results header

```
Authentication-Results: mx.google.com;
  dkim=pass header.d=yourdomain.com header.s=selector
```

Common Setup Mistakes

Wrong selector in DNS: The DNS hostname must match your selector exactly. If your selector is mail, the record goes at mail._domainkey.yourdomain.com.

Private key permissions: The private key file must be readable only by the mail server process. Use chmod 600 on Linux.

Forgetting the ._domainkey suffix: The hostname is selector._domainkey, not just the selector name.

Testing before DNS propagation: Wait at least 1-2 hours after adding the DNS record before testing.

Key mismatch: Make sure the private key on your server and the public key in DNS are from the same key pair.

After Setup

Once DKIM is working:

  1. Set up SPF — Authorize your sending servers
  2. Set up DMARC — Add a policy that uses DKIM results
  3. Monitor — Check DMARC reports for authentication failures
  4. Plan rotation — Schedule regular key rotation (annually is common)

Ready to set up DKIM? Start by generating your keys.
