How to Set Up DKIM: Step-by-Step Guides for Every Email Provider

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send, allowing receiving servers to verify that the message was not altered in transit and genuinely came from your domain. Without DKIM, your emails are more likely to be flagged as spam or rejected entirely.

March 2026 · 14 min read

Before you start

Before setting up DKIM for any provider, make sure you have:

  • DNS access. You need the ability to add TXT or CNAME records in your domain's DNS zone. This is usually managed through your domain registrar (such as Cloudflare, GoDaddy, or Namecheap) or your hosting provider's control panel.
  • Admin access to your email provider. Each provider generates or provides the DKIM key through its admin console. You will need an administrator account to access these settings.

If you are new to email authentication, read our guide on SPF vs DKIM vs DMARC first to understand how these protocols work together.

Google Workspace

Selector: google (or google2048 for 2048-bit)
Record type: TXT
  1. Open the Google Admin console and navigate to Apps > Google Workspace > Gmail > Authenticate email.
  2. Select your domain.
  3. Click Generate new record.
  4. Choose 2048-bit key length (recommended).
  5. Copy the generated public key value.
  6. Log in to your DNS provider and add a TXT record at google._domainkey.yourdomain.com.
  7. Return to the Google Admin console and click Start authentication.

DNS record example:

Host: google._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...

Note: Google generates the key pair for you. You only need to publish the public key in DNS. The private key is managed entirely by Google.

Microsoft 365

Selectors: selector1, selector2
Record type: CNAME (not TXT)
  1. Go to Microsoft 365 Defender at security.microsoft.com.
  2. Navigate to Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM.
  3. Select your domain.
  4. Add the two CNAME records shown below in your DNS.
  5. Return to the portal and click Enable.

DNS record examples:

Host: selector1._domainkey.yourdomain.com
Type: CNAME
Value: selector1-yourdomain-com._domainkey.youronmicrosoftdomain.onmicrosoft.com

Host: selector2._domainkey.yourdomain.com
Type: CNAME
Value: selector2-yourdomain-com._domainkey.youronmicrosoftdomain.onmicrosoft.com

Note: Microsoft 365 requires two CNAME records. Microsoft manages key rotation automatically via CNAME delegation, so you never need to update these records manually once they are in place.

Zoho Mail

Selector: zmail
Record type: TXT
  1. Log in to the Zoho Mail Admin console at mailadmin.zoho.com.
  2. Navigate to Domains > Email configuration > DKIM.
  3. Click Add and set the selector name.
  4. Copy the generated public key value.
  5. Add a TXT record in your DNS at zmail._domainkey.yourdomain.com.
  6. Return to Zoho and click Verify.

Host: zmail._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...

Mailchimp

Selectors: k1, k2
Record type: CNAME
  1. Go to Account > Domains.
  2. Click Authenticate next to your domain.
  3. Mailchimp will display two CNAME records to add to your DNS.
  4. Add both CNAME records in your DNS provider.
  5. Return to Mailchimp and click Verify.

Host: k1._domainkey.yourdomain.com
Type: CNAME
Value: dkim.mcsv.net

Host: k2._domainkey.yourdomain.com
Type: CNAME
Value: dkim2.mcsv.net

SendGrid

Selectors: s1, s2
Record type: CNAME
  1. Log in to SendGrid and go to Settings > Sender Authentication.
  2. Click Authenticate Your Domain.
  3. Follow the wizard to select your DNS host and enter your domain.
  4. SendGrid will provide two CNAME records to add to your DNS.
  5. Add both CNAME records in your DNS provider.
  6. Return to SendGrid and click Verify.

Host: s1._domainkey.yourdomain.com
Type: CNAME
Value: s1.domainkey.u12345.wl.sendgrid.net

Host: s2._domainkey.yourdomain.com
Type: CNAME
Value: s2.domainkey.u12345.wl.sendgrid.net

Tip: The exact CNAME values will be unique to your SendGrid account. Always copy them directly from the SendGrid wizard rather than using the example values above.

HubSpot

Selectors: hs1, hs2
Record type: CNAME
  1. In HubSpot, go to Settings > Marketing > Email > Configuration.
  2. Click Connect a sending domain.
  3. Enter your domain name.
  4. HubSpot will display two CNAME records to add to your DNS.
  5. Add both CNAME records in your DNS provider.
  6. Return to HubSpot and click Verify.

Host: hs1._domainkey.yourdomain.com
Type: CNAME
Value: yourdomain-com.hs01a.dkim.hubspot.net

Host: hs2._domainkey.yourdomain.com
Type: CNAME
Value: yourdomain-com.hs01b.dkim.hubspot.net

Amazon SES

Selectors: Three auto-generated selectors
Record type: CNAME (Easy DKIM)
  1. Open the Amazon SES console and navigate to Identities.
  2. Select your domain (or add a new one).
  3. Under Authentication, enable Easy DKIM and select RSA 2048-bit.
  4. SES will generate three CNAME records.
  5. Add all three CNAME records to your DNS.
  6. SES will auto-detect the records and begin signing emails.

Host: abcdef1234._domainkey.yourdomain.com
Type: CNAME
Value: abcdef1234.dkim.amazonses.com

Host: ghijkl5678._domainkey.yourdomain.com
Type: CNAME
Value: ghijkl5678.dkim.amazonses.com

Host: mnopqr9012._domainkey.yourdomain.com
Type: CNAME
Value: mnopqr9012.dkim.amazonses.com

Note: If a third-party app sends email via SES (many SaaS tools use SES under the hood), configure DKIM in that app's settings instead. The app should provide its own DKIM records to publish.

Postmark

Selector: pm
Record type: TXT
  1. In Postmark, go to Sender Signatures and select your domain.
  2. Copy the DKIM TXT record value provided.
  3. Add the TXT record to your DNS at pm._domainkey.yourdomain.com.
  4. Return to Postmark and click Verify.

Host: pm._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ...

Mailgun

Selector: mailgun
Record type: TXT
  1. Log in to Mailgun and go to Sending > Domain Settings.
  2. Select your domain.
  3. Copy the DKIM record value displayed on the page.
  4. Add the TXT record to your DNS at mailgun._domainkey.yourdomain.com.
  5. Return to Mailgun and click Verify DNS Settings.

Host: mailgun._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...

Brevo (Sendinblue)

Selector: brevo
Record type: TXT
  1. In Brevo, go to Senders & Domains > Domains.
  2. Click Add a domain and enter your domain name.
  3. Copy the DKIM TXT record value provided.
  4. Add the TXT record to your DNS at brevo._domainkey.yourdomain.com.
  5. Return to Brevo and click Authenticate.

Host: brevo._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...

How to verify DKIM is working

After publishing your DKIM record, you should verify it is working correctly. Here are two reliable methods:

  1. Use our DMARC Checker. Enter your domain in the DMARC Checker to confirm that a valid DKIM record exists and is correctly formatted. The tool checks your DNS for known selectors and reports any issues.
  2. Send a test email and inspect the headers. Send an email from your domain to a Gmail or Outlook account. Open the message, view the full headers, and look for dkim=pass in the Authentication-Results header. If you see dkim=fail or no DKIM result at all, check the troubleshooting section below.

You can also use our DKIM Generator to look up an existing DKIM record by selector and domain, which helps confirm the record is published and reachable.
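
The header check from method 2 can be scripted. The following is an added example, not part of the original guide or any provider's tooling: it parses an Authentication-Results header and reports whether a dkim=pass result actually belongs to your domain and expected selector, since a message sent through a third-party service can carry a passing signature for the provider's domain while yours fails. The sample header, host names and selectors are constructed, and treating a subdomain as a match assumes you pass your organisational domain.

```python
import re

def dkim_results(header):
    """Return one dict per dkim= result in an Authentication-Results header."""
    text = re.sub(r"\r?\n[ \t]+", " ", header)            # unfold continuation lines
    text = re.sub(r"^Authentication-Results:", "", text, flags=re.I)
    text = re.sub(r"\([^()]*\)", " ", text)               # drop (comments)
    results = []
    for clause in text.split(";"):
        m = re.match(r"\s*dkim=(\w+)", clause)
        if not m:
            continue
        props = dict(re.findall(r"header\.([a-z])=(\S+)", clause))
        # Receivers report the signing domain as header.d or as header.i=@domain.
        domain = props.get("d") or props.get("i", "").rpartition("@")[2]
        results.append({"result": m.group(1).lower(),
                        "domain": domain.lower(),
                        "selector": props.get("s")})
    return results

def signed_by(header, domain, selector=None):
    """True only if a dkim=pass result is for `domain` or one of its subdomains."""
    domain = domain.lower()
    for r in dkim_results(header):
        ours = r["domain"] == domain or r["domain"].endswith("." + domain)
        if r["result"] == "pass" and ours and selector in (None, r["selector"]):
            return True
    return False

# Constructed sample: the provider's own signature passes, the one for
# yourdomain.com fails. Host names, selectors and b= values are made up.
SAMPLE_HEADER = (
    "Authentication-Results: mx.receiver.example;\r\n"
    "  dkim=pass header.i=@provider.example header.s=s1 header.b=AbCd1234;\r\n"
    "  dkim=fail (body hash did not verify) header.i=@yourdomain.com"
    " header.s=google header.b=Zz98;\r\n"
    "  spf=pass smtp.mailfrom=bounce.provider.example"
)
```

For the sample, `signed_by(SAMPLE_HEADER, "yourdomain.com")` is false even though the header contains dkim=pass, which is the case a quick visual check of the headers tends to miss.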

Common DKIM issues and fixes

  • DKIM record not found after publishing. DNS changes can take up to 48 hours to propagate. If your provider shows the record is not detected, wait and try again. You can reduce wait time by lowering the TTL before making changes.
  • Selector mismatch. If the selector name in your DNS does not match the one your provider uses when signing, receiving servers will not find the public key. Double-check the exact selector name (for example, google for Google Workspace, selector1 for Microsoft 365).
  • Key too long for a single TXT record. Some DNS providers have a 255-character limit per string within a TXT record. If your 2048-bit key exceeds this, you may need to split the value into multiple quoted strings. Most modern DNS providers handle this automatically, but if your record fails validation, check whether your provider requires manual splitting.
  • Testing mode still enabled (t=y). Some providers publish the DKIM record with t=y initially, which indicates testing mode. While most receivers will still validate the signature, some may treat it differently. Remove the t=y flag once you have confirmed DKIM is passing in production.
  • Weak 1024-bit key. While 1024-bit keys still work, they are considered weak by modern standards. If your provider supports it, upgrade to a 2048-bit key for stronger security. Google Workspace, Amazon SES, and most major providers support 2048-bit keys.
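
Three of the issues above (the 255-character string limit, a leftover t=y flag, and a 1024-bit key) can be checked directly from the published TXT value. This is an added example, not code from the original guide: it re-joins split quoted strings, parses the tags, and reads the RSA modulus size out of the p= value with a minimal DER walk. The sample record is constructed around a dummy modulus and is not a usable key.

```python
import base64
import re

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(spki):
    """Modulus size in bits of a DER SubjectPublicKeyInfo holding an RSA key."""
    _, seq, _ = _tlv(spki, 0)           # outer SEQUENCE
    _, _, alg_end = _tlv(spki, seq)     # AlgorithmIdentifier (skipped)
    _, bits, _ = _tlv(spki, alg_end)    # BIT STRING wrapping RSAPublicKey
    _, rsa, _ = _tlv(spki, bits + 1)    # +1 skips the unused-bits byte
    _, n0, n1 = _tlv(spki, rsa)         # INTEGER modulus
    return int.from_bytes(spki[n0:n1], "big").bit_length()

def audit_dkim_record(txt):
    """Return (tags, findings) for a DKIM TXT value as published in DNS."""
    strings = re.findall(r'"([^"]*)"', txt) or [txt]
    tags = {}
    for item in "".join(strings).split(";"):  # quoted strings are concatenated
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    findings = []
    if any(len(s) > 255 for s in strings):
        findings.append("string over 255 characters: split into quoted strings")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag still set")
    if not tags.get("p"):
        findings.append("p= missing or empty")
    elif tags.get("k", "rsa") == "rsa":
        size = rsa_bits(base64.b64decode(tags["p"]))
        if size < 2048:
            findings.append(f"{size}-bit RSA key: upgrade to 2048-bit")
    return tags, findings

# Constructed sample: the DER framing of a 1024-bit RSA key around a dummy
# modulus (0xc3 repeated), published with the testing flag. Not a usable key.
SAMPLE_P = base64.b64encode(bytes.fromhex(
    "30819f300d06092a864886f70d010101050003818d0030818902818100"
    + "c3" * 128 + "0203010001")).decode()
SAMPLE_RECORD = f'"v=DKIM1; k=rsa; t=y; p={SAMPLE_P}"'
```

`audit_dkim_record(SAMPLE_RECORD)` returns the parsed tags together with two findings, one for the testing flag and one for the 1024-bit key.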

Frequently asked questions

Do I need DKIM if I already have SPF?

Yes. SPF and DKIM serve different purposes. SPF validates the sending server's IP address, while DKIM verifies the message content has not been tampered with. DMARC requires at least one of them to pass with alignment, but having both provides stronger protection, especially for forwarded emails where SPF often breaks.

Can I have multiple DKIM selectors?

Yes. In fact, most organisations have multiple DKIM selectors because each email provider uses its own. For example, you might have google for Google Workspace, s1 for SendGrid, and k1 for Mailchimp, all on the same domain. Each selector is independent.

How often should I rotate DKIM keys?

Best practice is to rotate DKIM keys every six to twelve months. Some providers (like Microsoft 365 with CNAME delegation) handle rotation automatically. For providers that use TXT records, you will need to generate a new key pair and update the DNS record manually. Always ensure the new record is propagated before disabling the old key.

What is the difference between CNAME and TXT DKIM records?

Both methods achieve the same goal of publishing a DKIM public key in DNS. A TXT record contains the key directly, while a CNAME record points to the provider's DNS where the key is hosted. CNAME delegation is common with providers like Microsoft 365, SendGrid, and Mailchimp because it allows the provider to manage key rotation without you needing to update your DNS.

Does DKIM work with subdomains?

Yes. DKIM is tied to the specific domain or subdomain used in the d= tag of the signature. If your provider signs with d=mail.yourdomain.com, the DKIM record must be published under that subdomain (for example, selector._domainkey.mail.yourdomain.com). With relaxed DMARC alignment, a DKIM signature on a subdomain can still align with the parent domain.

Related tools

  • DKIM Generator - Build and validate DKIM DNS records for any provider.
  • DMARC Checker - Verify your domain's SPF, DKIM, and DMARC records in one scan.
  • DNS Lookup - Query your domain's TXT records to confirm DKIM selectors are published.
  • Email Header Analyser - Paste a test email's headers to verify DKIM signing is passing end-to-end.

Need ongoing DKIM monitoring?

Publishing a DKIM record is only the first step. Keys can expire, selectors can be misconfigured, and new sending services can be added without proper DKIM setup. ShieldMarc continuously monitors your DKIM records alongside SPF and DMARC, and alerts you when something needs attention. Create a free account and start monitoring your first domain in under two minutes.