DKIM Setup Guide: Authenticate Your Emails in 5 Steps

Published April 2026 · DNS Record Fixer

DKIM (DomainKeys Identified Mail) is an email authentication method that adds a cryptographic digital signature to every email you send. This signature proves the email genuinely came from your domain and hasn't been tampered with in transit. Without DKIM, inbox providers like Gmail and Outlook have no cryptographic way to verify your emails are legitimate.

Why DKIM Is Essential

SPF tells receiving servers which IP addresses are allowed to send from your domain. DKIM goes further — it cryptographically signs each email so the receiving server can verify the content hasn't changed and the email genuinely originated from your mail system. Together with DMARC, DKIM is required for full email authentication compliance.

How DKIM Works

Your mail server generates a public/private key pair. The private key stays on your mail server and is used to sign outgoing emails. The public key is published as a DNS TXT record under a 'selector' subdomain. When a receiving server gets an email, it looks up the public key in DNS and uses it to verify the signature. If the signature checks out, DKIM passes.

Step 1: Get Your DKIM Keys from Your Email Provider

The method varies by provider. In Google Workspace: Admin Console → Apps → Gmail → Authenticate Email → Generate new record. In Microsoft 365: Admin Center → Settings → Domains → your domain → manage DNS → DKIM. For Mailchimp, Mailgun, SendGrid and similar services, the DKIM keys are generated in your account settings under domain authentication.

Step 2: Publish the DKIM Public Key in DNS

Your email provider will give you a TXT record to add to your DNS. It will look something like: selector._domainkey.yourdomain.com with a value starting 'v=DKIM1; k=rsa; p=...'. Add this exactly as provided to your DNS zone. The 'selector' is a label (often 'google', 'selector1' or 'dkim') that tells the receiving server which key to use.

Step 3: Wait for DNS Propagation

DNS changes can take anywhere from a few minutes to 48 hours to propagate globally. With a low TTL (300 seconds or less), most changes take effect within 5–10 minutes. You can check propagation at dnschecker.org.

Step 4: Enable DKIM Signing in Your Mail System

Publishing the DNS record is only half the job. You also need to enable DKIM signing in your email platform. In Google Workspace, go back to the DKIM setup page and click 'Start Authentication'. In Microsoft 365, toggle DKIM signing to 'Enabled' for your domain.

Step 5: Verify DKIM Is Working

Send a test email to a Gmail account and view the original message (three dots → Show Original). Look for 'dkim=pass' in the authentication results. You can also use our free DNS scanner — it tries 13 common DKIM selectors and shows whether DKIM is present and passing.

If your DKIM setup is failing or you're unsure which selector your provider uses, our Quick Fix plan resolves DKIM issues within 24 hours. We check your specific email platform setup and get the keys published and verified correctly.

Need Help Implementing This?

Our UK-based experts can handle every fix for you. Fast turnaround, plain English report.

Book a Fix — From £49