DKIM Setup
DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify that email messages were sent by authorized servers and haven't been modified in transit. Proper DKIM configuration is essential for DMARC compliance and email deliverability.
What is DKIM?
DKIM is an email authentication method that adds a digital signature to outgoing messages. The sending server signs the message with a private key, and the signature is included in the email headers. Receiving servers use the public key (published in your DNS) to verify the signature.
This proves the message came from an authorized server and wasn't altered after signing. Unlike SPF, which only checks the sending server IP, DKIM cryptographically ties the message content to your domain.
How DKIM Works
- Key Generation: Create a public/private key pair for your domain
- DNS Publication: Publish the public key as a TXT record in your DNS
- Message Signing: Your mail server signs outgoing messages with the private key
- Verification: Receiving servers retrieve the public key from DNS and verify the signature
- Result: DKIM passes if the signature is valid and the keys match
DKIM Alignment for DMARC
For DMARC to pass via DKIM, the domain in the DKIM signature (the d= value) must align with the domain in the visible From header. Like SPF, DKIM alignment can be:
- Strict: Exact domain match required
- Relaxed: Organizational domain match allowed (subdomains count)
DKIM alignment is often more reliable than SPF alignment because you control the signing domain. Third-party services like Mailchimp or SendGrid can sign with your domain if you configure custom DKIM keys.
This is why proper DKIM setup is critical — even if SPF alignment fails due to Return-Path issues, DKIM alignment can ensure DMARC passes.
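The following is an added example, not code from the original page or from CCMS: it parses a DKIM-Signature header, pulls the d= domain and the visible From domain, and reports whether they align under the strict and relaxed modes described above. The PUBLIC_SUFFIXES table is a tiny constructed stand-in for the Public Suffix List that real verifiers use, and the sample headers (with placeholder bh= and b= values) are constructed for the example.

```python
import re

# Simplified stand-in for the Public Suffix List that real DMARC verifiers use to find the
# organizational domain. Constructed for this example; extend it for your own domains.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def organizational_domain(domain: str) -> str:
    """Registrable domain used by relaxed alignment, e.g. mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])  # one label above the public suffix
    return ".".join(labels)

def parse_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def from_domain(from_header: str) -> str:
    """Domain of the visible From address, e.g. 'Alice <alice@example.com>' -> example.com."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not match:
        raise ValueError("no address found in From header")
    return match.group(1).lower()

def dkim_alignment(dkim_signature: str, from_header: str) -> dict:
    """Evaluate strict and relaxed DMARC alignment of a signature's d= domain against From."""
    d = parse_tags(dkim_signature).get("d", "").lower()
    f = from_domain(from_header)
    if not d:
        return {"d": None, "strict": False, "relaxed": False}
    return {
        "d": d,
        "strict": d == f,
        "relaxed": organizational_domain(d) == organizational_domain(f),
    }

# Constructed sample headers (bh= and b= are placeholders, not real hashes or signatures).
FROM_HEADER = "Alice <alice@example.com>"
SIG_EXACT = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google;\n"
             "\th=from:to:subject:date; bh=BODYHASH; b=SIGNATURE")
SIG_SUBDOMAIN = "v=1; a=rsa-sha256; d=mail.example.com; s=s1; h=from:to:subject; bh=BODYHASH; b=SIGNATURE"
SIG_THIRD_PARTY = "v=1; a=rsa-sha256; d=esp.example.net; s=k1; h=from:to:subject; bh=BODYHASH; b=SIGNATURE"

if __name__ == "__main__":
    for label, sig in [("own domain", SIG_EXACT), ("subdomain", SIG_SUBDOMAIN), ("ESP's domain", SIG_THIRD_PARTY)]:
        print(label, dkim_alignment(sig, FROM_HEADER))
```

The third sample is the case the text warns about: the ESP's signature verifies, but because d= is the ESP's own domain it aligns in neither mode, so DMARC cannot pass via DKIM until the service is configured to sign with a selector under your domain.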
Setting Up DKIM
The setup process varies by email provider, but generally follows these steps:
- Generate keys in your email service's admin console
- Copy the DNS record provided by your service (usually a CNAME or TXT record)
- Add the record to your domain's DNS
- Wait for DNS propagation (can take up to 48 hours)
- Verify the setup in your email service and test by sending messages
DKIM Record Format
DKIM public keys are published as TXT records at a specific selector subdomain:
selector._domainkey.example.com
The selector (like "google" or "s1") identifies which key to use. Organizations can have multiple selectors for different sending services.
Example DKIM record value:
v=DKIM1; k=rsa; p=MIGfMA0GCSq...
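As an added example (not code from the page or from CCMS), the checker below builds the selector hostname, parses a published DKIM TXT record into its tags, and flags the problems a practitioner looks for when the record is fetched with dig: a missing or empty p= tag (an empty p= means the key was revoked), an unsupported key type, a t=y testing flag, or an RSA key that decodes to fewer bytes than a 2048-bit key. The key values are constructed placeholders of the right length, not real keys, and the 162/294-byte figures are the DER sizes of 1024-bit and 2048-bit RSA SubjectPublicKeyInfo structures.

```python
import base64
import binascii
import re

def dkim_record_name(selector: str, domain: str) -> str:
    """Hostname at which a selector's public key is published: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}".lower().rstrip(".")

def join_txt_strings(txt: str) -> str:
    """Join the quoted character-strings a long TXT record is split into (the form dig prints)."""
    if '"' not in txt:
        return txt.strip()
    return "".join(re.findall(r'"([^"]*)"', txt))

def parse_dkim_record(txt: str) -> dict:
    """Split a DKIM TXT record into its tag=value pairs."""
    tags = {}
    for part in join_txt_strings(txt).split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def check_dkim_record(txt: str) -> list:
    """Return the problems found in a published DKIM record; an empty list means it looks usable."""
    problems = []
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must read DKIM1 when present
        problems.append("v tag must be DKIM1")
    key_type = tags.get("k", "rsa")         # k= defaults to rsa
    if key_type not in ("rsa", "ed25519"):
        problems.append("unsupported key type k=" + key_type)
    if "p" not in tags:
        problems.append("missing p tag (no public key published)")
    elif tags["p"] == "":
        problems.append("empty p tag: the key has been revoked")
    else:
        try:
            key_bytes = base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p tag is not valid base64")
        else:
            # Length heuristic: a DER-encoded 1024-bit RSA SubjectPublicKeyInfo is 162 bytes,
            # a 2048-bit one is 294 bytes. Keys shorter than 2048 bits are considered weak today.
            if key_type == "rsa" and len(key_bytes) < 294:
                problems.append("RSA key appears shorter than 2048 bits")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y testing flag set: verifiers may treat failures as neutral")
    return problems

# Constructed sample values (not real keys): base64 of placeholder bytes with the length a
# real 2048-bit and 1024-bit RSA public key would have after DER encoding.
PLACEHOLDER_KEY_2048 = base64.b64encode(bytes(294)).decode()
PLACEHOLDER_KEY_1024 = base64.b64encode(bytes(162)).decode()

GOOD_RECORD = f"v=DKIM1; k=rsa; p={PLACEHOLDER_KEY_2048}"
DIG_STYLE_RECORD = f'"v=DKIM1; k=rsa; " "p={PLACEHOLDER_KEY_1024}"'  # dig splits long TXT values
REVOKED_RECORD = "v=DKIM1; k=rsa; p="
TESTING_RECORD = f"v=DKIM1; t=y; p={PLACEHOLDER_KEY_2048}"

if __name__ == "__main__":
    print(dkim_record_name("google", "example.com"))
    for name, rec in [("good", GOOD_RECORD), ("dig-style", DIG_STYLE_RECORD),
                      ("revoked", REVOKED_RECORD), ("testing", TESTING_RECORD)]:
        print(name, "->", check_dkim_record(rec) or "no problems")
```

To check a live record, paste the TXT value that dig returns for the selector hostname into check_dkim_record; the quoted-string joining handles the way dig breaks long keys across several strings.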
Common DKIM Failures
- DNS record not found: Record not published or wrong selector name
- Key mismatch: DNS has old or wrong public key
- Signature expired: DKIM signatures have expiration times
- Body hash mismatch: Message was modified after signing (often by forwarding or mailing lists)
- Third-party signing with their domain: Service signs with their domain, not yours, causing alignment failure
Troubleshooting DKIM
- Verify DNS records: Use dig or online tools to confirm the record is published correctly
- Check selector names: Ensure the selector in DNS matches what the service is using
- Test with email tools: Send test messages and check headers for DKIM results
- Review DMARC reports: Reports show DKIM pass/fail rates per sending source
- Contact your provider: They may need to enable custom DKIM signing
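The "Review DMARC reports" step above is where most alignment problems become visible. As an added example (not code from the page or from CCMS), the script below reads a DMARC aggregate report in the RFC 7489 XML layout, totals the aligned DKIM pass count per sending IP, and maps each source onto the failure categories listed under Common DKIM Failures. The embedded report is constructed for the example (documentation IP ranges and example domains); the relaxed_aligned helper is a deliberate simplification that treats any subdomain of the From domain as aligned.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed minimal DMARC aggregate report in the RFC 7489 XML layout (not a real report).
# The two records for 198.51.100.7 model an ESP that signs with its own domain and a
# signature that did not verify.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>constructed-report-1</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example.net</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>k1</selector><result>fail</result></dkim>
    </auth_results>
  </record>
</feedback>
"""

def summarize_dkim(report_xml: str) -> dict:
    """Per source IP: message count, count that passed *aligned* DKIM (policy_evaluated/dkim),
    and the raw verifier results (auth_results/dkim) as (d= domain, selector, result) tuples."""
    root = ET.fromstring(report_xml)
    summary = defaultdict(lambda: {"total": 0, "aligned_pass": 0, "signatures": set()})
    for record in root.findall("record"):
        row = record.find("row")
        entry = summary[row.findtext("source_ip")]
        count = int(row.findtext("count"))
        entry["total"] += count
        if row.findtext("policy_evaluated/dkim") == "pass":
            entry["aligned_pass"] += count
        for sig in record.findall("auth_results/dkim"):
            entry["signatures"].add((sig.findtext("domain"), sig.findtext("selector"), sig.findtext("result")))
    return dict(summary)

def relaxed_aligned(d: str, header_from: str) -> bool:
    """Simplified relaxed alignment: d= equals the From domain or is a subdomain of it."""
    return d == header_from or d.endswith("." + header_from)

def diagnose(entry: dict, header_from: str) -> str:
    """Map one source's DKIM outcome onto the common failure categories."""
    if entry["aligned_pass"] == entry["total"]:
        return "ok: DKIM passes and aligns"
    raw_passes = [d for d, _, result in entry["signatures"] if result == "pass"]
    if raw_passes and not any(relaxed_aligned(d, header_from) for d in raw_passes):
        return "third-party signing with their domain: signature verifies but d= does not align"
    if any(result == "fail" for _, _, result in entry["signatures"]):
        return "signature did not verify: key mismatch or body modified after signing"
    return "no DKIM signature verified for this source"

if __name__ == "__main__":
    for ip, entry in summarize_dkim(SAMPLE_REPORT).items():
        rate = 100 * entry["aligned_pass"] / entry["total"]
        print(f"{ip}: {entry['total']} msgs, aligned DKIM pass {rate:.0f}% -> {diagnose(entry, 'example.com')}")
```

The distinction the script relies on is the one that trips people up when reading reports: auth_results/dkim is the raw verifier result for each signature, while policy_evaluated/dkim is the aligned result DMARC actually uses. A source showing raw pass with aligned fail is signing with the service's own domain and needs custom DKIM enabled.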
DKIM for Common Services
Google Workspace
Google provides DKIM keys in the Admin Console under Apps > Google Workspace > Gmail > Authenticate email. Generate a key and add the provided TXT record to your DNS.
Microsoft 365
Microsoft creates DKIM keys automatically but requires you to publish CNAME records pointing to their DKIM infrastructure. Enable custom DKIM in the Defender portal.
Third-Party ESPs
Services like Mailchimp, SendGrid, and Postmark offer custom DKIM. Look for "Domain Authentication" or "Sender Authentication" in their settings to get the required DNS records.
Need help configuring DKIM?
CCMS provides expert support for DKIM setup across all major email platforms and third-party services.