How to enable DKIM and verify that your email is really signed

DKIM setup has two separate switches: a public key must exist in DNS, and the sending platform must actually sign outgoing messages with the matching private key. Many broken setups complete the DNS step and stop. This workflow verifies both configuration and real-world use.

Updated July 14, 2026

Step 1 — enable custom-domain DKIM at the sender

Open the authentication, sender-domain, or DNS settings in your email provider. Add or select your domain and request DKIM. The provider will either generate a key pair or ask you to provide a public key. Prefer provider-managed keys unless you operate the mail server yourself.

Repeat this inside every platform that sends as your domain. Your mailbox provider's DKIM configuration does not automatically sign messages from a marketing, support, or transactional service.

Step 2 — publish the selector record

Host:  selector1._domainkey.example.com
Type:  TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqh...
Illustrative TXT form. Some providers supply one or more CNAME records instead.
  • Copy the host exactly, watching for DNS dashboards that append your domain automatically.
  • Publish the requested TXT or CNAME type; do not convert between them unless the provider documents it.
  • Do not add quotation marks unless your DNS interface requires them; most interfaces add storage-level quoting themselves.
  • Disable web proxying on mail-authentication DNS records when your DNS provider offers proxy modes.

Step 3 — wait for detection, then turn on signing

Use the DKIM checker with the supplied selector to confirm the public key resolves. Then return to the email platform and click its Start authentication, Enable signing, or Verify button. Some platforms enable signing automatically after verification; others leave it off until you explicitly start it.

Step 4 — test a real message and alignment

Send a fresh message through the platform to the inbox test. Confirm dkim=pass, then inspect the d= signing domain. It should match or be a subdomain of the visible From domain under normal relaxed DMARC alignment.

ResultMeaningNext action
No DKIM signatureThe sender did not signEnable signing in the platform or confirm this was the expected sending path
DKIM failA signature exists but did not verifyCheck selector DNS, key rotation, and message modification
DKIM pass, DMARC failThe signature is valid but not alignedConfigure custom-domain signing so d= aligns with From
DKIM pass, DMARC passThe signature is valid and alignedDocument the selector and monitor it

Step 5 — rotate keys without downtime

Create a new selector rather than overwriting the active key in place. Publish the new public key, wait until it resolves, switch the sender to the new private key, and keep the old public key available long enough for delayed or queued messages to arrive. Then retire the old selector.

If a signature suddenly fails, compare the message's s= selector with DNS, confirm the sender did not rotate without updating your zone, and check whether a gateway modified the body. The DKIM body hash guide covers that specific failure.

Sources and further reading

Common questions

Should I use a TXT or CNAME DKIM record?+

Use exactly what your provider supplies. TXT publishes the public key in your zone; CNAME delegates the selector to a provider-managed hostname.

What DKIM key size should I use?+

Use 2048-bit RSA where your provider and DNS host support it, or the modern algorithm supported by your provider. Avoid creating new 1024-bit keys unless a legacy limitation leaves no alternative.

How do I find my DKIM selector?+

It appears in the provider's setup instructions and in sent messages as the `s=` value inside the DKIM-Signature header.

Can two email platforms use DKIM at once?+

Yes. Give each platform its own selector. Multiple selector records are normal and avoid key collisions.