How to enable DKIM and verify that your email is really signed
DKIM setup has two separate switches: a public key must exist in DNS, and the sending platform must actually sign outgoing messages with the matching private key. Many broken setups complete the DNS step and stop. This workflow verifies both configuration and real-world use.
Updated July 14, 2026
Step 1 — enable custom-domain DKIM at the sender
Open the authentication, sender-domain, or DNS settings in your email provider. Add or select your domain and request DKIM. The provider will either generate a key pair or ask you to provide a public key. Prefer provider-managed keys unless you operate the mail server yourself.
Repeat this inside every platform that sends as your domain. Your mailbox provider's DKIM configuration does not automatically sign messages from a marketing, support, or transactional service.
Step 2 — publish the selector record
Host: selector1._domainkey.example.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqh...- Copy the host exactly, watching for DNS dashboards that append your domain automatically.
- Publish the requested TXT or CNAME type; do not convert between them unless the provider documents it.
- Do not add quotation marks unless your DNS interface requires them; most interfaces add storage-level quoting themselves.
- Disable web proxying on mail-authentication DNS records when your DNS provider offers proxy modes.
Step 3 — wait for detection, then turn on signing
Use the DKIM checker with the supplied selector to confirm the public key resolves. Then return to the email platform and click its Start authentication, Enable signing, or Verify button. Some platforms enable signing automatically after verification; others leave it off until you explicitly start it.
Step 4 — test a real message and alignment
Send a fresh message through the platform to the inbox test. Confirm dkim=pass, then inspect the d= signing domain. It should match or be a subdomain of the visible From domain under normal relaxed DMARC alignment.
| Result | Meaning | Next action |
|---|---|---|
| No DKIM signature | The sender did not sign | Enable signing in the platform or confirm this was the expected sending path |
| DKIM fail | A signature exists but did not verify | Check selector DNS, key rotation, and message modification |
| DKIM pass, DMARC fail | The signature is valid but not aligned | Configure custom-domain signing so d= aligns with From |
| DKIM pass, DMARC pass | The signature is valid and aligned | Document the selector and monitor it |
Step 5 — rotate keys without downtime
Create a new selector rather than overwriting the active key in place. Publish the new public key, wait until it resolves, switch the sender to the new private key, and keep the old public key available long enough for delayed or queued messages to arrive. Then retire the old selector.
If a signature suddenly fails, compare the message's s= selector with DNS, confirm the sender did not rotate without updating your zone, and check whether a gateway modified the body. The DKIM body hash guide covers that specific failure.
Sources and further reading
- RFC 6376 — DomainKeys Identified Mail (DKIM) — The definitive DKIM signing, selector, key, and verification specification.
- RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance (DMARC) — The DMARC policy, alignment, reporting, and record-format specification.