How to Set Up DKIM for Your Domain (Step-by-Step Guide)

DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to every email your domain sends. Receiving servers use this signature to verify that the email genuinely came from you and wasn't altered in transit. Setting it up is one of the single most effective things you can do to improve email deliverability.

Why DKIM Matters

• Stops spoofing: Without DKIM, anyone can forge your email address in the From header
• Improves inbox placement: Gmail, Outlook, and Yahoo actively favour DKIM-signed emails
• Required for DMARC: DMARC alignment checks depend on DKIM passing
• Required by Gmail/Yahoo (2024+): Bulk senders must have DKIM or mail gets rejected

How DKIM Works (Simply Explained)

1. Your mail server generates a pair of cryptographic keys: a private key (kept secret on the server) and a public key (published in your DNS)
2. When you send an email, the server signs it with the private key
3. The receiving server looks up your public key in DNS and uses it to verify the signature
4. If the signature is valid, the email passes DKIM — proving it came from your server unchanged

How to Set Up DKIM for Google Workspace

1. Go to admin.google.com and sign in as an administrator
2. Navigate to Apps → Google Workspace → Gmail → Authenticate email
3. Select your domain and click Generate new record
4. Choose a DKIM key length — 2048 bits is recommended
5. Copy the TXT record value shown (it will look like a long string starting with v=DKIM1; k=rsa; p=...)
6. In your DNS manager, add a new TXT record:
   • Host/Name: google._domainkey
   • Type: TXT
   • Value: The string you copied
7. Wait 30–60 minutes for DNS propagation
8. Return to the Google Admin Console and click Start authentication

How to Set Up DKIM for Microsoft 365

1. Go to security.microsoft.com
2. Navigate to Email & collaboration → Policies & rules → Threat policies → Email authentication settings
3. Click the DKIM tab and select your domain
4. Click Create DKIM keys — Microsoft will show you two CNAME records to add
5. Add both CNAME records to your DNS:
   • selector1._domainkey.yourdomain.com → points to Microsoft's server
   • selector2._domainkey.yourdomain.com → points to Microsoft's server
6. After DNS propagation (up to 48 hours), return and toggle Sign messages for this domain with DKIM signatures to ON

How to Set Up DKIM in cPanel

1. Log into your cPanel
2. Go to Email → Email Deliverability
3. Find your domain in the list
4. If DKIM shows a warning, click Repair — cPanel will automatically generate and install the DKIM record
5. Click Install the suggested record to add it to your DNS

If your DNS is managed outside cPanel (e.g., Cloudflare), you'll need to copy the TXT record and add it manually in your external DNS provider.

How to Verify Your DKIM Is Working

After adding the DNS record and waiting for propagation:

• mxtoolbox.com/dkim.aspx — Enter your domain and DKIM selector (e.g. google or selector1) to test the record
• Send a test email to a Gmail account — open the email, click the three dots → "Show original" → look for dkim=pass in the authentication results
• mail-tester.com — Send an email to the given address and get a full deliverability report including DKIM status

Common DKIM Setup Mistakes

• Wrong selector name: The part before ._domainkey must match exactly what your provider specifies (e.g. google, selector1, default)
• DNS not propagated yet: Wait at least 30–60 minutes before testing. Changes can take up to 48 hours
• Record split incorrectly: Some DNS providers split long TXT records — ensure the full value is preserved as one record
• Forgetting to enable signing: After adding the DNS record, you must also enable DKIM signing in your email provider's control panel