
DKIM Setup Guide: Step-by-Step Configuration for Your Domain

IntoDNS.AI Team, March 30, 2026

How to Set Up DKIM for Email Authentication

This comprehensive guide will walk you through the process of setting up DomainKeys Identified Mail (DKIM) for your domain. DKIM is a crucial email authentication method that helps protect your domain from email spoofing and improves your email deliverability. This guide is tailored for IT professionals and sysadmins, providing technical details, command examples, and step-by-step instructions.

What is DKIM?

DKIM allows the organization sending an email to claim responsibility for a message in a way that can be verified by the message's recipient. It works by adding a digital signature to the email's header. This signature is generated using a private key held by the sender and can be verified by anyone using the corresponding public key, which is published in the domain's DNS records.

Why is DKIM Important?

  • Prevents Spoofing: DKIM helps prevent attackers from forging emails that appear to come from your domain.

  • Improves Deliverability: Email providers often favor authenticated emails, leading to better inbox placement.

  • Enhances Sender Reputation: Consistent use of DKIM strengthens your domain's reputation as a legitimate sender.

DKIM Setup: Step-by-Step

Step 1: Generate DKIM Keys

You need to generate a pair of cryptographic keys: a private key and a public key. The private key stays on your mail server and is used to sign outgoing emails. The public key is published in your DNS records.

You can use various tools to generate these keys. For example, using OpenSSL on a Linux server:

# Generate a private key
openssl genrsa -out private.key 2048

# Generate a public key from the private key
openssl rsa -pubout -in private.key -out public.key

Keep your private.key file secure and do not share it.

Step 2: Configure Your Mail Server to Sign Emails

This step varies depending on your mail server software (e.g., Postfix, Sendmail, Exim). You'll need to configure your server to use the private key to sign outgoing emails.

For Postfix, you might use a milter like OpenDKIM. After installing OpenDKIM, you would typically configure its settings in /etc/opendkim.conf and specify the location of your private key.

Example /etc/opendkim.conf snippet:

Domain                  example.com
KeyFile                 /etc/opendkim/keys/private.key
Selector                mail
Canonicalization        relaxed/simple
Mode                    sv

In this example:

  • Domain is your domain name.

  • KeyFile points to your private key.

  • Selector is a unique identifier for this key (e.g., 'mail', 'default', 'selector1'). You'll need this for your DNS record.

Step 3: Publish Your Public Key in DNS

The public key needs to be published as a TXT record in your domain's DNS zone. The record name (or host) will be selector._domainkey.yourdomain.com.

First, extract the public key from your public.key file. You'll need to format it correctly for the DNS TXT record.

cat public.key

The output will look something like this:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----

Remove the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines and all line breaks, so that the remaining base64 text forms a single string.

Then, create a TXT record in your DNS management interface. For example, if your selector is mail and your domain is example.com, the record would be:

  • Type: TXT

  • Name/Host: mail._domainkey

  • Value: "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

Note the quotes around the value. The v=DKIM1 indicates the DKIM version, k=rsa specifies the key type, and p=... is your public key string.
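
The formatting described in this step can be scripted. The following is an added example, not part of the original guide; the function names are hypothetical and the sample key is a constructed placeholder. It also splits the value into strings of at most 255 characters, which a 2048-bit key requires.

```shell
#!/bin/sh
# Added example: turn a PEM public key into a DKIM TXT record value.

# Drop the BEGIN/END armor lines and all whitespace, leaving one base64 string.
pem_body() {
    grep -v '^-----' | tr -d ' \t\r\n'
}

# Read a PEM public key on stdin and print the TXT value as quoted strings of
# at most 255 characters each. One DNS character-string holds at most 255
# bytes, and a 2048-bit RSA key is about 392 base64 characters, so the value
# has to be split; DKIM verifiers concatenate the pieces before use.
dkim_txt_value() {
    printf 'v=DKIM1; k=rsa; p=%s\n' "$(pem_body)" |
        fold -w 255 |
        awk '{ printf "%s\"%s\"", (NR > 1 ? " " : ""), $0 } END { print "" }'
}

# Constructed placeholder key (392 "A" characters), not a real public key.
sample_pem() {
    echo '-----BEGIN PUBLIC KEY-----'
    printf '%392s\n' '' | tr ' ' 'A' | fold -w 64
    echo '-----END PUBLIC KEY-----'
}

# Demo on the placeholder; for a real key run: dkim_txt_value < public.key
sample_pem | dkim_txt_value
```

Some DNS management interfaces split long values automatically; for those, paste the unsplit string instead.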

Step 4: Verify Your DKIM Setup

After publishing the DNS record, it can take some time for DNS propagation (usually a few minutes to a few hours). You can verify your setup using online tools.

Use the IntoDNS.ai email test tool to check if your DKIM record is correctly published and if your outgoing emails are being signed properly:

IntoDNS.ai Email Test

You can also check your domain's overall DNS health and verify DKIM records using our verified domains tool:

IntoDNS.ai Verified Domains

Enter your domain name and the selector you used (e.g., mail) to check the DKIM record's validity.

Troubleshooting Common Issues

  • DNS Propagation Delay: Ensure you wait long enough for DNS changes to propagate globally.

  • Incorrect DNS Record Format: Double-check the TXT record name (selector._domainkey) and the value format (v=DKIM1; k=rsa; p=...). Ensure no extra spaces or characters.

  • Mail Server Configuration: Verify that your mail server is correctly configured to use the private key and sign emails with the correct domain and selector.

  • Key Mismatch: Ensure the public key in DNS exactly matches the public key generated from your private key.
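
The key mismatch check above, and the record check from Step 4, can be done locally. This is an added example, not part of the original guide; the function names are hypothetical and the sample data is constructed. Deriving the public key from private.key, rather than reading public.key, also catches a stale public.key file.

```shell
#!/bin/sh
# Added example: does the p= value in DNS match the key the server signs with?

# Drop PEM armor lines and whitespace, leaving the base64 body.
pem_body() { grep -v '^-----' | tr -d ' \t\r\n'; }

# Read a TXT answer as printed by `dig +short TXT` and print its p= value.
# Handles a value split over several quoted strings and "\;" escapes.
txt_to_p() {
    sed -e 's/"[[:space:]]*"//g' -e 's/["\\]//g' |
        tr ';' '\n' |
        sed -n 's/^[[:space:]]*p[[:space:]]*=[[:space:]]*//p' |
        tr -d ' \t\r\n'
}

# $1 = TXT answer text, $2 = PEM public key text.
# Prints match, mismatch, or no-key (record absent, or p= empty, which
# RFC 6376 defines as a revoked key).
dkim_key_status() {
    dns_p=$(printf '%s\n' "$1" | txt_to_p)
    local_p=$(printf '%s\n' "$2" | pem_body)
    if [ -z "$dns_p" ]; then echo no-key
    elif [ "$dns_p" = "$local_p" ]; then echo match
    else echo mismatch
    fi
}

# Constructed sample data (placeholder base64, not a real key).
SAMPLE_TXT='"v=DKIM1; k=rsa; p=AAAABBBB" "CCCCDDDD"'
SAMPLE_PEM='-----BEGIN PUBLIC KEY-----
AAAABBBBCCCC
DDDD
-----END PUBLIC KEY-----'
dkim_key_status "$SAMPLE_TXT" "$SAMPLE_PEM"

# Live check, using the page's example selector and domain:
#   dkim_key_status "$(dig +short TXT mail._domainkey.example.com)" \
#                   "$(openssl rsa -in private.key -pubout 2>/dev/null)"
```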

Conclusion

Implementing DKIM is a vital step in securing your email infrastructure and maintaining a positive sender reputation. By following this guide, you can successfully set up DKIM for your domain. Regularly check your email authentication status using tools like IntoDNS.ai to ensure ongoing protection and optimal email deliverability.
