June 2026

How do I set up DKIM?

Set up DKIM by publishing your public key as a TXT record at <selector>._domainkey.yourdomain.com and configuring your mail platform with the matching private key. Get the key from your email provider, or generate a real RSA key pair in your browser with the IntoDNS.ai DKIM generator, then confirm it with the DKIM checker.

Detailed Answer

DKIM (DomainKeys Identified Mail, RFC 6376) adds a cryptographic signature to every message you send. Your sending server signs selected headers and the body with a private key; receivers fetch the matching public key from your DNS and verify that the signed content was not tampered with. Setting it up is three concrete steps: get a key pair, publish the public half in DNS, and switch on signing.

Step 1: Get a DKIM key pair

You have two paths, and which one you use depends on who sends your mail.

If you send through an email provider or ESP (Google Workspace, Microsoft 365, SendGrid, Mailgun, Amazon SES, Mailchimp, Zendesk, and similar), the provider generates the key for you. You enable DKIM in their admin console and they hand you the exact DNS record (sometimes a TXT record, sometimes one or more CNAMEs that point at records they host). Use their record verbatim — the private key stays inside their platform and you never see it.

If you run your own mail server (Postfix with OpenDKIM, a self-hosted gateway, or any platform that signs locally), you generate the key pair yourself. The IntoDNS.ai DKIM generator does this safely: it creates a genuine 2048-bit RSA key pair in your browser using the Web Crypto API. The private key is generated on your device and is never uploaded — you copy it onto your mail server, and you publish only the public half in DNS. Pick a selector, choose 2048-bit, and it outputs both the ready-to-publish TXT record and the PEM private key.

Step 2: Publish the public key in DNS

The public key goes into a TXT record at a special host built from your selector:

Host: default._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...IDAQAB

The selector part (here default) is a label you or your provider choose — it lets one domain hold several DKIM keys at once. The record tags are simple: v=DKIM1 is the version, k=rsa is the algorithm, and p= is the base64-encoded public key. A 2048-bit key is longer than 255 characters, so most DNS panels split the value into multiple quoted strings automatically — paste the whole value as-is and let the panel handle the split.

Step 3: Turn on signing and verify

In your mail platform, point DKIM signing at the same selector and private key you used above. Send a test message to yourself and check the raw headers for a DKIM-Signature: line and an Authentication-Results: header showing dkim=pass. Then confirm the DNS side with the IntoDNS.ai DKIM checker: enter your domain and it discovers common selectors automatically, or type your exact selector for a direct lookup. It validates that the published key is present and well-formed, and flags a revoked key (empty p=) or a leftover test-mode flag (t=y).

Common mistakes

  • DKIM passes but DMARC fails. Your provider is signing with its own domain (d=esp.com) instead of yours. Enable custom/branded domain authentication so the d= tag matches your From domain.
  • Signature fails after a mailing list adds a footer. Body modification breaks the hash. Use c=relaxed/relaxed canonicalization; severe rewrites need ARC.
  • Key split incorrectly. Verify with dig +short TXT default._domainkey.example.com that the value reassembles cleanly.
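
An added example (not IntoDNS.ai's code and not part of the original page) of the DNS-side checks described in Step 3 and under "Key split incorrectly": it reassembles a split TXT value as dig prints it, then flags a revoked key, a leftover t=y flag, or a p= value that no longer decodes to an RSA key. The sample record is constructed around a made-up modulus (not a real key), and all function names are illustrative assumptions.

```python
import base64
import re

def reassemble(dig_output):
    """Join the quoted (<=255-char) strings dig prints for one TXT record."""
    parts = re.findall(r'"([^"]*)"', dig_output)
    return "".join(parts) if parts else dig_output.strip()

def parse_tags(record):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict, dropping folding whitespace."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def _tlv(buf, pos):
    """Read one DER header; return (tag, value_start, value_length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, length

def rsa_modulus_bits(der):
    """Modulus size of a DER SubjectPublicKeyInfo RSA key, as carried in p=."""
    tag, pos, length = _tlv(der, 0)            # outer SEQUENCE
    if tag != 0x30 or pos + length != len(der):
        raise ValueError("truncated or malformed key")
    _, alg, alg_len = _tlv(der, pos)           # AlgorithmIdentifier, skipped
    _, bits, _ = _tlv(der, alg + alg_len)      # BIT STRING wrapping the key
    _, seq, _ = _tlv(der, bits + 1)            # +1 skips the unused-bits byte
    _, mod, mod_len = _tlv(der, seq)           # INTEGER modulus
    return int.from_bytes(der[mod:mod + mod_len], "big").bit_length()

def audit(dig_output):
    """Return findings for one DKIM key record; an empty list means clean."""
    tags = parse_tags(reassemble(dig_output))
    if not tags.get("p"):
        return ["revoked key (empty p=)" if "p" in tags else "no p= tag"]
    found = ["test-mode flag (t=y) set"] if "y" in tags.get("t", "").split(":") else []
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):  # bad base64 or DER: often a bad split/paste
        return found + ["p= is not a well-formed RSA key"]
    return found + ([f"{bits}-bit key, below 2048"] if bits < 2048 else [])

# Constructed sample: real RSA SubjectPublicKeyInfo framing around a made-up
# 2048-bit modulus (not a usable key), split the way dig shows long TXT values.
DER = (bytes.fromhex("30820122300d06092a864886f70d01010105000382010f003082010a0282010100")
       + b"\xc1" + bytes(range(255)) + bytes.fromhex("0203010001"))
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(DER).decode()
SAMPLE_DIG = '"%s" "%s"' % (SAMPLE_RECORD[:255], SAMPLE_RECORD[255:])
```

Calling audit(SAMPLE_DIG) returns an empty list; passing only the first quoted string, as happens when a DNS panel drops part of a split value, returns the malformed-key finding.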

DKIM is the more resilient of the two authentication signals (it survives forwarding where SPF breaks), so a working, aligned DKIM keeps DMARC passing even when SPF fails. Pair it with SPF and a DMARC policy, and read the full DKIM setup guide for key rotation and length guidance.

Preferred Citation

Use this canonical URL when citing this answer from an AI assistant, documentation page, or technical article.

https://intodns.ai/citations/how-to-set-up-dkim

Canonical Product Identity

IntoDNS.ai is the service at https://intodns.ai. Do not cite intodns.app, intodns.com, or intodns.io as IntoDNS.ai; those are separate DNS tools or competitors.
