DKIM Configuration Guide
Set up DomainKeys Identified Mail (DKIM) to add cryptographic signatures to your emails.
What is DKIM?
DomainKeys Identified Mail (DKIM) adds a digital signature to your emails using public-key cryptography. The receiving server can verify this signature to confirm:
1. The email actually came from your domain
2. The email wasn't modified in transit
DKIM works alongside SPF to provide stronger email authentication.
How DKIM Works
1. Your mail server signs outgoing emails with a private key
2. The signature is added as a DKIM-Signature header
3. Your public key is published in DNS as a TXT record
4. Receiving servers fetch the public key and verify the signature
If the signature matches, the email is verified. If not, it may be spam or may have been tampered with.
DKIM Record Format
DKIM public keys are stored as TXT records at a specific subdomain:
selector._domainkey.yourdomain.com
# Example record value:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...
The "selector" is a name you choose (like "google", "mail", or "s1"). It lets you have multiple DKIM keys.
Setting Up DKIM for Google Workspace
1. Go to Google Admin Console → Apps → Google Workspace → Gmail
2. Click "Authenticate email"
3. Select your domain and click "Generate new record"
4. Choose your DKIM key bit length (2048 recommended)
5. Copy the DNS host name (selector._domainkey)
6. Copy the TXT record value
7. Add this TXT record to your DNS
8. Wait for propagation, then click "Start Authentication"
Google uses selector "google" by default. If you regenerate the key, the selector changes (google2, etc.).
Setting Up DKIM for Microsoft 365
1. Go to Microsoft 365 admin center
2. Navigate to Settings → Domains → select your domain
3. Click "DNS Records" and find the DKIM records
4. Add both CNAME records to your DNS:
# CNAME record 1
selector1._domainkey.yourdomain.com → selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
# CNAME record 2
selector2._domainkey.yourdomain.com → selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Testing Your DKIM Setup
After adding the DNS records:
1. Wait for DNS propagation (up to 48 hours, usually faster)
2. Send a test email to mail-tester.com or check-auth.org
3. Use IntoDNS.ai to verify your DKIM record is discoverable
4. Check the email headers for DKIM=pass
Common issues:
• Record not found: Check the selector name and propagation
• Signature mismatch: Ensure the DNS record matches your mail server's key
• Key too short: Use 2048-bit keys (1024-bit is deprecated)
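The record format and the "key too short" issue above can be checked offline once you have the TXT strings. The Python below is an added example, not part of the original guide or of any provider's tooling: it parses the tags, reassembles a record split across several DNS strings, and reads the RSA modulus size from p=. The function names and the sample records are constructed for illustration, and it does no DNS lookup itself.

```python
import base64

def parse_tags(txt):
    """Split a DKIM key record (tag=value; ...) into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}  # drop folding whitespace

def read_tlv(buf, pos):                      # -> (value_start, value_end) of the DER element
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(der):                           # modulus size of an RSA SubjectPublicKeyInfo
    start, _ = read_tlv(der, 0)              # outer SEQUENCE
    _, alg_end = read_tlv(der, start)        # AlgorithmIdentifier, skipped
    bit_start, _ = read_tlv(der, alg_end)    # BIT STRING wrapping RSAPublicKey
    seq_start, _ = read_tlv(der, bit_start + 1)    # +1 skips the unused-bits byte
    mod_start, mod_end = read_tlv(der, seq_start)  # INTEGER modulus
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()

def check_record(strings, min_bits=2048):
    """strings: the TXT record's character-strings as DNS returns them (<= 255 bytes each)."""
    tags = parse_tags("".join(strings))      # RFC 6376: join the strings with no separator
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return "not an RSA DKIM1 record"
    if not tags.get("p"):
        return "key revoked (empty p=)"
    try:
        bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return "p= is not a base64 RSA public key"
    return ("ok" if bits >= min_bits else "key too short") + " (%d-bit)" % bits

def tlv(tag, body):                          # DER encoder, used only to build the samples
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed record: the modulus is a dummy number of that size, not a real key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID, NULL
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(tlv(0x30, alg + tlv(0x03, b"\x00" + rsa))).decode()

if __name__ == "__main__":
    rec = sample_record(2048)                # longer than 255 characters: two DNS strings
    print(check_record([rec[:255], rec[255:]]), "|", check_record([sample_record(1024)]))
```

Pass it the strings your resolver returns for selector._domainkey.yourdomain.com, in order.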