How to set up DKIM (selectors, keys and rotation)
DKIM cryptographically signs your mail so receivers can verify it wasn't forged or altered. Here's how selectors and keys work, and how to publish them correctly.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message. Your mail server signs outgoing mail with a private key; receivers fetch the matching public key from your DNS and verify the signature — proving the mail really came from your domain and wasn't altered in transit.
Selectors and where the key lives#
A DKIM public key is a TXT record at <selector>._domainkey.yourdomain.com. The selector is a label your provider chooses, so you can run multiple keys at once (e.g. one per sending service, or old + new during rotation).
google._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."Because the selector is chosen by the sender, you can't enumerate DKIM the way you can SPF/DMARC — you check the specific selector your provider uses.
Setting it up#
- In your email provider (Google Workspace, Microsoft 365, SendGrid, etc.), turn on DKIM / 'authenticate domain'. It gives you the selector and the public key (or a CNAME to their hosted key).
- Publish the TXT (or CNAME) record exactly as provided — long keys are often split across strings; keep them intact.
- Wait for DNS to propagate, then enable/activate signing in the provider.
- Send a test message to a mailbox you control and confirm DKIM=pass in the headers.
Key rotation#
- Use 2048-bit RSA keys where supported (1024-bit is the weak legacy default).
- Rotate keys periodically by publishing a new selector, switching signing to it, then removing the old one after mail in flight has cleared.
- Managed providers often rotate for you via a CNAME to their hosted key — set it once and they handle rotation.
Frequently asked questions
▸ ▾ Why can't your tool always find my DKIM?
DKIM keys live under a selector that the sender chooses, so there's no fixed location to look up. Automated checks probe common provider selectors; if you use a custom one, DKIM may be configured even when a generic probe reports 'not found'.
▸ ▾ Do I need DKIM if I already have SPF?
Yes. SPF authorises servers; DKIM proves the message content wasn't altered and survives forwarding better than SPF. DMARC needs at least one of them to align — and Gmail/Yahoo bulk rules require both SPF and DKIM.
▸ ▾ How many DKIM keys can I have?
As many as you have selectors. It's normal to run several — one per sending service, plus a second during rotation.
Do it with a free tool
Related guides
Published 2026-07-09 · Updated 2026-07-09 · By Crawlsonar.