How To Configure DKIM: The Basics

Understand how cryptographic signatures protect your emails from tampering and forgery before you attempt to configure your DNS.

1
How DKIM Works (Private vs Public Keys)
DKIM uses asymmetric cryptography. Your email provider (e.g., Google Workspace) holds a Private Key used to mathematically "sign" every outbound email. You publish the matching Public Key in your DNS.
2
What is a Selector?
A single domain can send emails from multiple services (e.g., Google, Mailchimp, Zendesk). Each service needs its own DKIM key. The Selector is a unique name (like google or s1) that tells the receiving server exactly which public key to look for in your DNS.
Without knowing your specific Selector, it is impossible to lookup or validate a DKIM record. It is not located at the root of your domain.

Generating Your DKIM Keys

You cannot invent a DKIM record. It must be generated by the platform that actively sends your emails.

1
Access your Email Provider
Log in to the admin console of the service you use to send emails. Here are common paths:
  • Google Workspace: Admin Console > Apps > Google Workspace > Gmail > Authenticate email (DKIM). Click "Generate New Record".
  • Office 365: Microsoft 365 Defender > Email & Collaboration > Policies & Rules > Threat Policies > DKIM.
  • cPanel: Email > Email Deliverability > Click "Manage" next to your domain.
2
Copy the Values Provided
When you generate the key, your provider will give you two pieces of information:
1. The Hostname / Selector (usually ending in ._domainkey)
2. The TXT Value (a very long string starting with v=DKIM1; k=rsa; p=...)

Publishing to your DNS

The final step is to place the generated Public Key into your domain's DNS zone file.

1
Create a TXT or CNAME Record
Log in to your DNS manager (e.g., Cloudflare, GoDaddy, Namecheap). Create a new record based on what your provider gave you. (Most use TXT, but some like Office 365 use CNAMEs).
2
Format the Hostname Correctly
If your provider gave you a selector called google, the Name/Host field must be exactly:
Name/Host: google._domainkey
Some DNS managers automatically append your domain to the hostname. Do not type google._domainkey.yourdomain.com into the name field unless your specific host requires it.
3
Paste the Long String
Paste the entire cryptographic string into the Value/Content field and save the record. Ensure no spaces are accidentally added.
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQE...

Live DKIM Validator

Test the configuration you just published. Enter your Selector and Domain below to perform a live cryptographic validation.

._domainkey.

Raw DKIM Public Key Record:

Diagnostic Log:

    Expert Recommendation

    Comprehensive Guides

    Learn exactly how to configure DKIM through our detailed guides that demystify cryptographic signatures, public keys, and DNS record formatting.

    Public Key Validation

    Master how to configure DKIM by verifying that your public cryptographic key is accurately published in your DNS without syntax or copy-paste truncation errors.

    Selector Identification

    Understanding selectors is the hardest part of learning how to configure DKIM. Our tool helps you instantly query specific ._domainkey prefixes deployed by your host.

    Live DNS Resolution

    Skip the propagation waiting game. When learning how to configure DKIM, use our direct DNS engine to bypass ISP caches and fetch your exact live configuration.

    Key Revocation Checks

    Part of knowing how to configure DKIM securely is knowing how to revoke old keys. Our analyzer instantly detects empty p= tags, ensuring retired keys are invalidated.

    Inbox Deliverability

    Failing to understand how to configure DKIM results in emails landing in spam. Use our tool to align your domain keys and secure strict DMARC compliance.