What is DKIM and how to set it up?

Email deliverability is crucial for any sender reaching out to leads, customers and audiences via email. However, technical aspects need to be addressed to ensure your emails reach their intended recipients. One of these crucial technical aspects is setting up DKIM records.

In this article, you'll find out:

What a DKIM record is and why it's important

How to set up your DKIM record for:

   Google

   Microsoft

   Zoho Mail

   Other providers

Common questions on DKIM Records

What is a DKIM Record?

Your DKIM (DomainKeys Identified Mail) is a record that helps email providers differentiate between real emails and potential spam or phishing attempts. It does this by making it harder to fake the sender's email address.

With your DKIM set up correctly, you're putting a digital "seal" on your emails. This "seal" is checked against a public cryptographic key in the sender's DNS records.

This means that when the email is received, the server can check that the "seal" is genuine and that the email really comes from the domain it claims to come from.

DKIM reduces your chances of getting marked as spam, because it confirms you're the real sender and not a spammer.

Why do you need to set up your DKIM?

You need to set up your DKIM to:

  1. Verify your sender identity: DKIM checks if emails are genuine and haven't been tampered with, preventing email spoofing and forging.
  2. Boost your sender reputation: Setting up your DKIM ensures that your emails are delivered, protects your sender reputation, and helps you avoid spam.
  3. Comply with security rules: DKIM works with other settings like SPF and DMARC to protect your email, making sure you follow industry or regional authentication standards.

How to Use a DKIM Generator?

To use a DKIM generator, you need to follow 3 simple steps.

Here's what a typical DKIM record generator looks like:

Step 1: Add your domain

Your domain is the second half of your email address. 

For example, to set up the DKIM for name@lemwarm.com, lemwarm.com would be my domain.

Step 2: Choose a DKIM Selector

If your DKIM generator is asking for your selector, it means you have to choose a unique identifier for your DKIM key. The selector isn't something you search for, but rather something you create.

Here's how you can do it:

1. Check existing records, in case you already have a DKIM setup:

Check your domain's DNS records. DKIM records are saved as TXT records.

If there's an existing record named something like "selector1._domainkey.yourdomain.com", then "selector1" is your selector.

Alternatively, if you use an email service provider (ESP) or another third-party tool to send emails, you might find the selector information in the dashboard or settings of that tool.

2. Decide on a new selector

If you're setting up DKIM for the first time or adding a new DKIM key, you can choose the selector name.

It's usually a simple string, like "default", "mail", "2023", or the name of your ESP ("mailchimp", "sendgrid"). Make sure it's unique if you have multiple DKIM keys for different purposes or services.

3. Enter your selector

Once you've identified or chosen your selector, enter it into the DKIM generator. The tool will use this selector to create the right DKIM DNS record that you can add to your domain's DNS.

Remember, the selector helps differentiate and identify specific DKIM keys, especially if you have multiple keys for your domain. It's a part of the process that verifies emails from your domain as authentic.

Step 3: Choose your DKIM Key Length

The DKIM key length is the size of the cryptographic key used in the DKIM signing process.

There are two common key lengths for DKIM:

  1. 1024-bit:
    A widely used standard that offers good security and performance, but may be vulnerable to dedicated attackers.
  2. 2048-bit:
    A longer key that provides enhanced security compared to 1024-bit keys. Many organizations are moving to this key length due to advancements in technology and potential vulnerabilities with shorter keys. However, some email systems may not support DKIM signatures created with 2048-bit keys.

For better security, use 2048-bit keys if you can, but make sure they work with your email system and with the people you email. Review your key length every once in a while, because best practices change over time.

How to set up your DKIM record on Google?

Step 1: Sign in to the Google Admin console

Step 2: Navigate to the “Authenticate email” section

DKIM authentication

Step 3: Sign in to your domain provider

Step 4: Navigate to the page to edit your domain’s DNS records

It can sometimes be called “DNS Management”, “Name Server Management”, or “Advanced Settings”.

Step 5: Add your DKIM to your DNS records

It should look like this:

Copy-paste the following text:

TYPE: TXT
HOST NAME: google._domainkey
VALUE: [your-google-TXT-record-value]

Step 6: Check that your new setup works

You can test your technical setup here. Also make sure to use a warm-up and deliverability booster like lemwarm to monitor your deliverability. It will also alert you in case of any deliverability issues.

How to set up your DKIM record on Microsoft?

Step 1: Sign in to the Google Admin console

Step 2: Navigate to the “Authenticate email” section

DKIM authentication

Step 3: Sign in to your domain provider

Step 4: Navigate to the page to edit your domain’s DNS records

It can sometimes be called “DNS Management”, “Name Server Management”, or “Advanced Settings”.

Step 5: Add your DKIM to your DNS records

It should look like this:


Copy-paste the following text:

TYPE: CNAME
HOST NAME: selector1._domainkey
VALUE: [your-microsoft-CNAME-record-value]

TYPE: CNAME
HOST NAME: selector2._domainkey
VALUE: [your-google-CNAME-record-value]

Replace [your-google-TXT-record-value] with the content you have here:

Step 6: Check that your new setup works

You can test your technical setup here. Also make sure to use a warm-up and deliverability booster like lemwarm to monitor your deliverability. It will also alert you in case of any deliverability issues.

How to set up your DKIM record on Zoho mail?

Step 1: Sign in to the Google Admin console

Step 2: Navigate to the “Authenticate email” section

DKIM authentication

Step 3: Sign in to your domain provider

Step 4: Navigate to the page to edit your domain’s DNS records

It can sometimes be called “DNS Management”, “Name Server Management”, or “Advanced Settings”.

Step 5: Add your DKIM to your DNS records

It should look like this:

Copy-paste the following text:

TYPE: TXT
HOST NAME: zoho._domainkey
VALUE: [your-Zoho-TXT-record-value]

Replace [your-Zoho-TXT-record-value] with the content you have here:

Step 6: Check that your new setup works

You can test your technical setup here. Also make sure to use a warm-up and deliverability booster like lemwarm to monitor your deliverability. It will also alert you in case of any deliverability issues.

How to set up your DKIM record on other providers?

Step 1: Sign in to the Google Admin console

Step 2: Navigate to the “Authenticate email” section

DKIM authentication

Step 3: Sign in to your domain provider

Step 4: Navigate to the page to edit your domain’s DNS records

It can sometimes be called “DNS Management”, “Name Server Management”, or “Advanced Settings”.

Step 5: Add your DKIM to your DNS records

It should look like this:

Copy-paste the following text:

TYPE: TXT
HOST NAME:
VALUE: [your-provider-TXT-record-value]

Replace [selector] and [your-google-TXT-record-value] with the content given by your email provider.

Step 6: Check that your new setup works

You can test your technical setup here. Also make sure to use a warm-up and deliverability booster like lemwarm to monitor your deliverability. It will also alert you in case of any deliverability issues.

Common DKIM questions

1. What is the DKIM email authentication key?

In DKIM, the email authentication "key" refers to a pair of cryptographic keys: a private key and a public key.

  1. Private Key: This is kept secret by the sending server. Every outgoing email is signed with this key.
  2. Public Key: This is published in your DNS records as a sender. Your audience's servers retrieve this key to verify the digital signature attached to your email.

When your DKIM is correctly set up, the sending server signs the email using the private key. When the email is received, the receiving server finds the corresponding public key in the DNS records of the sending domain and uses it to verify the digital signature.

If the signature is valid, it indicates that your email is legitimate and helps you avoid spam.

2. How to Set Up DKIM on GoDaddy?

If you're using GoDaddy as your DNS provider, follow the specific instructions in this linked guide. Typically, you will log in to your GoDaddy account, navigate to the DNS management page, and add a new TXT record with your DKIM details.

Here are some more guides for:

How to add your DKIM records on Namecheap
How to add your DKIM records on Cloudflare

3. Can You Have Multiple DKIM Records?

Yes, you can have multiple DKIM records for a domain. This is often necessary if you are using more than one email service provider. Each provider will have its unique DKIM signature, and you'll need to add each one to your DNS.

4. How to set up multiple DKIM records?

Multiple DKIM records are typically used when you have different sending sources or third-party services that send emails on behalf of your domain. Each sender or service can have its own unique DKIM selector and corresponding record.

Here's how to set up multiple DKIM records:

1. Determine the Need for Multiple DKIM Records:

You might need multiple records if you're using various email services (like Mailchimp, SendGrid, etc.) or multiple internal sending systems, and you want each to have its own DKIM signature.

2.  Choose a Selector for Each DKIM Record:

The selector is a string used to differentiate between different DKIM records in your domain's DNS. For example, if you use Mailchimp and SendGrid, you might choose selectors like mailchimp and sendgrid.

3. Generate the DKIM Keys:

Most third-party email services will provide you with the necessary DKIM information (both the private and public keys). If you're setting it up internally, you'll need to use tools or software to generate the DKIM key pair.

4. Add DKIM Records to DNS:

With your selector and DKIM information in hand, you'll create TXT records in your domain's DNS. The name of the record typically follows the format: selector._domainkey.yourdomain.com. The value of the TXT record will be the public key provided by the email service or generated by your tool.

5. Ensure Correct Syntax:

Make sure the DKIM record is correctly formatted. It will generally look like this:

v=DKIM1; k=rsa; p=[your public key here]

6. Test the Setup:

After setting up the DKIM records, it's a good idea to send test emails to ensure they're being correctly signed and that recipients can validate the signatures.

7. Rotate and Maintain:

For security reasons, periodically rotate your DKIM keys. This involves generating new keys, updating your DNS records, and updating the sending service to use the new private key.

By following these steps for each sending source or service, you can maintain multiple DKIM records for a single domain, enhancing the deliverability and trustworthiness of the emails you send.
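The record syntax from step 5 and the key-length advice from the generator section can be checked before a record goes into DNS. The following is an added example, not part of the original article or any provider's tooling: the function names are hypothetical, it only measures RSA keys, and the sample records are constructed with placeholder moduli rather than real keys.

```python
import base64

def der_len(buf, i):
    """Read the DER length at buf[i]; return (length, index of first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def rsa_bits(spki):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo (the decoded p=)."""
    _, i = der_len(spki, 1)                # outer SEQUENCE
    alg_len, i = der_len(spki, i + 1)      # AlgorithmIdentifier SEQUENCE
    _, i = der_len(spki, i + alg_len + 1)  # skip it, enter the BIT STRING
    _, i = der_len(spki, i + 2)            # skip unused-bits byte, enter RSAPublicKey
    n_len, i = der_len(spki, i + 1)        # INTEGER holding the modulus
    return int.from_bytes(spki[i:i + n_len], "big").bit_length()

def lint_dkim_record(selector, domain, txt, min_bits=2048):
    """Return (DNS name the record belongs at, findings) for one TXT record value."""
    tags = {k.strip(): v.strip() for k, v in
            (part.split("=", 1) for part in txt.split(";") if "=" in part)}
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= is not DKIM1")
    p = "".join(tags.get("p", "").split())  # DNS tools may split the key across strings
    if not p:
        findings.append("p= is empty or missing: no usable public key")
    elif tags.get("k", "rsa") == "rsa":
        bits = rsa_bits(base64.b64decode(p))
        if bits < min_bits:
            findings.append(f"{bits}-bit RSA key, below {min_bits}")
    return f"{selector}._domainkey.{domain}", findings

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed sample record; the modulus is a placeholder, not a real key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = der(0x30, alg + der(0x03, b"\x00" + key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Calling lint_dkim_record("sendgrid", "yourdomain.com", sample_record(1024)) returns the name sendgrid._domainkey.yourdomain.com with the finding "1024-bit RSA key, below 2048", while the 2048-bit sample returns no findings.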

5. What is the difference between SPF and DKIM?

While both aim for secure email communication, their mechanisms and purposes differ. Both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are technical settings that help you verify your identity as a sender. 

What's the difference in their purpose?

SPF → This method allows the domain owner to specify which servers are sanctioned to send emails for a domain.

DKIM → Using cryptographic signatures, DKIM ensures that an email is genuinely from the claimed domain and its data remains unchanged in transit.

What's the difference in their mechanism?

SPF → The domain owner lists authorized servers in DNS using a TXT record. When the recipient's server receives an email, it queries this record to verify if the email came from an allowed server.

DKIM → The sending server appends a DKIM-Signature header field to the email. This signature is a hash of the message, signed with a private key. The recipient's server, acting as the verifier, retrieves the domain's public key from DNS to validate this signature.

What's the difference in their fields and selectors?

SPF → This method operates based on the "MAIL FROM" domain.

DKIM → The DKIM header contains several tags. One crucial tag is the "selector" (often referred to as the DKIM selector), which helps the receiver locate the appropriate DKIM record in the DNS for signature verification.

What's the difference in their limitations?

SPF → It checks only the envelope sender, not the visible "From" header, potentially allowing some spoofing instances.

DKIM → While it verifies the integrity of the email content, it doesn't inherently specify which servers are authorized to send emails from the domain.
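How a receiver gets from the DKIM-Signature header to the DNS record it must fetch, as an added example that is not part of the original article: the function name is hypothetical, and the sample header is constructed, with placeholder values in bh= and b=. It also reports whether the From header is among the signed headers listed in h=.

```python
import re

# Constructed sample header value; bh= and b= are placeholders, not real signature data.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=sendgrid;\r\n"
    "\th=From:To:Subject:Date;\r\n"
    "\tbh=PLACEHOLDERBODYHASH=;\r\n"
    "\tb=PLACEHOLDER\r\n"
    "\t SIGNATURE=="
)

def describe_signature(header_value):
    """Extract what a verifier needs from a DKIM-Signature header value."""
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", header_value)  # undo header line folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    missing = [t for t in ("d", "s", "h", "b") if not tags.get(t)]
    if missing:
        raise ValueError(f"DKIM-Signature lacks required tag(s): {missing}")
    signed = [h.strip().lower() for h in tags["h"].split(":")]
    return {
        "dns_lookup": f"{tags['s']}._domainkey.{tags['d']}",  # where the public key lives
        "signing_domain": tags["d"],
        "signed_headers": signed,
        "from_is_signed": "from" in signed,  # From must be covered by the signature
        "signature": "".join(tags["b"].split()),  # folding whitespace is not part of b=
    }

if __name__ == "__main__":
    print(describe_signature(SAMPLE_DKIM_SIGNATURE))
```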

What other technical settings do I need to complete?

If you've just set up your DKIM records, congrats on the first step!

To keep your emails out of spam and ensure they reach your audience's inboxes, there are 4 other technical settings to complete:

Once you've completed your setup, use this free Deliverability Tester to ensure all settings are in place!
