DKIM Setup Guide 2026 — How to Configure DKIM Records

Published April 2026 · More articles

What is DKIM?

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing emails, allowing receiving servers to verify that the email was actually sent by your domain and wasn't modified in transit. Unlike SPF which validates the sending IP, DKIM validates the message content itself.

How DKIM Works

When you send an email, your mail server:

  1. Creates a cryptographic hash of the email content
  2. Signs the hash with your private DKIM key
  3. Adds a DKIM-Signature header to the email
  4. The receiving server looks up your public key in DNS at selector._domainkey.yourdomain.com
  5. Verifies the signature against the public key

Want to see DKIM headers in real emails? Use our Email Header Analyzer tool to inspect any email's DKIM signature.

Setting Up DKIM — Step by Step

Step 1: Generate Your DKIM Key Pair

Most email providers generate DKIM keys for you. For self-hosted mail servers:

openssl genrsa -out dkim-private.pem 2048
openssl rsa -in dkim-private.pem -pubout -out dkim-public.pem

The selector is a label you choose (e.g., default, mail2026, jan). You can have multiple selectors for different mail streams.

Step 2: Add the DKIM DNS Record

Create a TXT record at selector._domainkey.yourdomain.com:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA...

Copy the public key (without the -----BEGIN/END lines) into the p= tag.

Step 3: Configure Your Mail Server

For Postfix, install OpenDKIM. For self-hosted setups on your own VPS, check our comparison of email providers to see which ones support custom DKIM.

Step 4: Verify Your DKIM Setup

Use our free tool to check your DKIM record. Enter your domain and we'll look for common DKIM selectors and verify the key is valid.

Common DKIM Issues

Key Too Short (1024-bit)

Keys shorter than 2048-bit are now considered insecure. Gmail and other providers may reject or flag emails signed with 1024-bit keys.

Wrong Selector

Each mail provider uses a different selector. Google uses google, Mailchimp uses k1, etc. Make sure you're checking the right selector.

Multiple DKIM Records

It's fine to have multiple DKIM records (one per selector), but each selector should have exactly one record.

Test Your Domain Now

Check DKIM & SPF & DMARC →

Related: Gmail deliverability · Outlook deliverability · ProtonMail setup