
DKIM Setup Guide: Key, Selector, DNS

Short answer. DKIM (DomainKeys Identified Mail) signs email cryptographically: the mail server adds a digital signature to the header with a private key, and the recipient verifies it with the public key from your DNS. Setup is three steps: generate a key pair, publish the public key as a TXT record at selector._domainkey.domain, and enable signing on the mail server.

How DKIM works

When sending, the server hashes the selected headers and the message body, signs that hash with the private key, and places the result in the DKIM-Signature header. The recipient reads the selector and signing domain from that header, fetches the matching public key from DNS and verifies that the message was neither forged nor altered in transit.

Step 1. Generate a key pair

Most providers (Google Workspace, Microsoft 365, Mailgun) generate the key automatically and hand you a ready TXT record. If you do it manually:

openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem
# the p= value for the DNS record is the base64 body of dkim_public.pem:
# drop the BEGIN/END PUBLIC KEY lines and join the remaining lines into one string

Step 2. Publish the public key in DNS

The selector is an arbitrary name (for example mail, s1, google) that lets you have multiple keys. The record is published like this:

selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

# Verify the published key:
dig txt selector._domainkey.example.com
dig +short txt google._domainkey.example.com
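As an added example (not code from the original article), the Python below turns the dkim_public.pem from Step 1 into the p= value, assembles the TXT record content, and writes the zone-file line with the record split into quoted strings of at most 255 characters, the form a long 2048-bit key has to be published in. The PEM is a constructed stand-in whose body is arbitrary bytes of the right length, not a real key, and the function names are assumptions of this example.

```python
import base64
import textwrap

# Constructed stand-in for dkim_public.pem. The base64 body is arbitrary bytes of the same
# length as a 2048-bit RSA SubjectPublicKeyInfo (294 bytes); it is NOT a real key.
SAMPLE_P = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(textwrap.wrap(SAMPLE_P, 64))      # openssl wraps PEM at 64 columns
              + "\n-----END PUBLIC KEY-----\n")


def pem_to_p(pem: str) -> str:
    """The p= value is the PEM body with the BEGIN/END lines and all newlines removed."""
    lines = (line.strip() for line in pem.splitlines())
    return "".join(line for line in lines if line and not line.startswith("-----"))


def build_dkim_record(pem: str, key_type: str = "rsa", test_mode: bool = False) -> str:
    """Assemble the TXT record content: v= first, then k=, optional t=y, and p= last."""
    tags = ["v=DKIM1", f"k={key_type}"] + (["t=y"] if test_mode else []) + [f"p={pem_to_p(pem)}"]
    return "; ".join(tags)


def split_txt(record: str, limit: int = 255) -> list:
    """One TXT character-string holds at most 255 bytes, so a 2048-bit key never fits in one.
    Publish it as several quoted strings; resolvers and DKIM verifiers concatenate them."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def zone_line(selector: str, domain: str, record: str) -> str:
    """Zone-file line with the record as quoted strings separated only by whitespace."""
    strings = " ".join(f'"{part}"' for part in split_txt(record))
    return f"{selector}._domainkey.{domain}. IN TXT {strings}"


if __name__ == "__main__":
    print(zone_line("mail", "example.com", build_dkim_record(SAMPLE_PEM)))
```

Paste the printed line into the zone as-is. Providers that take the record through a web form usually want the unsplit content from `build_dkim_record` and do the chunking themselves; either way the verifier sees one concatenated string.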

Step 3. Enable signing on the server

  • Google Workspace: Apps → Gmail → Authenticate email → Generate new record → Start authentication.
  • Microsoft 365: Defender portal → DKIM → enable for the domain.
  • Transactional services (Mailgun, SendGrid, Postmark): follow the domain verification wizard.

DKIM record parameters

Tag   Value        Purpose
v     DKIM1        Version (required)
k     rsa          Key type
p     base64 key   Public key
t     y            Test mode (optional)
p     (empty)      Key revocation

Use a 2048-bit key. 1024-bit keys still appear but are considered weak and are gradually losing trust.
Never publish the private key in DNS — only the public key (p=) goes there. The private key stays on the mail server and is shared with no one.

Common mistakes

  1. Split long TXT record — DNS providers store a long string as several quoted parts; the parts must be concatenated with no stray quotes or spaces between them.
  2. Wrong selector — the DNS name must exactly match the one in DKIM-Signature.
  3. Key not propagated — wait for TTL and verify with dig.
  4. Signing enabled but DNS forgotten — the signature exists but verification fails.
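The checks behind the parameter table and the mistakes above can be automated. The Python below is an added example, not code from the article or from enterno: it parses a DKIM TXT record (the same tag=value syntax the DKIM-Signature header uses, so it also derives the DNS name a verifier queries from s= and d=), concatenates split strings, flags a missing v=DKIM1, test mode, an empty p= (revocation), base64 broken by stray quotes, and a weak key size read out of the DER-encoded public key. The sample records and the DKIM-Signature header are constructed; the p= values wrap a placeholder modulus rather than a real RSA key, and all function names are this example's own.

```python
import base64
import binascii

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

def parse_dkim_tags(tag_list: str) -> dict:
    """Parse an RFC 6376 tag=value list; the DNS record and DKIM-Signature share this syntax."""
    tags = {}
    for field in tag_list.split(";"):
        if not field.strip():
            continue
        if "=" not in field:
            raise ValueError(f"malformed field {field!r}")
        name, value = field.split("=", 1)
        if name.strip() in tags:
            raise ValueError(f"duplicate tag {name.strip()}")
        tags[name.strip()] = "".join(value.split())   # folded whitespace in a value is not significant
    return tags

def dkim_query_name(signature_header: str) -> str:
    """The DNS name a verifier looks up: <s>._domainkey.<d> taken from the DKIM-Signature header."""
    tags = parse_dkim_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"

def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; returns (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low bits = byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return the modulus size in bits."""
    tag, seq, _ = _der_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, algo, pos = _der_tlv(seq, 0)
    _, oid, _ = _der_tlv(algo, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_tlv(seq, pos)
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsa_pub, _ = _der_tlv(bitstr[1:], 0)            # bitstr[0] is the unused-bits count (0)
    _, modulus, _ = _der_tlv(rsa_pub, 0)               # INTEGER n; INTEGER e follows it
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt_strings, min_bits: int = 2048) -> dict:
    """Validate a published DKIM record given as the list of quoted strings a TXT answer carries."""
    findings, bits = [], None
    tags = parse_dkim_tags("".join(txt_strings))       # strings are concatenated with no separator
    if tags.get("v") != "DKIM1":
        findings.append("v-tag")                       # v=DKIM1 is required
    if "y" in tags.get("t", "").split(":"):
        findings.append("test-mode")                   # t=y: signatures are treated as if absent
    if "p" not in tags:
        findings.append("p-missing")
    elif tags["p"] == "":
        findings.append("p-revoked")                   # empty p= means the key was revoked
    else:
        try:
            # validate=True matters: the default silently drops non-base64 characters such as a
            # stray quote from a badly joined split record, which would hide the mistake
            spki = base64.b64decode(tags["p"], validate=True)
            if tags.get("k", "rsa") == "rsa":          # k= defaults to rsa when absent
                bits = rsa_modulus_bits(spki)
                if bits < min_bits:
                    findings.append("weak-key")
        except binascii.Error:
            findings.append("p-not-base64")
        except (ValueError, IndexError):
            findings.append("p-not-a-key")
    return {"ok": not findings, "bits": bits, "findings": findings}

# Constructed sample data below: the modulus is a placeholder, NOT a real RSA key.
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag]) + (bytes([0x80 | len(lb)]) + lb if lb else bytes([n])) + payload

def constructed_p(modulus_bits: int) -> str:
    """Base64 SubjectPublicKeyInfo around a placeholder modulus, the shape a real p= value has."""
    def der_int(v):                                    # +8 keeps a leading 0x00 when the top bit is set
        return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    rsa_pub = _der(0x30, der_int((1 << (modulus_bits - 1)) | 1) + der_int(65537))
    algo = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return base64.b64encode(_der(0x30, algo + _der(0x03, b"\x00" + rsa_pub))).decode()

GOOD_RECORD = "v=DKIM1; k=rsa; p=" + constructed_p(2048)
GOOD_SPLIT = [GOOD_RECORD[:255], GOOD_RECORD[255:]]               # stored as two strings by a provider
BROKEN_SPLIT = [GOOD_RECORD[:255] + '"', '"' + GOOD_RECORD[255:]]  # stray quotes left in when joining
WEAK_RECORD = ["v=DKIM1; k=rsa; p=" + constructed_p(1024)]
REVOKED_RECORD = ["v=DKIM1; p="]
SIGNATURE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail;"
                    " h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER==")
```

Feed `check_dkim_record` the strings `dig +short txt` returns for `dkim_query_name(header)`; a result of `p-not-base64` on a record that looks fine in the provider's console is the classic symptom of mistake 1, and an `ok` result with `bits` below 2048 is the 1024-bit key the parameter table warns about.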

How enterno.io helps with DKIM

The /email-check tool checks for a DKIM record at the given selector, validates the key syntax and warns you if the record is split, empty or the selector does not match. Together with the SPF and DMARC checks you see the whole authentication picture in one place. enterno diagnoses — publishing the TXT in the zone is done by the domain owner. Free: 48+ tools and a DNS check.

FAQ

What is a DKIM selector?

The selector is a label in the DNS record name (selector._domainkey.domain) that lets you keep several DKIM keys at once, for example for different services or for key rotation.

How many DKIM records can I have?

As many as you like — one per selector. This is handy so each sender signs with its own key.

Why does DKIM pass but the email still lands in spam?

DKIM is only part of authentication. Also check SPF, DMARC and IP/domain reputation. More in why emails go to spam.

Check DKIM: run /email-check with your selector and confirm the key is published correctly. See also email spoofing prevention.
