How to Configure DKIM for Your Domain

Key idea:

DKIM (DomainKeys Identified Mail) is a cryptographic signature proving that a message truly originated from your domain and was not altered in transit. Without DKIM, Gmail and Yandex throttle delivery. Process: generate an RSA-2048 key pair → publish the public key as a selector._domainkey.example.com TXT record → enable signing in the mail server.

Below: step-by-step, working examples, common pitfalls, FAQ.

Step-by-Step Setup

  1. Generate an RSA-2048 key pair: openssl genrsa -out dkim.private 2048 && openssl rsa -in dkim.private -pubout -out dkim.public
  2. Convert the public key to DNS format: strip the header/footer lines and all newlines so the key is a single line
  3. Create a TXT record: name mail._domainkey (where mail is the selector), value v=DKIM1; k=rsa; p=PUBLIC_KEY
  4. Enable signing in the mail server (Postfix: opendkim; Google Workspace: Admin → Apps → Gmail → Authenticate email)
  5. Send a test email and check the DKIM-Signature header at the recipient
  6. Verify via Enterno DKIM Checker: enter domain + selector
  7. Confirm via check-auth@verifier.port25.com

Working Examples

Scenario | Config / Record
Google Workspace | Admin console → Apps → Gmail → Authenticate email → Generate new record (selector = google)
Yandex 360 | Domain admin → Mail → DKIM. Selector = mail
Mailgun | TXT imported from Mailgun dashboard (selector = mx)
Postfix + OpenDKIM | opendkim-genkey -s mail -d example.com → copy mail.txt into DNS
SendGrid | DKIM host: s1._domainkey + s2._domainkey (2 records)

Common Pitfalls

  • RSA key below 1024 bits: Gmail rejects it. Minimum 1024, recommended 2048
  • Line breaks or whitespace inside the public key → invalid record
  • The selector must match in DNS and in the message header; a typo breaks everything
  • After key rotation, keep the old selector for 14 days so mail in flight still validates
  • Never store the private key in git: a leaked key lets anyone sign mail as your domain

Public Key: DKIM key in DNS TXT record
Key Length: RSA-1024, 2048, or Ed25519
Quick Test: Domain + selector = result
Validation: Syntax and parameters of DKIM TXT
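
The record-building and checking logic behind setup steps 2 and 3 and the key-size and whitespace pitfalls above, as an added Python example that is not part of this page or of the Enterno tool. It builds the TXT value from a DER public key and then checks a record the way a verifier would before trusting it; the DER helpers are assumed minimal encoders/decoders standing in for a real crypto library, and the sample modulus is a constructed placeholder, not a generated key.

```python
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1, rsaEncryption

def der(tag, body):  # minimal DER TLV encoder, used only to build the constructed sample keys
    n = len(body)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (lb if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def rsa_spki(n, e=65537):  # SubjectPublicKeyInfo{rsaEncryption, RSAPublicKey{n, e}}
    ints = [v.to_bytes((v.bit_length() + 7) // 8, "big") for v in (n, e)]
    key = der(0x30, b"".join(der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b) for b in ints))
    return der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + key))

def dkim_txt_value(spki):  # steps 2-3 of the guide: base64 of the DER key, one line, no PEM armor
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def read_tlv(buf, pos=0):  # decode one DER TLV at pos -> (tag, body, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the low 7 bits give the byte count of the length field
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(spki):  # SPKI -> AlgorithmIdentifier -> BIT STRING -> RSAPublicKey -> n
    _, body, _ = read_tlv(spki)
    _, alg, pos = read_tlv(body)
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = read_tlv(body, pos)
    _, key, _ = read_tlv(bitstr[1:])  # bitstr[0] is the unused-bits count
    _, modulus, _ = read_tlv(key)
    return int.from_bytes(modulus, "big").bit_length()

def dkim_record_problem(txt):  # first problem found in a DKIM TXT record value, or None if fine
    tags = {k.strip(): v.strip() for k, v in (t.split("=", 1) for t in txt.split(";") if "=" in t)}
    p = tags.get("p", "")
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":  # v= is optional
        return "only v=DKIM1 records with k=rsa are handled here"
    if not p:
        return "missing or empty p= (an empty p= means the key is revoked)"
    if any(c.isspace() for c in p):
        return "whitespace or line break inside p= (PEM newlines left in?)"
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError) as exc:
        return f"p= is not an RSA public key ({exc})"
    return f"RSA key is only {bits} bits; 2048 is the recommended minimum" if bits < 2048 else None

# Constructed sample, not a real key pair: a 2048-bit odd modulus stands in for a generated one.
SAMPLE_RECORD = dkim_txt_value(rsa_spki((1 << 2047) | 0x1234567))
```

To check a live record, fetch the TXT value for selector._domainkey.example.com with your DNS client and pass it to dkim_record_problem().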

How it works

  1. Enter domain and selector
  2. Fetch DKIM TXT record
  3. Validate public key

What is DKIM?

DKIM (DomainKeys Identified Mail) is a mechanism to digitally sign email with a key stored in DNS. This allows recipients to verify that the email was genuinely sent from the specified domain.

Selector-based Check

Specify domain and DKIM selector — get the public key and its parameters.

Key Analysis

RSA/Ed25519 key length, hash algorithm, flags, and validity period.

Recommendations

If key < 2048 bits — we issue a warning and key rotation instructions.

Instant Result

Direct DNS query in seconds — no waiting for TTL.

Who uses this

  • Email marketers: pre-send verification
  • Sysadmins: mail server setup
  • Security: phishing protection audit
  • Developers: email deliverability debug

Common Mistakes

  • Using a 1024-bit key: 1024 bits is considered weak. Gmail and Outlook require at least 2048 bits.
  • Not rotating keys: the same key for years is a risk of compromise. Rotate keys every 6–12 months.
  • Wrong selector: each ESP uses its own selector. Ensure the correct key is in DNS for each.
  • Not checking after an ESP change: when changing email service, always verify the new provider's DKIM.

Best Practices

  • Use 2048-bit keys: this is the current recommended minimum. Ed25519 is a more modern alternative.
  • Set up DMARC with DKIM: without DMARC, even correct DKIM signing doesn't protect against Display-From spoofing.
  • Check after migration: when changing DNS provider, DKIM records are often lost. Check immediately after.
  • Document all selectors: keep a list of all DKIM selectors; it is useful during rotation and auditing.

Frequently Asked Questions

Do I need DKIM if I have SPF?

Yes. DMARC requires SPF or DKIM to align. When the domain sends via a forwarder, SPF often breaks while DKIM survives. Configure both.

What is a selector?

A label that lets you run multiple DKIM keys in parallel (e.g. one for marketing, one for transactional). The DNS record name is selector._domainkey.domain.

How do I inspect someone else's DKIM?

Read the DKIM-Signature header of the received message: d=sender.com gives the signing domain and s=selector the selector. Or use Enterno DKIM Checker.

Can I have multiple DKIM selectors?

Yes. Each service (Mailgun, SendGrid, your SMTP) can use its own selector. That is normal.