DKIM setup guide

DomainKeys Identified Mail proves that a message was not altered in transit and ties it to your domain via a DNS-published public key.

Your sending system signs outgoing mail with a private key. Receivers look up the matching public key in DNS (a TXT record at a selector under _domainkey) and verify the signature. A valid signature strongly supports inbox placement when combined with SPF and DMARC.

What you publish in DNS

ESPs and mail servers give you a hostname (selector) and a TXT value containing the public key and signing parameters (p=, k=, etc.). Add exactly what they provide; a typo breaks verification for all mail using that selector.

Alignment with DMARC

For DMARC, the domain in the DKIM signature’s d= tag must align with the visible From domain: an exact match under strict alignment, or the same organizational domain under relaxed alignment. Misaligned signatures do not satisfy DMARC on the DKIM path even if the signature is cryptographically valid.

Key rotation and selectors

Use separate selectors when rotating keys so you can publish the new key, cut over sending, then remove the old record. Keep key lengths current with your provider’s recommendations (often 2048-bit RSA for new setups).

Common issues

  • DNS TXT split across multiple strings pasted incorrectly
  • Signing disabled or wrong domain selected in the ESP
  • Third-party senders not configured to DKIM-sign as your domain
  • Forwarding breaking the signature (DMARC and ARC policies matter here)
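
The first issue above can be caught before mail starts failing. The following is an added example, not code from this guide or from any provider: it reassembles the TXT strings the way a verifier does, then checks that p= is clean base64 holding a complete RSA key of at least 2048 bits. The function names and the sample record (a dummy all-ones modulus in a valid DER wrapper) are constructed for illustration.

```python
import base64
import re

def _tlv(buf, i):
    """Read one DER element at offset i; return (value_start, value_end)."""
    n, i = buf[i + 1], i + 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return i, i + n

def rsa_bits(spki):
    """Modulus size of an RSA SubjectPublicKeyInfo; ValueError if truncated."""
    s, end = _tlv(spki, 0)            # outer SEQUENCE
    if end != len(spki):
        raise ValueError(f"DER declares {end} bytes, record holds {len(spki)}")
    _, alg_end = _tlv(spki, s)        # AlgorithmIdentifier
    bs, _ = _tlv(spki, alg_end)       # BIT STRING
    ks, _ = _tlv(spki, bs + 1)        # RSAPublicKey (skip unused-bits byte)
    ms, me = _tlv(spki, ks)           # modulus INTEGER
    return int.from_bytes(spki[ms:me], "big").bit_length()

def check_dkim_txt(strings):
    """Return a list of problems for a DKIM TXT record given as DNS strings."""
    record = "".join(strings)         # strings are concatenated with no separator
    pairs = (part.partition("=") for part in record.split(";"))
    tags = {k.strip(): v.strip() for k, _, v in pairs}
    if "p" not in tags:
        return ["no p= tag"]
    p = re.sub(r"\s+", "", tags["p"])
    if p == "":
        return ["empty p= (key revoked)"]
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", p):
        return ["p= has non-base64 characters (quotes pasted into the value?)"]
    if tags.get("k", "rsa") != "rsa":
        return []                     # only RSA keys are sized here
    try:
        bits = rsa_bits(base64.b64decode(p))
    except (ValueError, IndexError) as exc:
        return [f"p= is not a complete RSA key: {exc}"]
    # 2048 is the size this guide names for new setups
    return [f"RSA key is only {bits} bits"] if bits < 2048 else []

# Constructed sample: valid DER structure around a dummy all-ones 2048-bit modulus.
KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "/" * 340 + "/wIDAQAB"
RECORD = "v=DKIM1; k=rsa; p=" + KEY

if __name__ == "__main__":
    for strings in ([RECORD[:255], RECORD[255:]], [RECORD[:255]]):
        print(check_dkim_txt(strings))  # correct split, then second string missing
```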

Check your domain to see whether DKIM is detected and how it fits with SPF and DMARC.