How to set up DKIM authentication for your domain
DKIM setup happens per sending platform. Each ESP that signs mail for your domain needs its own DKIM key. You generate the key pair inside the ESP's dashboard, then publish the public key to your DNS.
The general flow
- Generate a key pair in your ESP. Most ESPs have a "Domain Authentication" or "Sender Identity" section. Initiate DKIM setup, and the ESP creates a public/private key pair while keeping the private key.
- Get the public key and selector. The ESP tells you the selector name (something like s1 or sendgrid) and the public-key string. The DNS record you publish lives at <selector>._domainkey.yourdomain.com.
- Publish to DNS. Add a TXT record at the host shown (for example s1._domainkey) with the public key as the value.
- Verify in the ESP. Most ESPs have a "Verify DKIM" button that checks the DNS record. Once it confirms, the ESP starts signing your outbound messages.
- Repeat for every signing platform. Each ESP gets its own selector and key.
Platform-specific notes
- Google Workspace. Admin Console → Apps → Google Workspace → Gmail → Authenticate email. Selector defaults to google.
- Microsoft 365. Microsoft 365 Defender → Email & collaboration → Policies & rules → Threat policies → DKIM. Two selectors (selector1 and selector2) for rotation.
- SendGrid. Settings → Sender Authentication → Authenticate Your Domain. Walkthrough includes CNAME records, their alternative to direct TXT for key management.
- Mailgun. Sending → Domains → your domain → DKIM & SPF. They use a 1024-bit key by default. You can upgrade to 2048-bit.
- Mailchimp. Account → Settings → Verified Domains → Authenticate.
Common DKIM setup mistakes
- Pasted the key with line breaks or quotes. The public key string should be one continuous string. DNS UIs sometimes add quotes or wrap the value.
- Multiple ESPs on the same selector. Each ESP needs its own selector. Two ESPs trying to write to default._domainkey will conflict.
- Set up DKIM but forgot to enable signing. Some ESPs require an explicit "Enable signing" toggle after the DNS record verifies.
- Key rotation not planned. Industry standard is to rotate DKIM keys at least annually. Plan for it from the start. Most ESPs support multiple active selectors specifically for rotation.
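A pre-publish check for the first mistake above and for the 1024-bit versus 2048-bit key size mentioned under Mailgun. This is an added example, not code from any ESP or from this page. The function names and the sample record are assumptions: sample_record builds a constructed DER structure around a dummy modulus so the check runs offline.

```python
import base64
import re

def _tlv(der, pos):
    """Read one DER tag-length-value; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(spki):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    _, start, _ = _tlv(spki, 0)             # outer SEQUENCE
    _, _, alg_end = _tlv(spki, start)       # AlgorithmIdentifier, skipped
    tag, start, _ = _tlv(spki, alg_end)     # BIT STRING holding the RSA key
    if tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, start, _ = _tlv(spki, start + 1)     # skip unused-bits byte, enter SEQUENCE
    _, start, end = _tlv(spki, start)       # INTEGER modulus
    return int.from_bytes(spki[start:end], "big").bit_length()

def check_dkim_txt(pasted):
    """Return (tags, problems) for a DKIM TXT value as pasted into a DNS UI."""
    problems = []
    if '"' in pasted or "\n" in pasted:
        problems.append("value contains quotes or line breaks")
    value = re.sub(r'["\s]', "", pasted)    # the continuous string it should be
    tags = dict(t.split("=", 1) for t in value.split(";") if "=" in t)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        return tags, problems               # only RSA keys are sized here
    try:
        bits = rsa_bits(base64.b64decode(tags.get("p", ""), validate=True))
        if bits < 2048:
            problems.append(f"{bits}-bit RSA key, below 2048")
    except (ValueError, IndexError):
        problems.append("p= is empty, missing, or not valid base64 DER")
    return tags, problems

def sample_record(bits):
    """CONSTRUCTED input: valid DER layout around a dummy modulus, not a usable key."""
    def enc(tag, body):
        n, size = len(body), (len(body).bit_length() + 7) // 8
        head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
        return bytes([tag]) + head + body
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = enc(0x30, enc(0x02, modulus) + enc(0x02, b"\x01\x00\x01"))
    alg = enc(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    spki = enc(0x30, alg + enc(0x03, b"\x00" + key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Pass check_dkim_txt the exact text you are about to paste into the DNS TXT value field; an empty problems list means the value is one continuous string with a parseable RSA key of at least 2048 bits.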
Verify after setup
Use the free DKIM record checker to confirm the record is published correctly. Then send a test message and inspect the headers. Authentication-Results: dkim=pass is what you want to see.
