DKIM records, explained
What a DKIM record does, how it signs your outgoing email to prove it's genuine, and why it matters for email deliverability.
Spam filters are increasingly sophisticated, and one of the things they check is whether an email has been cryptographically signed to prove it's genuine. DKIM provides that signature. This guide explains what DKIM is and why it matters for your business email.
Quick summary
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to emails sent from your domain. Receiving servers use a public key stored in your DNS to verify the signature. If it matches, the email is trusted. DKIM helps prevent spoofing and keeps your emails out of spam folders.
What DKIM stands for
DKIM stands for DomainKeys Identified Mail. It's an email authentication standard that lets senders attach a digital signature to their outgoing messages.
How DKIM works
DKIM uses a pair of cryptographic keys:
- A private key stored on your email provider's sending server
- A public key published in your DNS as a TXT record
When your email provider sends an email on your behalf, it creates a unique digital signature using the private key and attaches it to the email headers. When the email arrives at the recipient's server, that server looks up the public key in your DNS and uses it to verify the signature.
If the signature is valid, the email is confirmed as genuine. If the signature is missing or doesn't match, the email may be treated with suspicion.
You send an email via your email provider (e.g., Google Workspace).
Your provider signs the email with the private DKIM key stored on their servers.
The signed email is delivered to the recipient's server.
The recipient's server looks up your domain's DKIM public key in DNS.
The signature is verified. If it matches, the email passes DKIM authentication.
What a DKIM record looks like
A DKIM record is a TXT record in DNS. It has a specific format that includes a selector — a prefix chosen by your email provider to identify which key to use (useful if you have multiple email services).
The DNS record name looks like:
[selector]._domainkey.yourbusiness.comFor example, Google Workspace uses google as the selector:
google._domainkey.yourbusiness.comThe value of the record contains the public key — a long string of characters that looks like:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA...You don't need to understand the key itself — your email provider generates it and tells you exactly what to add in DNS.
How to add a DKIM record
Your email provider's setup guide will walk you through this. Generally:
Log in to your email provider's admin console (e.g., Google Admin at admin.google.com).
Find the DKIM authentication setting — usually under email settings or security.
Generate your DKIM key within the provider's admin panel. They'll show you the DNS record to add.
Add the TXT record to your domain's DNS at your registrar or Cloudflare.
Activate DKIM back in the admin console (some providers require you to enable it after the DNS record is verified).
We handle this as part of setting up or migrating email hosting.
Multiple DKIM records
Unlike SPF, you can have multiple DKIM records — one per email service. Each uses a different selector, so they don't conflict. If you use both Google Workspace and a newsletter tool like Mailchimp, you'd have separate DKIM records for each.
Common questions
Related guides
- SPF records, explained
- DMARC records, explained
- Email DNS records (MX, SPF, DKIM, DMARC)
- DNS records explained (A, CNAME, MX, TXT)
- Why your emails land in spam (deliverability)
Need a hand?
Learn more
SPF records, explained
What an SPF record is, how it works, and why setting it up correctly is essential for keeping your business email out of spam folders.
DMARC records, explained
What a DMARC record does, how it protects your domain from email spoofing, and how to set up a sensible policy for your business.