What is DKIM?
Domain Keys Identified Mail (DKIM) helps protect against email spamming and phishing attempts using your domain. It provides a method for validating a domain name identity associated with a message through cryptographic authentication.
DKIM uses a pair of keys, one private and one public, to verify messages.
A private domain key adds an encrypted signature header to all outgoing messages sent from your email domain.
A matching public key is added to the Domain Name System (DNS) record for domain and email servers that receive messages from your domain use the public key to decrypt the message signature and verify the source of the signed message.
Create a DKIM TXT record
The process of setting up DKIM involves items detailed in the following steps:
- Choose a DKIM selector.
- Generate a public-private key pair.
- Publish the selector and public key by creating a DKIM TXT record.
- Attach the token to each outgoing email.
What is a DKIM selector?
A selector is specified as an attribute for a DKIM signature and is recorded in the DKIM-Signature header field.
Because DKIM selectors give different DNS query names, the system uses the selector as an additional name component for validation. Under each domain name, there might be one too many unique DKIM DNS records associated with different selectors.
Selectors enable multiple keys under a domain name, which can provide separate signatory controls among departments, date ranges, or third parties acting on behalf of the domain name owner. No two services or products should use the same selector.
A selector can be anything you want, such as a word, number, or a string of letters and numbers.
For example, if you choose
oct2019 for your selector, the domain name would become
Before you begin
Before you log in to the control panel and create a DKIM record, there are a couple of things that you need:
- Choose a simple, user-defined text string to be your DKIM selector. The selector is appended to the domain name to help identify the DKIM public key. See the previous section for more information about choosing a DKIM selector.
- Generate a public-private key pair by using a tool such as ssh-keygen on Linux or PuTTYgen on Windows. For help creating key pairs, see this article Generate RSA keys with SSH by using PuTTYgen.
*NOTE TO GMAIL USERS - Gmail uses default DKIM
If you don't generate your own DKIM domain key, Gmail signs all outgoing messages with this default DKIM domain key: d=*.gappssmtp.com
Messages sent from servers outside of mail.google.com won't be signed with the default DKIM key.
Steps on how to create a DKIM TXT record
Keep in mind that every domain provider should have specific steps for setting up DKIM in their platform. These should be relatively easy to find with a Google search.
Here is the basic outline:
- Generate the domain key for your domain.
- Add the public key to your domain's DNS records. Email servers can use this key to verify your messages' DKIM signatures.
- Turn on DKIM signing to start adding a DKIM signature to all outgoing messages
Click the button below for even more detailed information from our friends at Google:
We also recommend setting up these security methods along with DKIM:
- Sender Policy Framework (SPF) - SPF specifies which domains can send messages for your organization.
- Domain-based Message Authentication, Reporting & Conformance (DMARC) - DMARC specifies how your domain handles suspicious emails.