DKIM Setup Helper
Look up an existing DKIM record, verify it is publishing correctly, and get guidance on setting up DKIM for common email providers.
Google Workspace selector: google
- Go to Google Admin → Apps → Google Workspace → Gmail → Authenticate email
- Click "Generate new record" and choose 2048-bit key
- Copy the DNS TXT record shown (host:
google._domainkey) - Add it to your DNS as a TXT record
- Return to Google Admin and click "Start authentication"
Microsoft 365 selector: selector1 / selector2
- Go to Microsoft 365 Admin Center → Settings → Domains → select your domain
- Under "DNS records", find the two DKIM CNAME records (selector1 and selector2)
- Add both CNAME records to your DNS provider
- In Microsoft 365 Admin → Security → Email & Collaboration → Policies → DKIM, enable DKIM for your domain
Mailchimp selector: k1
- In Mailchimp, go to Account → Domains
- Click "Authenticate" next to your domain
- Mailchimp will show you two CNAME records to add to DNS
- Add both CNAME records to your DNS provider
- Click "Authenticate Domain" in Mailchimp after DNS propagates
SendGrid selector: s1 / s2
- In SendGrid, go to Settings → Sender Authentication → Authenticate Your Domain
- Enter your domain and click "Next"
- Copy the 3 DNS records SendGrid provides (2 CNAME + 1 CNAME for DMARC)
- Add them to your DNS provider
- Click "Verify" in SendGrid after DNS propagates
Brevo (Sendinblue) selector: mail
- In Brevo, go to Settings → Senders & IP → Domains
- Click "Add a domain" and enter your domain
- Brevo will show DNS records to add (TXT for DKIM and SPF)
- Add the records to your DNS provider
- Click "Verify" in Brevo
About DKIM Setup
DKIM (DomainKeys Identified Mail) lets you add a digital signature to outgoing emails. The sending mail server signs each message with a private key, and the public key is published in a DNS TXT record. Receiving servers use the public key to verify the signature, confirming that the email came from an authorised sender and was not altered in transit.
How DKIM works
- The sending server selects a key pair (private + public) for a selector (e.g.
google). - It signs a hash of key email headers and the body using the private key.
- The signature is added to the email as the
DKIM-Signatureheader. - The receiving server looks up
{selector}._domainkey.{domain}in DNS to retrieve the public key. - It uses the public key to verify the signature. A valid signature means the email is authentic and unmodified.
Key rotation
DKIM keys should be rotated periodically — typically every 6–12 months. This limits the impact of a key compromise and is required by some email security standards. When rotating: publish the new key under a new selector, update your mail server to use the new key, then wait for DNS to propagate before removing the old selector's record.
RSA vs Ed25519
Traditional DKIM uses RSA-2048 keys. Ed25519 (an elliptic curve algorithm) produces much shorter signatures and is more efficient to verify, but has limited support across older mail servers. A dual-signing setup (both RSA and Ed25519 selectors) provides the best of both worlds, though most organisations use RSA-2048 only.