How To Configure DKIM For Cloud Email Providers

Daniyal Dehleh

DKIM setup protects your email authentication and keeps messages out of spam. The process stays consistent across platforms (generate keys, publish DNS records, verify), but record types and locations shift depending on your provider.

Before you start — what you need to know

Every DKIM setup requires three components: 

  1. A private key (which remains on your email server)
  2. A public key (which is registered in DNS)
  3. A selector (which identifies the specific key to use)

Most cloud providers handle key generation (though some, like Google Workspace, require you to click “Generate” first). Your job is to publish the DNS record. Providers use either TXT records (paste the full key) or CNAME records (point to their hosted key).

Step 1: Generate your DKIM key pair

Key generation depends on your provider — some automate it, others need manual steps.

Google Workspace

  • Log into Admin Console → Apps → Google Workspace → Gmail → Authenticate email
  • Click “Generate new record” to create your key
  • Copy the TXT value provided (starts with v=DKIM1; k=rsa; p=)

Microsoft 365

  • Keys are pre-generated in your tenant
  • Navigate to Defender portal and copy the two CNAME records shown

MailEnable (dedicated mail server)

  • Open domain properties in MailEnable management console
  • Use built-in DKIM configuration (generates keys automatically)
  • Manual generation with OpenSSL is optional if you prefer full control

Self-hosted mail servers (using Rackspace Cloud DNS or similar)

  • Generate keys with ssh-keygen or PuTTYgen
  • Choose 2048-bit RSA (recommended), though 1024-bit still works with major providers if your host has limitations

External ESPs (Sitecore Send, similar platforms)

  • Copy the provided key from your ESP dashboard
  • Use their pre-defined selector (typically ms._domainkey)

Step 2: Add DNS records based on your provider

Record type is determined by your email provider, not your DNS host (all major registrars support both TXT and CNAME).

Google Workspace

Field | Value
Type | TXT
Host/Name | google._domainkey
Value | Full TXT value from Admin Console

After publishing, return to Admin Console and click “Start authentication.”

Microsoft 365

Publish two CNAME records per domain (copy exact values from Defender portal—don’t manually construct them).

Selector 1

Field | Value
Type | CNAME
Host/Name | selector1._domainkey
Points to | Value from portal (modern format: …dkim.mail.microsoft with dynamic characters)

Selector 2

Field | Value
Type | CNAME
Host/Name | selector2._domainkey
Points to | Value from the portal

Older tenants may still see …onmicrosoft.com targets — always copy what the portal displays for your specific domain.

If you’re using Rackspace Hosted Email or Office 365 through Rackspace, contact their Cloud Office team (they provide DKIM TXT values through a separate workflow).

Rackspace Cloud DNS (self-hosted mail server)

Field | Value
Type | TXT
Host/Name | selector._domainkey (replace “selector” with your chosen name)
Value | v=DKIM1; p=[your-public-key]
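
An added example (not from the original article or any provider's tooling): a standard-library Python check to run on a DKIM TXT value before publishing it, flagging a missing, empty or truncated p= key and RSA keys below the recommended 2048 bits. The function names are this example's own, and `sample_record` builds constructed test values around a filler modulus rather than a real key.

```python
import base64

def _tlv(buf, pos):  # read one DER element at pos: (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_bits(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the decoded p=)."""
    _, spki, _ = _tlv(der, 0)                # outer SEQUENCE
    _, _, after_alg = _tlv(spki, 0)          # AlgorithmIdentifier, skipped
    _, bit_string, _ = _tlv(spki, after_alg)
    _, rsa_key, _ = _tlv(bit_string[1:], 0)  # skip the unused-bits byte
    _, modulus, _ = _tlv(rsa_key, 0)         # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def lint_dkim_record(txt):
    """Return a list of problems found in a DKIM TXT record value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    problems = [] if tags.get("v", "DKIM1") == "DKIM1" else ["v= must be DKIM1"]
    if tags.get("k", "rsa") != "rsa":
        return problems + ["non-RSA key: size check skipped"]
    p = tags.get("p")
    if not p:
        return problems + ["missing p= tag" if p is None else "empty p= (key revoked)"]
    try:
        bits = rsa_bits(base64.b64decode(p, validate=True))
        if bits < 2048:
            problems.append(f"{bits}-bit RSA key; 2048-bit recommended")
    except (ValueError, IndexError):
        problems.append("p= is not a complete base64 RSA public key")
    return problems

def sample_record(bits):  # constructed: real DER layout, filler modulus, not a usable key
    def enc(tag, val):
        size = len(val).to_bytes((len(val).bit_length() + 7) // 8, "big")
        head = bytes([len(val)]) if len(val) < 128 else bytes([0x80 | len(size)]) + size
        return bytes([tag]) + head + val
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption
    key = enc(0x30, enc(0x02, b"\x00" + b"\xc3" * (bits // 8)) + enc(0x02, b"\x01\x00\x01"))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(enc(0x30, alg + enc(0x03, b"\x00" + key))).decode()
```

Pass it the value exactly as you intend to paste it into the DNS host; an empty list means none of these problems were found.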

External ESPs (Sitecore Send, SendGrid, Amazon SES)

Follow your ESP’s exact instructions for record type — don’t substitute.

  • SendGrid, Amazon SES Easy DKIM: Publish CNAME records pointing to their hosted keys
  • Sitecore Send, most others: Publish TXT records with their provided selector (usually ms._domainkey)

Never convert CNAME to TXT (or vice versa) unless your provider explicitly documents both methods as valid options.

Step 3: Verify your DKIM record

DNS propagation typically completes within 24-48 hours, though detection can happen in minutes to a few hours. Check your ESP dashboard for verification status (look for a green checkmark or “authenticated” indicator).

Test authentication with our email deliverability test to confirm dkim=pass appears in headers across major providers. Once DKIM is active, gradually increase your sending volume to build sender reputation (critical for new domains). 

Our email warmup automates this process — authenticated emails can still land in spam if your domain lacks engagement history with mailbox providers.
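
To confirm the dkim=pass result from a received test message by hand, here is an added example (not part of the original article) that reads the Authentication-Results header and checks that the pass belongs to your own domain and selector, not only to an ESP's signature. The message, domains, selectors and the receiver's authserv-id are constructed; only headers stamped by the receiver you trust are considered, because a sender can insert its own.

```python
import re
from email import message_from_string

# Constructed sample message (hypothetical domains, selectors and signatures).
RAW = """\
Authentication-Results: mx.receiver.example;
       dkim=pass header.i=@esp-mail.example header.s=s1 header.b=AbCd1234;
       dkim=pass header.i=@example.com header.s=google header.b=EfGh5678;
       spf=pass smtp.mailfrom=bounce.esp-mail.example
Authentication-Results: spoofed.example; dkim=pass header.d=example.org header.s=x
From: Sender <news@example.com>
Subject: DKIM test

Body.
"""

def dkim_results(raw_message, trusted_authserv_id):
    """Return (result, signing_domain, selector) for each dkim= clause recorded
    by the trusted receiver; headers with any other authserv-id are ignored."""
    found = []
    msg = message_from_string(raw_message)
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, *clauses = header.split(";")
        if authserv_id.split()[:1] != [trusted_authserv_id]:
            continue  # not stamped by our receiver, so not trustworthy
        for clause in clauses:
            verdict = re.match(r"\s*dkim=(\w+)", clause)
            if not verdict:
                continue  # spf=, dmarc= and other methods
            props = dict(re.findall(r"header\.([dis])=(\S+)", clause))
            # header.d is the signing domain; fall back to the domain in header.i
            domain = props.get("d") or props.get("i", "").rpartition("@")[2]
            found.append((verdict.group(1).lower(), domain.lower(), props.get("s")))
    return found

def signed_by(raw_message, trusted_authserv_id, domain, selector):
    """True only if the trusted receiver saw dkim=pass for this domain and selector."""
    return ("pass", domain, selector) in dkim_results(raw_message, trusted_authserv_id)
```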

Fix authentication issues before they hurt delivery

DKIM configuration errors (wrong record types, incomplete keys, DNS propagation delays) block legitimate emails from reaching inboxes. 

If your setup isn’t working after 48 hours, our deliverability experts can diagnose the exact issue and fix your records at no cost. 

Schedule a consultation with an email deliverability consultant today, and we’ll verify everything is properly authenticated.

Frequently asked questions

Here are some commonly asked questions about this topic:

Can I use multiple DKIM selectors for one domain?

Yes. Different selectors manage separate keys for departments or third-party senders (marketing._domainkey, sales._domainkey).

What if my DNS provider doesn’t support the record type my ESP requires?

All major DNS hosts support both TXT and CNAME. Use the exact record type specified by your email provider (not your DNS host’s preference).

Do I need to set up DMARC after DKIM?

Yes. DKIM authenticates your domain, but DMARC instructs receivers on what to do when authentication fails (reject, quarantine, or allow).

Does MailEnable require manual key generation?

No. MailEnable has built-in DKIM configuration that generates keys through its management console (manual generation is optional).
