If your open rates are tanking, stop tweaking subject lines. Look at your DNS. Specifically, look at your DKIM record.
While SPF acts like a bouncer checking your IP address at the door, DKIM — DomainKeys Identified Mail — is the wax seal on the envelope. It proves that your message wasn't tampered with between your server and the recipient's inbox. In the early days of email, you could get away without it. As of 2024, Google and Yahoo stopped asking nicely. If you send bulk mail without a valid DKIM record, your messages are invisible to most inboxes — or worse, landing in spam while you're busy A/B testing your preheader text.
For a solo founder, getting DKIM configured is a ten-minute headache. For an MSP managing 500 domains, it's a persistent minefield of key rotation schedules, broken selectors, and cryptic DNS syntax errors that show up at 9pm on a Friday.
This is the operational manual for DKIM. We're going to skip the fluff and look at how your DKIM record actually works at the DNS level, how to handle the dreaded 255-character limit, and how to debug failures when the "green checkmark" in your ESP dashboard is actively lying to you.
What Is a DKIM Record?
A DKIM record is a DNS TXT record that publishes a public cryptographic key for your domain. Receiving mail servers use this key to verify that an email claiming to be from your domain was actually sent (and signed) by an authorized server — and that its content wasn't altered in transit.
The record lives at a specific DNS address: selector._domainkey.yourdomain.com, where selector is a label you define. A minimal DKIM record looks like this:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC...The v=DKIM1 declares the version. The k=rsa specifies the algorithm. The p= is the base64-encoded public key. The matching private key lives on your mail server and never appears in DNS. If you want a full breakdown of how to create a DKIM record from scratch, including field-by-field syntax, that guide covers the whole process.
What DKIM Signs and Why It Matters
DKIM isn't just a security checkbox. It's about identity preservation — proving, cryptographically, that you are who you say you are and that your message arrived intact.
When your mail server sends an email, it selects specific headers — typically From, Subject, Date, To, and Message-ID — along with the message body, and runs them through a hash function (usually SHA-256). It then signs that hash with your private key. The resulting signature is embedded into the email as a DKIM-Signature header that travels with the message.
When Gmail, Outlook, or any receiving server gets that email, it:
- Reads the
DKIM-Signatureheader to find which selector and domain were used. - Looks up the public key at
selector._domainkey.yourdomain.comin DNS. - Decrypts the signature using the public key.
- Recomputes the hash from the email content it received.
- Compares the two. If they match: DKIM pass. If not: DKIM fail.
Two things are proven on a pass: Authenticity (the email was signed by someone who controls your domain) and Integrity (not a single byte of the signed content was altered in transit). A valid DKIM record is what makes this verification possible — without it, receivers have no public key to check against. The formal specification for this mechanism is defined in RFC 6376, which is worth skimming if you ever need to argue with a mail server administrator about what "conformant" means.
The Forwarding Problem (and Why DKIM Survives It)
Here's a scenario that shows why a valid dkim record matters — and why SPF-only configurations fail every single day: your client's CEO sends an invoice to a contact at a large company. That contact has a forwarding alias that routes everything to their personal Gmail. SPF fails immediately — because the IP address of the forwarding server doesn't match your authorized senders list. DMARC checks SPF alignment. It fails. The invoice lands in spam or bounces outright.
A valid DKIM record ensures DKIM survives forwarding because the message content doesn't change. The original signature, attached to the headers and body that left your server, is still there. The receiving server at the end of the chain can verify it directly against your DNS. The hop in the middle is irrelevant.
This is why DKIM is not optional. If you rely solely on SPF for email authentication, you're one forwarding alias away from a failed DMARC check and a missed business email. Pair your DKIM record with a proper SPF record setup — our SPF record for email guide covers the essentials — and DMARC has two authentication signals to work with, which is the correct architecture.
TrekMail handles forwarding with SRS (Sender Rewriting Scheme) compliance, so forwarded mail doesn't break SPF on your domain's behalf. DKIM signing is enforced on all outbound mail by default — there's no opt-in toggle to forget.
The Selector Concept: Managing Multiple DKIM Keys
The DKIM selector is a label that tells the receiving server which public key to retrieve from DNS. It's the most consistently misunderstood piece of DKIM, and most setup failures trace back to getting it wrong.
Unlike SPF, where you're limited to one record per domain, DKIM allows unlimited records. Each one lives at a different subdomain defined by its selector: selector._domainkey.yourdomain.com. You can have ten selectors active simultaneously if you need them — one per sending service.
Why You Need Multiple Selectors
A single dkim record per domain is rarely enough. If you use more than one service to send email — say, Google Workspace for internal mail and Mailchimp for newsletters — you cannot share the same private key across both. That's a security disaster waiting to happen. Instead, each vendor gets their own selector:
- Google Workspace: Uses selector
google. You publish the key atgoogle._domainkey.yourdomain.com. - Mailchimp: Typically uses
k1ork2. You publish atk1._domainkey.yourdomain.com. - TrekMail: Uses a selector like
tm1. You publish attm1._domainkey.yourdomain.com— or, better, point a CNAME there and let us manage it.
This separation matters operationally. If a client's marketing platform gets breached, you can revoke the k1 selector and their corporate email on Google keeps running without a hiccup. Selectors are the blast doors between your sending services. For a full breakdown of selector syntax, naming conventions, and how to find what selector an ESP assigned you, read the DKIM selector guide.
The Classic Setup Error
The most common selector mistake: publishing the DNS record at the wrong subdomain. You mean to publish at google._domainkey.yourdomain.com but your DNS interface auto-appends the domain, resulting in google._domainkey.yourdomain.com.yourdomain.com. The record exists. The lookup returns NXDOMAIN. Your ESP says it's verified. Your emails fail. This exact scenario is documented in the Checking DNS Status guide — including how to spot it immediately with a single dig command.
Key Length and Rotation Policy
Your dkim record is only as strong as the key behind it. Security standards don't stand still. What was acceptable five years ago is a liability today, and DKIM key length is a clear example of that drift.
The Shift to 2048-bit Keys
1024-bit RSA keys were the standard for years. They're now considered weak by both Google and Yahoo's sender guidelines — and both providers have explicitly said 2048-bit is the minimum they recommend. If your DKIM key was set up on an older cPanel install, a legacy Postfix configuration, or any platform that defaulted to 1024-bit before 2019, you should assume it needs to be replaced.
A 512-bit key is even worse — it's actively crackable with moderate compute resources. If you see dkim=perm_fail with a reason like "weak key" or "policy," that's your signal. Generate a new 2048-bit key immediately and retire the old one. Google's email sender guidelines are explicit on this point.
How Often to Rotate
Rotate the keys behind your DKIM record at minimum once a year. If a private key is ever exposed — a server breach, a misconfigured secrets manager, a contractor with too much access — and you haven't rotated it, an attacker can sign email as your domain indefinitely. You won't know until your email domain reputation is in ruins.
The right mental model: treat your DKIM private key like a password. You wouldn't use the same password for five years on a production system. Don't do it with your signing key either.
The 255-Character DNS Problem (and How to Fix It)
Here's a trap with your dkim record that catches almost everyone switching to 2048-bit keys for the first time. A 2048-bit public key, base64-encoded, is roughly 400 characters long. The DNS protocol's TXT record format has a hard limit of 255 characters per string. Most DNS interfaces simply truncate anything longer — silently, with no error message — and your key is permanently broken.
The fix for a long DKIM record is to split the key into multiple quoted strings within the same TXT record. RFC 6376 explicitly permits this, and receiving servers are required to concatenate the strings before verifying.
Wrong (will be truncated or rejected):
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7bq3...Right (two quoted strings, concatenated by the receiver):
( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7bq3"
"...rest_of_key_here..." )The exact syntax varies by DNS provider. Some accept the parentheses notation; others require you to enter each string as a separate value in their interface. Check the DNS Setup with Popular Providers guide for screenshots and provider-specific instructions for Cloudflare, Route 53, GoDaddy, and others.
If you'd rather not deal with any of this, TrekMail's CNAME-based DKIM approach sidesteps the problem entirely. You publish one short CNAME record — well under 255 characters — and we handle the full public key on our side. When we rotate keys, your DNS record doesn't change at all.
Setup Verification Workflow
After publishing a dkim record, don't trust the "Verified" badge in your ESP's dashboard. Dashboards cache data for hours, sometimes days. The badge can show green while your actual DNS record is broken, truncated, or pointing at the wrong subdomain. The only truth is a live DNS query.
Step 1: Check That the Record Exists
Run this from your terminal (Linux/macOS). On Windows, open Command Prompt and use nslookup:
# macOS / Linux
dig txt selector._domainkey.yourdomain.com +short
# Windows
nslookup -q=txt selector._domainkey.yourdomain.comReplace selector with the actual selector your ESP assigned. Replace yourdomain.com with your actual domain.
What you want to see: output starting with v=DKIM1. What you don't want to see: NXDOMAIN. An NXDOMAIN means the record doesn't exist at that address. Either the selector name is wrong, the record was published under the wrong subdomain, or DNS hasn't propagated yet (wait 30 minutes and try again).
Step 2: Validate the Key Content
If the record exists but you're still seeing failures, inspect the raw output:
dig txt selector._domainkey.yourdomain.com +shortLook for two things:
- Truncation: If the base64 key string in the output looks short — say, under 200 characters — and you're using a 2048-bit key, your DNS provider probably truncated it. Fix the split as described above.
- Mangled characters: Some DNS interfaces insert line breaks, spaces, or backslashes inside the base64 string when you paste a long value. Any modification to the key string breaks it. Export your record and verify it character by character against what your ESP or key generator gave you.
Step 3: Send a Test and Read the Headers
Send an email to a Gmail address you control. In Gmail, open the message, click the three-dot menu, and select "Show original." You'll see the raw headers. Find the Authentication-Results header and look for the DKIM result:
Authentication-Results: mx.google.com;
dkim=pass header.i=@yourdomain.com header.s=selector header.b=AbCdEfGh;
spf=pass (...);
dmarc=pass (...)dkim=pass is what you want. Anything else — fail, neutral, perm_fail, temperror — means something is wrong, and the specific reason code tells you where to look. For a full walkthrough of the DKIM setup process from start to finish — including provider-specific screenshots — that guide has you covered. You can also reference TrekMail's First-Time Setup Checklist to make sure you haven't missed any related authentication steps.
DKIM Fail Troubleshooting: Three Real Scenarios
Your DKIM record exists, the selector is right, the DNS is propagated, and emails are still failing. This is where actual engineering starts and "it should be working" stops being useful.
For a comprehensive reference on every error code and failure type, see the full DKIM fail troubleshooting guide. The three scenarios below are the most common ones encountered in real production environments.
Scenario 1: "Body Hash Did Not Verify"
This is the most frustrating dkim record failure in email deliverability, and it's not always your fault. It means the DKIM signature is cryptographically valid — the header checks out — but the message body was modified after your server signed it. The hash computed by the receiver doesn't match the hash in the signature.
Common culprits:
- "External Sender" warning banners: Your corporate email gateway stamps an "EXTERNAL EMAIL — CAUTION" warning onto inbound messages. If this modification happens before the DKIM check on the receiving side, the body has changed. DKIM fails. This is particularly common with Microsoft 365 tenants that have configured mail flow rules.
- Legal disclaimer footers: Your outbound gateway appends a 15-line legal disclaimer to every email. If your user's mailbox server signs the message before it hits the gateway, the footer breaks the hash. The fix: move DKIM signing to the gateway itself, so it signs the final version of the message.
- URL rewriting by security tools: Mimecast, Proofpoint, and Defender for Office 365 all rewrite links for phishing protection — turning
google.comintoprotect.mimecast.com/s/.... Changing any part of the body invalidates the body hash. This one is particularly nasty because it's often invisible to the sender.
The fix in all cases is the same: DKIM signing must happen at the very last hop before the message exits your infrastructure so that your DKIM record can be validated against the exact content the receiver gets. Sign it as late as possible. If you're using TrekMail, we sign outbound mail immediately before it leaves our gateway, ensuring the hash matches exactly what the receiver sees. You can debug these scenarios further using the Sending Errors Troubleshooting docs.
Scenario 2: The Alignment Trap
This one is subtle and it catches people who think they've done everything right. You look at the raw headers:
dkim=pass (signature was valid)DKIM passes. But DMARC fails, and your email lands in spam. The reason is DKIM alignment.
DMARC doesn't just check that a DKIM signature exists and is valid. It checks that the domain in the DKIM signature's d= tag matches the domain in the Header From address. They must be the same (or share the same organizational domain for relaxed alignment).
Here's a real example:
Header From: ceo@yourcompany.com
DKIM d= tag: sendgrid.netSendGrid signed that email. The signature is valid — for sendgrid.net. But your recipient's DMARC record checks alignment against yourcompany.com. sendgrid.net != yourcompany.com. DMARC fails.
The fix is what ESPs call "white-labeling" or "domain authentication" or "custom domain signing" — the name varies, the concept is identical. You configure your ESP to use a dedicated DKIM key scoped to your domain, so the d= tag reads yourcompany.com instead of sendgrid.net. Every major ESP supports this. If yours doesn't, that's a problem worth taking seriously. The full mechanics of DMARC alignment are worth understanding before you run into a DMARC failure you can't explain.
Scenario 3: Ancient or Weak Keys
A stale dkim record causes permanent failures. If you're seeing dkim=perm_fail with a reason like "policy" or "weak key," you're almost certainly looking at a 512-bit or 768-bit key left over from a legacy on-premise setup. These key lengths are no longer accepted by major receivers. They're computationally breakable, and mail servers treat them as permanently failed — not temporarily failed, not retryable.
The action is simple: delete the old key from DNS, generate a new 2048-bit key pair, and republish. If you need a safe, offline way to do this, see the generator guidance below and the DKIM record generator guide.
Key Generators: Safe vs. Dangerous
You need a DKIM key pair to populate your dkim record. You search for a DKIM record generator. The first result is a website that generates a key and shows it to you on the screen. Stop right there.
If a website generates your private key and displays it in a browser, that key is compromised by definition. You have no way to verify whether they logged it, stored it, or will sell it. If they did log it, someone can sign email as your domain forever, and you'll never know why your reputation is collapsing.
The Correct Hierarchy
| Method | Security Level | Who It's For | Notes |
|---|---|---|---|
| Provider-managed (TrekMail, Google, Microsoft) | Best | Everyone | Private key never leaves their HSM or secure infrastructure. You only see the public key for DNS. |
| Local generation with OpenSSL | Good | Self-hosted Postfix / Exim operators | Key generated on your own machine, never transmitted. Manual process. |
| Web-based DKIM generator | Acceptable for testing only | Local dev environments, test domains | Never use in production. Private key is exposed in a browser. |
If you're running your own mail server and need to generate keys locally, use OpenSSL directly on the server:
# Generate the private key
openssl genrsa -out dkim-private.key 2048
# Extract the public key
openssl rsa -in dkim-private.key -pubout -out dkim-public.key
# View the public key for DNS (strip headers, format as single line)
cat dkim-public.keyThe private key file never leaves the server. The public key is what you paste into your DKIM record in DNS. If anyone ever asks you to email them your private key for "verification," that's a social engineering attack.
For everyone else — founders, operators, agencies — let your mail provider handle key generation. That's what the provider-managed model is for. If yours doesn't do it, ask why.
DKIM Management: Manual vs. Automated
Key rotation is where the operational cost of maintaining each DKIM record becomes visible. Every DKIM record in your DNS requires periodic attention. Here's what annual rotation actually looks like:
The Manual Rotation Process (Every Year, Per Domain)
- Generate a new RSA key pair (new selector, e.g.,
s2026). - Publish the new public key to DNS at
s2026._domainkey.yourdomain.com. - Wait 48 hours for DNS propagation.
- Reconfigure your mail server to sign outbound mail with the new private key.
- Leave both selectors active for 7 days (some messages signed with the old key may still be in transit or queued for delivery).
- Delete the old selector from DNS.
- Securely destroy the old private key.
That's 7 steps per domain per year. If you manage 50 domains, that's 350 operations with zero margin for error. Miss step 5 and you break authentication for in-flight messages. Miss step 6 and you leave an old key active indefinitely.
| Approach | Annual Work Per Domain | Risk of Human Error | Works at 100+ Domains? | Cost |
|---|---|---|---|---|
| Manual (self-hosted Postfix) | 7 steps + testing | High | No | Your time |
| ESP white-labeling (per-domain) | Initial setup + annual rotation | Medium | Depends on ESP tooling | Varies by ESP |
| CNAME-based (TrekMail) | One-time CNAME setup | Near-zero | Yes — scales to 1,000+ | Included in plan |
For a single domain, manual is manageable. For 50 domains, you need automation or you'll eventually miss a rotation and spend a Friday debugging why emails from a client's domain suddenly started failing authentication.
How TrekMail Handles DKIM
TrekMail was built for operators who manage multiple domains — whether that's a founder with five side projects or an MSP with 800 client domains. The DKIM implementation reflects that.
CNAME-Based Rotation
When you add a domain to TrekMail, the DNS wizard gives you a single CNAME record to publish:
tm1._domainkey.yourdomain.com CNAME tm1._domainkey.trekmail.netThat's it. You publish it once. We manage the actual public key on our end. When we rotate keys — which we do automatically on a regular schedule — your DNS record stays exactly the same. The CNAME resolves to whatever current key we're using. You don't get paged. You don't have to schedule downtime. You don't have to remember which of your 80 domains is due for rotation this quarter.
For an agency on the Pro plan at $8/month managing 100 domains, that's 700 fewer manual DNS operations per year compared to self-hosted rotation. That math adds up fast.
One-Click DNS Wizard
For operators who are configuring a domain for the first time, TrekMail's DNS wizard generates all required records — MX, SPF, DKIM, and DMARC — in one place and validates them after setup. The wizard checks your actual DNS, not a cached dashboard state, so the "verified" status is real. This is documented in the Required DNS Records guide.
No Per-User Pricing
TrekMail's flat-rate pricing model means DKIM signing doesn't cost extra as you add mailboxes. Starter at $3.50/month covers 50 domains and 100 users per domain. Pro at $8/month covers 100 domains and 300 users per domain. Agency scales to 1,000+ domains. Storage is pooled, not per-user, so you're not penalized for creating a lot of accounts.
The DNS setup — including DKIM — is the same across all plans. You're not paying a premium to get proper authentication. It's the default.
Old Way vs. New Way: Managing Your DKIM Record
| Old Way (Self-Managed) | New Way (TrekMail) | |
|---|---|---|
| Initial DKIM setup | Generate keys, configure Postfix, publish DNS, test manually | Add domain, publish one CNAME, verify in dashboard |
| Annual key rotation | 7-step manual process per domain | Automatic — no action required |
| Adding a new domain | Repeat full setup | Repeat one CNAME |
| Debugging a DKIM failure | SSH into server, check logs, dig DNS manually | DNS status dashboard + docs |
| Cost at 100 domains | Server costs + your time | $8/month flat |
Conclusion
A properly configured DKIM record is not optional infrastructure. It's the minimum viable authentication setup for any domain sending email in 2025 and beyond. Without it, you're failing DMARC, losing reputation on every forwarded message, and giving inbox providers a reason to route your mail to spam regardless of how good your content is.
Get your DKIM record basics right first: 2048-bit key, correct selector, properly split DNS record if you're self-hosting, DKIM alignment verified against your Header From domain. Once your DKIM record basics are solid, build up from there — automated rotation, proper DMARC policy, monitoring via Google Postmaster Tools.
If you want to understand the complete authentication picture — where DKIM fits alongside SPF and DMARC, and the order in which to configure them — the SPF vs DKIM vs DMARC breakdown covers the relationships clearly. And if you're actively troubleshooting a delivery problem, the stop emails going to spam guide gives you a prioritized fix order that won't have you chasing the wrong thing first.
If you're managing more than a handful of domains, the manual approach to DKIM is a liability. One missed rotation, one truncated key, one misaligned selector is all it takes to break authentication across an entire client's domain. TrekMail's CNAME-based DKIM management eliminates that class of failure. See the plans or start free — 10 domains, no credit card required.
