If you're sending email without DKIM in 2026, your messages are getting rejected. Google and Yahoo now require cryptographic authentication on every inbound message. No signature, no inbox. Learning how to set up DKIM isn't a nice-to-have — it's the difference between your emails arriving and your emails bouncing with a 550 5.7.26 error.
Understanding how to set up DKIM starts with the basics. DKIM (DomainKeys Identified Mail) attaches a digital signature to each outgoing email. The receiving server checks that signature against a public key you publish in DNS. If it matches, the message is verified as legitimate and untampered. If it doesn't, the message gets flagged or dropped.
This guide walks you through the full DKIM setup process — from key generation to DNS publishing to verification — for any provider. If you haven't set up SPF yet, do that first: see our SPF record for email guide.
What DKIM Actually Does (30-Second Version)
DKIM uses asymmetric cryptography as defined in RFC 6376. Your email server holds a private key and signs every outgoing message. You publish the matching public key in a DNS TXT record. When a receiving server gets your email, it pulls the public key from DNS and validates the signature.
Two things get proven:
- Identity — The email actually came from your domain.
- Integrity — Nobody altered the message in transit.
Without DKIM, your domain reputation takes a hit every time you send. Mailbox providers treat unsigned mail as suspicious, and that suspicion compounds over time.
How to Set Up DKIM: The Full Process
Setting up DKIM requires four steps: generate your keys, publish the DNS record, verify propagation, and confirm alignment with DMARC. Each step takes a few minutes, but skipping any one of them will leave your authentication broken.
Step 1: Generate Your DKIM Key Pair
The first step is generating your key pair, and your email provider does this for you. Don't use random third-party DKIM generator websites: if they create a private key for you, they can forge emails from your domain.
Every provider gives you two things: a selector (a label like s1, google, or tm1) and a public key value. The selector lets you run multiple DKIM keys on the same domain, so your marketing platform and your transactional email service each get their own.
TrekMail Users
- Starter, Pro, and Agency plans ($3.50–$23.25/mo): DKIM is managed automatically. TrekMail's SPF/DKIM/DMARC wizard generates keys and handles rotation. You just add a CNAME record pointing to us.
- Nano plan ($0, no card required): If you're using BYO SMTP (Amazon SES, SendGrid, Mailgun), generate keys inside that provider's dashboard.
Other Providers
- Google Workspace: Admin Console → Apps → Gmail → Authenticate Email → Generate New Record. Google's official DKIM setup docs cover edge cases.
- Microsoft 365: Defender → Policies & rules → Threat policies → Email authentication settings → DKIM.
- Amazon SES: Verified Identities → Click Domain → DKIM → Generate.
- SendGrid: Settings → Sender Authentication → Authenticate Your Domain.
The output will look something like this:
Selector: tm1
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...
Copy both. You'll need them for the next step.
Step 2: Publish the DKIM DNS Record
Next, publish the DNS record. Log in to your DNS provider (Cloudflare, Namecheap, GoDaddy, Route 53, or wherever your domain's nameservers point) and create a new record.
Here's the configuration:
Type: TXT (or CNAME if your provider gave you a CNAME target)
Host: selector._domainkey
Value: v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_HERE
TTL: 3600
Critical detail: If your selector is tm1, the Host field is tm1._domainkey — not tm1._domainkey.example.com. Most DNS dashboards append the domain automatically. If yours doesn't, add the full hostname.
The 2048-Bit Key Length Problem
You should be using 2048-bit keys. They're the current standard and some providers won't accept 1024-bit anymore. But 2048-bit keys produce strings that exceed the 255-character limit on DNS TXT record chunks.
If your DNS provider throws an "Invalid Length" error, split the value into two quoted strings:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx7...first-half-of-key..."
"second-half-of-key...QAB"
The DNS server concatenates them automatically. Cloudflare and most modern providers handle splitting for you. Older cPanel interfaces don't — you'll need to do it manually.
Step 3: Verify the DKIM Record
After you set up DKIM DNS records, changes don't apply instantly. Wait 5–15 minutes, then verify the record is publicly visible.
On Mac or Linux:
dig txt tm1._domainkey.yourdomain.com +short
On Windows:
nslookup -q=txt tm1._domainkey.yourdomain.com
What you want to see:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQE..."
Common failures:
- NXDOMAIN: The record doesn't exist. Either it hasn't propagated yet, or you've got a "double domain" typo — something like tm1._domainkey.example.com.example.com. Check the Host field in your DNS dashboard.
- Empty response: The record exists but is malformed. Verify you copied the full key value without trailing spaces or line breaks.
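A checker for the record Step 3 returns and for the 255-character split described earlier, as an added example (not code from this guide or from any provider). The key is a constructed placeholder with a made-up modulus, and the function names are this example's own.

```python
import base64

def split_txt(value, limit=255):           # one TXT string holds at most 255 bytes
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def rsa_bits(der):
    """Modulus size in bits of the RSA public key carried in p=."""
    spki, _ = _tlv(der, 0)                 # outer SEQUENCE
    _, pos = _tlv(spki, 0)                 # AlgorithmIdentifier (skipped)
    bitstr, _ = _tlv(spki, pos)            # BIT STRING wrapping the RSA key
    rsakey, _ = _tlv(bitstr, 1)            # skip the unused-bits byte
    modulus, _ = _tlv(rsakey, 0)           # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def check_record(chunks):
    """Return the problems found in a DKIM key record; [] means it looks fine."""
    record = "".join(chunks)               # quoted strings join with no separator
    tags = {}
    for part in record.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return ["not a v=DKIM1 RSA key record; size check skipped"]
    if not tags.get("p"):
        return ["p= is empty or missing: no usable key"]
    try:
        bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return ["p= does not decode to a complete RSA key (truncated copy?)"]
    return [f"RSA key is {bits} bits; use 2048"] if bits < 2048 else []

# Constructed sample: well-formed 2048-bit key structure, made-up modulus.
SAMPLE_DER = bytes.fromhex(
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    + "c3" * 256 + "0203010001")
SAMPLE_CHUNKS = split_txt("v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_DER).decode())

if __name__ == "__main__":
    print([len(c) for c in SAMPLE_CHUNKS], check_record(SAMPLE_CHUNKS) or "record OK")
```

To check a live record, pass the quoted strings printed by dig as the list, one element per string.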
Step 4: Check DKIM Alignment with DMARC
Knowing how to set up DKIM properly means checking alignment. This is where most setups silently fail. A DKIM signature can be mathematically valid but still cause DMARC to reject your email.
DMARC requires alignment: the domain in the DKIM signature's d= tag must match the domain in your From: header. Here's what a misaligned setup looks like:
From: you@yourcompany.com
DKIM signature: d=sendgrid.net
Result: DKIM passes, DMARC fails (domains don't match)
This happens when you use a third-party ESP without configuring custom DKIM (sometimes called "domain authentication" or "whitelabeling"). The ESP signs with their domain instead of yours.
Fix it by enabling custom DKIM signing in every service that sends email on your behalf. If you're using TrekMail's managed SMTP, alignment is handled automatically — we sign with your domain from day one.
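The alignment check from this step, as an added example (not code from this guide or from any ESP): it reads the d= tag of every DKIM-Signature header and compares it with the From: domain. It goes slightly beyond the text by showing both DMARC modes, relaxed (the default) and strict; the message, its selectors and the two-label org_domain shortcut are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption for this example: the last two labels. Real DMARC
    # evaluators use the Public Suffix List (example.co.uk needs three).
    return ".".join(domain.lower().split(".")[-2:])

def signatures(msg):
    """Yield (selector, d= domain) for each DKIM-Signature header."""
    for raw in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in raw.split(";"):
            name, sep, val = part.partition("=")
            if sep:
                tags[name.strip()] = "".join(val.split())  # also unfolds the header
        yield tags.get("s", ""), tags.get("d", "").lower()

def alignment(raw_message, strict=False):
    """Return (From domain, [(selector, d=, aligned?), ...]).
    Alignment only: the signatures themselves are not verified here.
    strict=False models DMARC's default relaxed mode (adkim=r)."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    rows = []
    for selector, d in signatures(msg):
        ok = d == from_domain if strict else org_domain(d) == org_domain(from_domain)
        rows.append((selector, d, ok))
    return from_domain, rows

# Constructed message: the misaligned case above plus a custom-DKIM signature.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=sendgrid.net; s=s1;
 h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED
DKIM-Signature: v=1; a=rsa-sha256; d=mail.yourcompany.com; s=tm1;
 h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: You <you@yourcompany.com>
Subject: alignment test

body
"""

if __name__ == "__main__":
    domain, rows = alignment(SAMPLE)
    for selector, d, ok in rows:
        print(f"From={domain} d={d} s={selector} ->", "aligned" if ok else "NOT aligned")
```

Run it over a saved copy of a message from each sending service; any service whose only signature shows as not aligned still needs custom DKIM enabled.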
For a broader view of how authentication protocols interact, read our guide on email sender reputation.
Common DKIM Setup Mistakes
Now that you know how to set up DKIM end to end, here are the pitfalls that catch people most often:
- Forgetting a sending service. If you send from Google Workspace, a CRM, and a marketing platform, each one needs its own DKIM record with a unique selector. A missing signature from any service tanks your DMARC pass rate.
- Using 1024-bit keys. Some older tutorials still default to 1024-bit. Use 2048-bit. It's more secure and increasingly required.
- Not rotating keys. DKIM keys should be rotated at least annually. If a private key is ever compromised, anyone can forge your email. TrekMail rotates keys automatically on managed plans.
- Ignoring the selector._domainkey format. The underscore and _domainkey suffix aren't optional. Get the hostname wrong and the record won't be found.
How TrekMail Makes DKIM Setup Automatic
If you're learning how to set up DKIM for one domain, the manual process takes about 20 minutes. If you're managing 10 or 50, it becomes a real operational burden — one expired key or broken selector can silently kill deliverability for days.
TrekMail's approach:
- Nano plan ($0): Full SPF/DKIM/DMARC wizard walks you through setup. No credit card required.
- Starter ($3.50/mo) and Pro ($10/mo): Managed DKIM with automatic key generation, rotation, and signing. You add one CNAME record and you're done. All plans include a 14-day free trial (card required).
- Agency ($23.25/mo): Apply the same managed authentication across all your client domains. TLS and DKIM signing enforced at the gateway level.
No more manual DNS records. No more debugging selectors at 2 AM. Try TrekMail free and get DKIM working in under five minutes.
Wrapping Up
Knowing how to set up DKIM is fundamental to email deliverability in 2026. Without it, your messages bounce. With it, you prove your identity and protect your messages from tampering.
The steps are straightforward: generate keys at your provider, publish the TXT record in DNS, verify propagation, and confirm DMARC alignment. Do it once for each sending service, rotate keys annually, and monitor your DKIM pass rate in your DMARC reports.
If you want authentication handled for you, TrekMail's managed plans take care of DKIM from key generation through rotation. For the rest of your email security stack, check out our guides on SPF record setup and secure email for business.