How to Set Up DKIM for Your Domain

If your domain security scan shows DKIM is not configured, outbound emails from your domain have no cryptographic signature. This makes them easier to spoof and more likely to be flagged as spam. Here's how to fix it.

What this finding means

DKIM (DomainKeys Identified Mail) adds a digital signature to every outbound email. The signature is generated using a private key held by your mail server, and verified by receiving servers using a public key you publish in DNS. If the signature doesn't match — or doesn't exist — the receiving server has no cryptographic proof the email came from you.

Without DKIM, spoofed emails are much harder to detect, and your DMARC policy cannot reach p=reject safely (DKIM authentication survives email forwarding in a way SPF does not).

Why it matters

How to set up DKIM — by mail platform

Microsoft 365

  1. Go to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM
  2. Select your custom domain from the list
  3. Microsoft will show you two CNAME records to publish — copy both exactly
  4. Log in to your DNS provider and add both CNAME records
  5. Return to the DKIM settings page and click Enable to activate signing
  6. Allow up to 48 hours for DNS propagation

Google Workspace

  1. Go to admin.google.com → Apps → Google Workspace → Gmail → Authenticate email
  2. Select your domain and click Generate new record — choose a 2048-bit key if your DNS provider supports it
  3. Copy the TXT record name and value shown
  4. Add the TXT record to your DNS provider at the selector shown (e.g. google._domainkey.yourdomain.com)
  5. Return to Google Admin and click Start Authentication

Other platforms (Mailchimp, SendGrid, Resend, etc.)

Most platforms have a DKIM setup section in their domain authentication or sending domains settings. The process is:

  1. The platform generates a public/private key pair and shows you the DNS records to add
  2. Add those records (TXT or CNAME) to your DNS provider
  3. Return to the platform and verify / activate

What the DNS record looks like

DKIM records are TXT records published at a selector subdomain:

selector._domainkey.yourdomain.com

The value is a long public key string generated by your mail platform. You cannot write this manually — it must be generated by your email provider.
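
To sanity-check a record after publishing it, the sketch below (an added example, not code from this guide or from any mail platform) parses a DKIM TXT value, joins the quoted chunks DNS tools print for long keys, and flags an empty p= (revoked key), t=y (testing mode) and RSA keys under the 2048 bits recommended above. The function names are hypothetical, and the sample record is built from a constructed modulus, not a real key.

```python
import base64

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(spki):
    """Modulus size in bits of the RSA SubjectPublicKeyInfo carried in p=."""
    _, body, _ = _tlv(spki, 0)          # outer SEQUENCE
    _, _, alg_end = _tlv(spki, body)    # AlgorithmIdentifier, skipped
    _, bs, _ = _tlv(spki, alg_end)      # BIT STRING wrapping the key
    _, seq, _ = _tlv(spki, bs + 1)      # +1 skips the unused-bits byte
    _, n0, n1 = _tlv(spki, seq)         # INTEGER modulus
    return int.from_bytes(spki[n0:n1], "big").bit_length()

def check_dkim(txt):
    """Return (tags, findings) for the TXT value at selector._domainkey."""
    txt = txt.replace('"', "")  # join the 255-byte chunks DNS tools print
    tags = {k.strip(): "".join(v.split())
            for k, v in (t.split("=", 1) for t in txt.split(";") if "=" in t)}
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unsupported version")
    if "y" in tags.get("t", "").split(":"):
        findings.append("testing mode (t=y)")
    if not tags.get("p"):
        findings.append("key missing or revoked (empty p=)")
    elif tags.get("k", "rsa") == "rsa":
        size = rsa_bits(base64.b64decode(tags["p"]))
        if size < 2048:  # threshold follows this guide's 2048-bit advice
            findings.append(f"RSA key is {size}-bit, below 2048")
    return tags, findings

def _der(tag, body):  # DER-encode one element; only used to build the sample
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits, extra=""):
    """Constructed sample: modulus 2^(bits-1)+1 is NOT a usable key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    spki = base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa))).decode()
    return f'"v=DKIM1; k=rsa; {extra}p={spki[:200]}" "{spki[200:]}"'
```

Pass check_dkim() the TXT value your DNS lookup tool returns for the selector your platform gave you; an empty findings list means none of these three conditions was hit.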

Verify it worked

Scan your domain at mydomainrisk.com — the DKIM finding will show as resolved once your record is detected. DNS propagation can take up to 48 hours.

Check if DKIM is configured on your domain

MyDomainRisk scans 14 common DKIM selectors and shows you exactly what's detected — free, no account required.
