DKIM DNS Setup Guide

Cryptographically sign every email you send

DKIM (DomainKeys Identified Mail) adds a digital signature to every outgoing email. Receiving mail servers verify this signature against a public key you publish in DNS. This proves the email was not altered and truly came from your domain. This guide shows you how to set it up.

Step 1 — Generate the key pair

Most email providers generate DKIM keys for you automatically. If you manage your own mail server, use OpenSSL:

openssl genrsa -out dkim.private 2048
openssl rsa -in dkim.private -pubout -outform PEM -out dkim.public

Keep the private key secure on your mail server. You will only publish the public key in DNS.

Step 2 — Format the public key

Remove the PEM header, footer, and line breaks so the key becomes one continuous string. It should look like this:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU+nlcaGmrKmDMw9dbgiGk1ocgZ56NR4ycfUHwQhvQPMUZw0cveel/8EAGoi/UyPmqfcPibytH81NFtTMAxUeM4Op8A6iHkvAMj5qLf4YRNsTkKAKW3OkwPQIDAQAB

Step 3 — Publish the DNS TXT record

Create a TXT record using your chosen selector (commonly default, google, or mail):

  • Type: TXT
  • Name/Host: selector._domainkey.yourdomain.com
  • Value: v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY
  • TTL: 300 seconds during testing

Step 4 — Configure your mail server

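Tell your mail server to sign outgoing emails using the private key and selector. Postfix does not sign mail itself; it passes each message to a signing milter (OpenDKIM is a common choice) that holds the key and selector. For a milter listening on localhost:8891, add to main.cf:

smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

With milter_default_action = accept, Postfix sends mail unsigned if the milter is unreachable, so monitor that the milter is running.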

Step 5 — Verify with Postalfix

Use our DKIM checker to look up your published record by domain and selector. If the record is found and formatted correctly, you are ready to go.
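
The record value can also be checked locally before it is published. The Python sketch below is an added example, not part of the original guide or of any provider's tooling: it does the Step 2 formatting, splits a value longer than 255 characters into several TXT strings (the record for a 2048-bit key exceeds that limit), and reports the RSA key size. The function names are this example's own, and the input is the Step 2 sample value re-wrapped as PEM, which decodes to a 1024-bit key.

```python
import base64

# Sample p= value from Step 2 of this guide, re-wrapped as PEM (constructed input).
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDg
aL2oqQE8T5illKqCgDtFHc8eHVAU+nlcaGmrKmDMw9dbgiGk1ocgZ56NR4ycfUHw
QhvQPMUZw0cveel/8EAGoi/UyPmqfcPibytH81NFtTMAxUeM4Op8A6iHkvAMj5qL
f4YRNsTkKAKW3OkwPQIDAQAB
-----END PUBLIC KEY-----
"""

def pem_to_record(pem):
    """Step 2: drop the PEM header, footer and line breaks; keep only the base64."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    base64.b64decode(b64, validate=True)  # raises if stray characters slipped in
    return "v=DKIM1; k=rsa; p=" + b64

def txt_strings(value, limit=255):
    """One TXT character-string holds at most 255 bytes, so longer values are split."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def _tlv(buf, pos):
    """Read one DER element; return (contents, offset of the next element)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(b64):
    """Modulus size, in bits, of a base64 SubjectPublicKeyInfo RSA key."""
    spki, _ = _tlv(base64.b64decode(b64, validate=True), 0)
    _, pos = _tlv(spki, 0)            # skip the AlgorithmIdentifier
    bitstring, _ = _tlv(spki, pos)    # BIT STRING wrapping the RSA key
    rsa_key, _ = _tlv(bitstring, 1)   # byte 0 is the unused-bits count
    modulus, _ = _tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt):
    """Return the problems found in a DKIM TXT value; an empty list means none."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    p = "".join(tags.get("p", "").split())
    if tags.get("v", "DKIM1") != "DKIM1" or not p:
        return ["v= must be DKIM1 and p= must hold a key (empty p= means revoked)"]
    try:
        bits = rsa_bits(p)
    except Exception:
        return ["p= is not clean base64 DER (PEM header or stray characters left in?)"]
    return [f"{bits}-bit RSA key, below the 2048 bits generated in Step 1"] if bits < 2048 else []
```

When a value is split, most DNS control panels expect each string in its own pair of double quotes; receivers join the strings with nothing in between.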

Common selectors by provider

  • Google Workspace: google
  • Microsoft 365: selector1 or selector2
  • Mailchimp: k1
  • SendGrid: s1