Easy DKIM setup guide with plain-English steps, provider notes, what a selector is, and how to verify DKIM passing in Gmail. Includes a mini selector checker.
What Is DKIM (DomainKeys Identified Mail)?
DKIM adds a digital signature to every outgoing message.
Receivers use a public key (published in DNS) to confirm that:
- the email was sent by a server authorized for your domain, and
- the content wasn’t altered in transit.
Result: stronger trust, fewer spoofed emails, and higher inbox placement.
Key Terms (Quick Definitions)
- DNS (Domain Name System): the internet’s address book — where you publish DKIM records.
- TXT Record: a DNS entry used to store DKIM public keys and authentication data.
- Selector: a label (e.g., default or s1) pointing to a specific DKIM key. The full hostname looks like:
  selector._domainkey.example.com
- Public Key: lives in DNS, readable by receiving mail servers.
- Private Key: stays on your mail server, used to sign messages.
Quick Start (Pattern)
DKIM lives under a selector — not at the root.
Your provider generates both the selector and value.
DNS Fields
| Field | Example |
|---|---|
| Type | TXT |
| Name / Host | default._domainkey |
| Value | v=DKIM1; k=rsa; p=MIIBIjANBgkqh...IDAQAB |
| TTL | 5–30 minutes while testing |
Provider Quick References
Always use your provider’s dashboard to generate keys and copy the exact DNS record.
- Google Workspace (Gmail):
  Admin → Apps → Gmail → Authenticate email → Generate record → add TXT at google._domainkey.
- Microsoft 365 / Exchange Online:
  Defender or Exchange Admin → DKIM → enable per domain → adds two CNAME records that point to Microsoft-hosted keys.
- Zoho Mail:
  Mail Admin → DKIM → add selector (e.g., zmail) → paste TXT value.
- Proton Mail:
  Settings → Email authentication → DKIM → add selector + TXT.
- Fastmail:
  Settings → Sending domains → DKIM → copy TXT + paste to DNS.
- Amazon SES:
  SES Console → Domains → Verify → DKIM → add given CNAME/TXT records (region-specific).
- Mailgun / SendGrid / Postmark:
  Domain authentication → DKIM → copy the TXT/CNAME records provided.
Some providers (Microsoft 365, Amazon SES) use CNAME delegation so they host the key; others (Google, Zoho, Fastmail) publish TXT directly.
How Selectors Work
- Each DKIM selector corresponds to one key.
- You can have multiple selectors (e.g., s1, s2) for rotation or different systems.
- Your outgoing server chooses a selector when signing.
- Receivers look up that exact selector in DNS to verify the signature.
Best practice:
Use meaningful selectors (e.g., google, sendgrid, store) and rotate annually or after system migrations.
Verify DKIM Is Passing
Gmail Method
- Send a test email to any Gmail inbox.
- Open → ⋮ → Show original.
- Look for dkim=pass under Authentication-Results.
You’ll also see which selector passed (e.g., header.s=google).
Command-Line Method
dig TXT selector._domainkey.example.com +short
If configured correctly, it should return a long string beginning with v=DKIM1; k=rsa; p=...
Mini “Selector Checker” (Optional HTML Block)
Paste this block in a Custom HTML widget to perform a quick lookup via public DNS resolvers (for educational use only).
Some gateways block browser DNS requests. If the fetch fails, run the suggested dig command locally.
Common Mistakes and Fixes
| Issue | Fix |
|---|---|
| Missing _domainkey in hostname | Add selector._domainkey |
| Extra quotes or spaces in value | Paste exactly as provided |
| DKIM enabled but no DNS record | Publish TXT/CNAME and wait for TTL |
| Old selector after rotation | Update to new selector or repoint CNAME |
| Only DKIM (no SPF/DMARC) | Implement all three for full protection |
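
An added example, not part of the original guide: a Python check that takes the output of the dig command from the Command-Line Method and flags the record mistakes in the table above (missing _domainkey, quotes pasted into the value), plus an empty p= tag, which RFC 6376 defines as a revoked key. The function names and sample values are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample value: base64 of arbitrary bytes, not a real DKIM key.
SAMPLE_P = base64.b64encode(bytes(range(64))).decode()
# dig +short prints a long TXT record as several quoted chunks.
SAMPLE_DIG = f'"v=DKIM1; k=rsa; p={SAMPLE_P[:40]}" "{SAMPLE_P[40:]}"'


def join_txt_chunks(dig_output):
    """Concatenate the quoted chunks of `dig TXT ... +short` output."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_output)
    return "".join(chunks) if chunks else dig_output.strip()


def check_dkim_record(hostname, dig_output):
    """Return a list of problems; an empty list means the record looks sane."""
    problems = []
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 3 or labels[1] != "_domainkey":
        problems.append("hostname is not selector._domainkey.<domain>")
    record = join_txt_chunks(dig_output)
    if not record:
        return problems + ["no TXT data returned"]
    if '"' in record:  # quotes pasted into the value show up escaped in dig
        problems.append("literal quotes inside the value")
        record = record.replace('\\"', "").replace('"', "")
    if not record.startswith("v=DKIM1"):  # the guide's checklist item
        problems.append("value does not start with v=DKIM1")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    # k= defaults to rsa when absent; ed25519 is the other defined type (RFC 8463)
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type k=" + tags["k"])
    p = tags.get("p")
    if p is None:
        problems.append("no p= tag")
    elif p == "":
        problems.append("empty p= (key revoked)")
    else:
        try:  # whitespace inside the base64 is allowed, so drop it first
            base64.b64decode(re.sub(r"\s+", "", p), validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems
```

Feed it the selector hostname and the raw text dig printed; when the name is a CNAME, dig prints the target on an unquoted line first, and only the quoted TXT chunks are read.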
FAQs
Q1) Do I need DKIM if I already use SPF?
Yes. SPF can fail when mail is forwarded, while DKIM remains valid because the signature travels with the message.
Q2) What should my selector be?
Any short label works (e.g., google, store, s1). Use one per system and rotate keys periodically.
Q3) My provider gave CNAMEs, not TXT. Is that okay?
Yes. Many providers host their DKIM keys behind CNAMEs to simplify updates.
Q4) How do I confirm it’s working?
In Gmail “Show original” → look for dkim=pass.
You can also verify via dig that your selector resolves to a v=DKIM1 public key.
Final Checklist
- One DKIM TXT (or CNAME) per selector
- Hostname = selector._domainkey
- Value starts with v=DKIM1; k=rsa; p=
- TTL 5–30 min for testing
- Gmail shows dkim=pass in Authentication-Results




