Small Tech Stack logo

Using DKIM to authenticate emails you send
Updated 6 months ago

What is DKIM?

  • DKIM is a framework for digitally signing your outbound emails in a way that the receiver (normally the receiver’s email provider) can verify that they were authorized by your domain.  
  • A DKIM signature is added to the header of each email. The receiver checks it against a different (but cryptographically related) value stored within your DNS records: the public key. If the signature verifies against that key (the two values will not be identical), the system receiving the email can be reasonably sure that the email was authorized by the sending domain.


What does DKIM NOT DO?

  • DKIM validates your emails and proves that they came from a system you have approved... it does not validate your company in any way
  • DKIM can’t prove to the receiver that you are not a spammer … lots of spammers use DKIM. 


Learn more about DKIM


DKIM moving pieces

DKIM signature attached to each outbound email

  • Your email service provider will handle this part (Google, Microsoft, Salesforce, Mailchimp, etc.)
  • The DKIM signature is different in every email you send
  • The DKIM signature is included in the HEADER of each email … so you can actually view it on an email you receive by just looking at the headers (link to how to view email headers)


DKIM DNS record

  • These are one or more DNS records you will need to add to your domain via your registrar or DNS host
  • Your email service provider should hand you a required DNS record (or two) in the form of either a TXT record or CNAME record.
  • If your Email Service Provider (ESP) tells you to set up a DNS TXT record, the ‘hostname’ part of the DNS record is known as the DKIM ‘selector’.  You can end up with lots of DKIM selectors if you have multiple ESPs.
  • If your ESP tells you to set up a DNS CNAME record, that means that they will handle the TXT records within their own DNS system… and you just need to provide pointers to their servers.


Setting up DKIM - the general process

  • For each of your ESPs, look for their DKIM instructions.  
    • If they don’t provide instructions, then it’s possible that the emails they send will be coming from their domain and not yours.  (Or, possibly, they are not a very good ESP!).
  • Go to where you host your DNS records.  Many times, this is your registrar such as GoDaddy unless you are using a third-party DNS host such as AWS, Azure, or DNSMadeEasy.
  • Create the DNS record(s) — either TXT or CNAME —  as directed and then return to your ESP.  ESPs usually have a validation checker that will look for your new DNS entries and report back either success or error.


How to test your DKIM

  • After you’ve got your DKIM settings configured with your email service provider (to include the outbound DKIM key) and your DNS provider (to include the reference DKIM key for comparison), you should run some tests to make sure DKIM validation is working the way you want.
  • https://mxtoolbox.com/dkim.aspx
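
An offline check to run alongside the online tester, added here as an example (it is not from this article or any ESP): it takes the DKIM-Signature header from a received email, works out the DNS name a receiver queries for the key (`<selector>._domainkey.<domain>`), and sanity-checks the TXT record your ESP gave you. The function names are hypothetical, and the sample header and record are constructed placeholders, not a real signature or key.

```python
import base64
import re

def parse_tags(value):
    """Parse a DKIM 'tag=value; tag=value' list into a dict (folding whitespace removed)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def dns_name_for(signature_header):
    """DNS name the receiver queries for the public key, built from s= and d=."""
    tags = parse_tags(signature_header)
    missing = [t for t in ("v", "a", "b", "bh", "d", "h", "s") if t not in tags]
    if missing:
        raise ValueError(f"DKIM-Signature missing required tags: {missing}")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def check_key_record(txt):
    """Return a list of problems in a DKIM key TXT record (empty list = looks usable)."""
    tags = parse_tags(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if "p" not in tags:
        problems.append("no p= tag (no public key)")
    elif tags["p"] == "":
        problems.append("p= is empty: key has been revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64 (often a copy/paste truncation)")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: domain is in DKIM testing mode")
    return problems

# Constructed sample data: placeholder values, not a real signature or key.
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=esp1;\r\n"
                 " h=from:to:subject:date; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=")
SAMPLE_TXT = "v=DKIM1; k=rsa; p=Y29uc3RydWN0ZWQga2V5"

if __name__ == "__main__":
    print("Receiver will query:", dns_name_for(SAMPLE_HEADER))
    print("Record problems:", check_key_record(SAMPLE_TXT) or "none")
```

This only checks that the record is well formed and that the header points at the name you published; whether the signature actually verifies is still decided by the receiver or a tester like the one linked above.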


Service-specific articles on DKIM

You will need to work with each service that sends email for you.  This includes your primary (person-to-person) email provider plus additional providers you might use for marketing, sales, etc.
