
DKIM record

Learn what a DKIM record is, how it uses cryptographic signatures to prove email authenticity, how to find and verify DKIM selectors, common setup for Google Workspace and Microsoft 365, and why DKIM is essential for email deliverability.

What Is a DKIM Record?

TL;DR
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The receiving server looks up a public key in your DNS to verify the signature — proving the email genuinely came from your domain and wasn't tampered with in transit.
Unlike SPF (which checks the sending IP), DKIM signatures travel with the message and survive email forwarding.


How DKIM Works

  1. Your mail server signs each outgoing message using a private key you control.
  2. The signature is added to the email as a DKIM-Signature header.
  3. The receiving server reads the d= (domain) and s= (selector) values from the signature.
  4. It queries DNS for the public key at {selector}._domainkey.{domain} as a TXT record.
  5. It uses the public key to verify the signature against the message content.
  6. If the signature is valid, DKIM passes — the email is authenticated.

The private key lives on your mail server (or your ESP's servers). The public key is published in DNS. They are mathematically paired — you can verify with the public key but only sign with the private key.

Where DKIM Records Live

DKIM records are published at a selector-based subdomain:

{selector}._domainkey.{domain}

For example, if your selector is google and your domain is example.com:

google._domainkey.example.com.  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."

Selectors allow a domain to have multiple DKIM keys simultaneously — useful when you use several email providers or want to rotate keys without downtime.

DKIM Record Format

{selector}._domainkey.example.com.  TXT  "v=DKIM1; k=rsa; p=<public-key>"

Key Tags

| Tag | Required | Description |
|---|---|---|
| v=DKIM1 | Yes | Version; always DKIM1 |
| k=rsa | No (defaults to rsa) | Key type: rsa (most common) or ed25519 |
| p=<key> | Yes | Base64-encoded public key. An empty value (p=) revokes the key |
| s=email | No | Service type: * or email |
| t=s | No | Flags; s means the signing identity (i=) must be exactly the d= domain, not a subdomain |
| h=sha256 | No | Acceptable hash algorithms |
| n=<notes> | No | Human-readable notes (ignored by verifiers) |
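An added example (not code from the original page) that checks a published record against the tags above, including the chunked multi-string records and the empty p= revocation the table and FAQ describe. The p= values are constructed placeholders, not real keys, and the t=y testing flag comes from RFC 6376 rather than from this page.

```python
import base64
import binascii
import re

# Added example, not code from the original page: check a DKIM public-key TXT
# record the way a verifier reads it. Long records arrive as several quoted
# strings that are joined before parsing; the p= values below are constructed.

def parse_tags(record: str) -> dict:
    """'v=DKIM1; k=rsa; p=...' -> dict. Whitespace inside a value is folding space."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def check_dkim_record(txt_strings: list) -> dict:
    """Return {'status': 'ok' | 'revoked' | 'invalid', ...} for one TXT RDATA."""
    tags = parse_tags("".join(txt_strings))        # chunked strings form one record
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("v=DKIM1 missing or wrong")
    key_type = tags.get("k", "rsa")                # k= defaults to rsa
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unknown key type {key_type!r}")
    if "p" not in tags:
        problems.append("p= tag missing")
        return {"status": "invalid", "problems": problems}
    if tags["p"] == "":                            # empty p= revokes the selector
        return {"status": "revoked", "problems": problems}
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except binascii.Error as exc:
        problems.append(f"p= is not valid base64 ({exc}); key truncated or mangled")
        return {"status": "invalid", "problems": problems}
    flags = set(tags.get("t", "").split(":")) - {""}
    return {
        "status": "invalid" if problems else "ok",
        "key_type": key_type,
        "key_bytes": len(key),
        "no_subdomains": "s" in flags,             # t=s: i= must equal d=, no subdomains
        "testing": "y" in flags,                   # t=y: testing mode (RFC 6376, not on this page)
        "problems": problems,
    }

# Constructed samples: a chunked Ed25519 record (32 zero bytes stand in for a
# key), a revoked selector, and a key that lost characters in the DNS editor.
CHUNKED_OK = ["v=DKIM1; k=ed25519; t=s; p=" + "A" * 20, "A" * 23 + "="]
REVOKED = ["v=DKIM1; k=rsa; p="]
TRUNCATED = ["v=DKIM1; k=rsa; p=" + "A" * 41]

if __name__ == "__main__":
    print([check_dkim_record(r)["status"] for r in (CHUNKED_OK, REVOKED, TRUNCATED)])
```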

Common DKIM Records by Provider

Google Workspace (selector: google)

google._domainkey.example.com.  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3..."

Google generates the key pair for you — you copy the public key from the Admin Console and add it to DNS.

Microsoft 365 (selectors: selector1, selector2)

selector1._domainkey.example.com.  CNAME  selector1-example-com._domainkey.example.onmicrosoft.com.
selector2._domainkey.example.com.  CNAME  selector2-example-com._domainkey.example.onmicrosoft.com.

Microsoft 365 uses CNAME records that point back to Microsoft-managed keys, allowing automatic key rotation.

Mailchimp (selector: k1 or k2)

k1._domainkey.example.com.  CNAME  dkim.mcsv.net.

Sendgrid (selector: s1, s2, or custom)

s1._domainkey.example.com.  CNAME  s1.domainkey.u12345.wl012.sendgrid.net.

How to Find Your DKIM Selector

The selector is in the DKIM-Signature header of any email your domain sends. To find it:

  1. Send yourself a test email from your domain
  2. View the raw message headers (Gmail: "Show original", Outlook: "View message source")
  3. Look for the DKIM-Signature header
  4. Find the s= tag — that's your selector

Example header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=example.com; s=google;
  h=from:to:subject:date;
  bh=base64hash; b=base64signature

Here s=google means the selector is google and the record lives at google._domainkey.example.com.
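The header walk-through above, carried into code as an added example (not from the original page): it parses the DKIM-Signature tags, derives the {selector}._domainkey.{domain} lookup name, and recomputes the bh= body hash with the relaxed canonicalization from RFC 6376, which needs no key material. Verifying the b= signature itself would additionally need the public key from DNS and an RSA or Ed25519 library; the sample header and body are constructed.

```python
import base64
import hashlib
import re

# Added example, not code from the original page: read the DKIM-Signature tags,
# derive where the public key lives in DNS, and recompute the bh= body hash
# (relaxed canonicalization, RFC 6376 3.4.4). The b= signature itself needs the
# public key plus an RSA/Ed25519 library and is not verified here.

def parse_tags(header_value: str) -> dict:
    """'v=1; a=rsa-sha256; d=...' -> dict. Whitespace inside a value is folding space."""
    pairs = [p.split("=", 1) for p in header_value.split(";") if "=" in p]
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def dkim_dns_name(tags: dict) -> str:
    """Where a verifier queries for the public key: {selector}._domainkey.{domain}."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def relaxed_body_canon(body: bytes) -> bytes:
    """Collapse runs of WSP to one space, strip trailing WSP, drop trailing
    empty lines, and end a non-empty body with CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def body_hash(body: bytes) -> str:
    """bh= for a=rsa-sha256 (or ed25519-sha256): base64(sha256(canonical body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body_canon(body)).digest()).decode()

def body_hash_matches(signature_header: str, body: bytes) -> bool:
    """True when the bh= tag equals the hash of the body actually received."""
    return parse_tags(signature_header).get("bh") == body_hash(body)

# Constructed sample: a header in the shape shown above, with bh= filled in
# from the constructed body, then the same message with a line appended.
SAMPLE_BODY = b"Hello  world \r\nInvoice attached.\r\n\r\n\r\n"
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google; "
    "h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + "; b=base64signature"
)
TAMPERED_BODY = SAMPLE_BODY + b"Extra line added in transit.\r\n"

if __name__ == "__main__":
    print(dkim_dns_name(parse_tags(SAMPLE_HEADER)))         # google._domainkey.example.com
    print(body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY))    # True
    print(body_hash_matches(SAMPLE_HEADER, TAMPERED_BODY))  # False
```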

How to Look Up a DKIM Record

dig google._domainkey.example.com TXT
nslookup -type=TXT google._domainkey.example.com

Replace google with your actual selector and example.com with your domain.

RSA vs Ed25519

| Feature | RSA (2048-bit) | Ed25519 |
|---|---|---|
| Key size | ~300 chars (base64) | ~68 chars (base64) |
| Compatibility | Universal | Not supported by all receivers |
| Security | Strong | Stronger per bit |
| DNS record size | Often requires chunking | Fits in one string |
| Recommended | Yes (for compatibility) | Yes (as supplementary key) |

Most providers generate RSA keys. Ed25519 is smaller and more secure but has limited receiver support. Running both is possible using different selectors.

DKIM and Forwarding

DKIM survives email forwarding because the signature travels with the message headers. SPF breaks on forwarding (the forwarding server's IP is not in the original SPF record). This makes DKIM the more reliable authentication method for DMARC alignment when forwarding is involved.

SPF vs DKIM vs DMARC

| Feature | SPF | DKIM | DMARC |
|---|---|---|---|
| What it checks | Sending server IP | Cryptographic message signature | Alignment of SPF/DKIM with From header |
| Survives forwarding | No | Yes | Depends on DKIM passing |
| Published at | example.com TXT | selector._domainkey.example.com TXT | _dmarc.example.com TXT |
| Requires private key | No | Yes | No |
| Provides reports | No | No | Yes |

→ See also: SPF Record, DMARC Record, TXT Record

Frequently Asked Questions

How many DKIM records can I have?
As many as you need — one per selector. Each email service you use (Google, Mailchimp, Sendgrid, etc.) gets its own selector and its own DKIM record. They don't conflict.
My DKIM is set up but emails still fail — why?
DKIM failures are often caused by one of the following: the DNS record has not propagated yet (allow up to 48 hours), line breaks inserted into the public key (some DNS editors split long values incorrectly), or a CNAME chain that does not resolve. Check the raw DKIM-Signature header on a received message to confirm that your provider is actually signing.
What does it mean to rotate DKIM keys?
Key rotation means replacing your old DKIM public/private key pair with a new one. Best practice is to add the new key under a new selector, start signing with it, then remove the old record after a few weeks. This avoids deliverability gaps during rotation.
Can I use DKIM without SPF?
Yes. DKIM works independently of SPF. For DMARC to pass, at least one of SPF or DKIM must pass with alignment. Using both is recommended.
Why is my DKIM public key so long?
RSA-2048 public keys are large when base64-encoded — typically 300+ characters. Some DNS providers split this into two quoted strings. The strings are concatenated by resolvers. If your provider cuts the key, verify it's split correctly with no characters missing.
Does DKIM prove the From: address is legitimate?
DKIM proves the message was signed by a server controlling the d= domain's key. But DMARC alignment is what ties the DKIM d= domain to the visible From: header. DKIM alone without DMARC still allows display-name spoofing.
