How to Set Up DKIM: Selectors, Keys & Records (2026) | DMARCguard Skip to main content<br>15 min read Share
How to Set Up DKIM: From Key Generation to a Passing DMARC Report<br>To set up DKIM, you generate a public/private key pair, publish the public key as a DNS record at selector._domainkey.yourdomain.com, and enable signing at your mail platform. The private key signs each outgoing message; receivers fetch the public key from DNS to verify it. That is the whole loop.<br>This guide is the single-page version of how to set up DKIM end to end — the part most guides scatter across a dozen URLs or lock to one vendor. It is for IT admins and founder-operators standing up DKIM, often under the Google and Yahoo bulk-sender rules in force since February 2024. You will get the 60-second mechanics, a five-step setup, a clear key-length decision, vendor-neutral rotation, verification, and the reason a published DKIM record can still fail DMARC.<br>Key finding 22.7% of 5.5 million domains publish DKIM — the lowest adoption of any core email-authentication protocol. Setting it up correctly is still a competitive advantage.<br>Source: DMARCguard scan of 5,499,028 Tranco domains, 2026-02-27 How DKIM Works: Signing and Verification<br>DKIM (RFC 6376) lets a sending server attach a cryptographic signature to each message; the receiver fetches the matching public key from DNS and verifies that signature, proving the message was not altered in transit and came from a domain that authorized the signing.<br>The mechanics are short. Your private key signs a hash of the message body (bh=) and a set of chosen headers (h=), and writes the result into a DKIM-Signature header (b=). The d= tag names the signing domain and the s= tag names the selector, which together tell the receiver exactly where to look: ._domainkey. (RFC 6376 §6). The receiver pulls the public key from that DNS host, recomputes the hashes, and confirms the signature. The point of all this is two guarantees — integrity (the signed content was not changed) and origin (a key-holder for d= signed it).<br>That is enough to set DKIM up. If you want the full conceptual model — how the hashing, canonicalization, and key model fit together — read what DKIM is and why it works, which is our canonical reference for the protocol.<br>How to Set Up DKIM in 5 Steps<br>DKIM setup is the same five steps everywhere: generate a key pair, choose a selector, publish the public key in DNS, turn signing on, and verify. Only the console you click through changes between providers.<br>How to set up DKIM<br>Generate a 2048-bit RSA key pair. Use your mail platform’s console, your ESP’s domain-authentication screen, or openssl for a self-hosted server. The private key stays on the signing server; the public key goes into DNS.
Choose your selector. Accept the provider default (google, selector1, s1) or set your own short label. The selector is what lets one domain run several DKIM keys at once.
Publish the public key in DNS at selector._domainkey.yourdomain.com — a TXT record if you hold the key, or a CNAME if your provider hosts and rotates it (Microsoft 365, Amazon SES Easy DKIM, SendGrid, Mailchimp).
Enable signing at your platform. Flip the toggle: enable DKIM in Microsoft Defender, click Start authentication in Google Workspace, or authenticate the domain in your ESP.
Verify. Send a test message, read Authentication-Results for dkim=pass, and confirm the d= domain aligns with your From: domain.
For a self-hosted MTA, steps 1 and 3 are two openssl commands — generate the key, then export the public half as the single Base64 line DNS wants:<br>Generate a DKIM key pair with OpenSSL bash
# 1. Generate a 2048-bit RSA private key — keep this secret, never publish it<br>openssl genrsa -out dkim-private.pem 2048
# 2. Derive the public key and strip it to the single Base64 line DNS needs<br>openssl rsa -in dkim-private.pem -pubout -outform DER 2>/dev/null \<br>| openssl base64 -A
If you would rather not touch the command line, generate your key pair and record in the browser — free, no signup — and paste the output straight into DNS.<br>DKIM Selectors: How to Find Yours<br>A DKIM selector is the label in selector._domainkey. that points a receiver to the right public key, letting one domain run several keys — one per sender — at the same time. To find yours, read the s= tag in the DKIM-Signature header of a message you have already sent.<br>Two operational facts trip people up. First, you will often see two selectors (selector1/selector2, s1/s2) — that is the rotation pair, and both records must stay published. Second, every sending service gets its own selector: your Microsoft 365 mail, your Amazon SES app mail, and your Mailchimp campaigns each sign under a different selector, so each needs its own DKIM record. The defaults below are current as of 2026-06-26.<br>ProviderDefault selector(s)Record typeWho rotatesGoogle Workspacegoogle (custom prefix ok)TXTAdmin (manual)Microsoft 365selector1, selector2CNAMEMicrosoft (96-hour switch)Amazon SES...