Quick Answer

Use CNAME for DKIM when your ESP offers it. CNAMEs point to the ESP's DNS, so they handle key rotation automatically. Use TXT when you need direct control over the key or your ESP only provides TXT records. CNAMEs are easier to maintain; TXT records give you full control but require manual updates during key rotation.

DKIM CNAME vs TXT Record: Which to Use and Why

By Braedon · Mailflow Authority · Email Authentication · Updated 2026-03-31

TXT vs CNAME: The Basics

TXT Record

The DKIM public key lives directly in your DNS:

s1._domainkey.yourdomain.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ..."

You own and manage the key data.

CNAME Record

Points to the ESP's DNS where they host the key:

s1._domainkey.yourdomain.com. CNAME s1.domainkey.sendgrid.net.

The ESP owns and manages the actual key data. Your DNS just redirects to it.

When to Use CNAME

Advantages:

  • Automatic key rotation: ESP updates their end; your DNS follows
  • Simpler setup: Just add one CNAME, no long key strings
  • Handles 2048-bit keys easily: the long TXT string lives on the ESP's side, so you never hit DNS length-limit issues
  • Consistent configuration: ESP manages complexity

Use CNAME when:

  • Your ESP provides CNAME option
  • You want hands-off key management
  • You're not self-hosting email infrastructure
  • You have multiple ESPs (easier to manage)

Practitioner note: I default to CNAME whenever the ESP offers it. Key rotation without touching DNS is worth its weight in gold. The clients who insisted on TXT records have come back during key rotation asking why it's so complicated.

When to Use TXT

Advantages:

  • Full control: You manage the key directly
  • No dependency: Works even if ESP DNS has issues
  • Required by some ESPs: Not all provide CNAME option
  • Self-hosted mail: You're running your own MTA

Use TXT when:

  • Your ESP only provides TXT records
  • You're self-hosting Postfix, Mailcow, etc.
  • Security policy requires direct key control
  • You need the key in your DNS for compliance

ESP Support by Record Type

ESP                 CNAME            TXT
SendGrid            ✓ (preferred)
Mailgun
Postmark
Amazon SES
Mailchimp           ✓ (only)
Google Workspace                     ✓ (only)
Microsoft 365       ✓ (required)
HubSpot

Note: Availability changes—check your ESP's current documentation.

Setting Up CNAME Records

Your ESP provides target domains. Add the CNAME:

# Example for SendGrid
s1._domainkey.yourdomain.com. CNAME s1.domainkey.sendgrid.net.
s2._domainkey.yourdomain.com. CNAME s2.domainkey.sendgrid.net.

DNS Provider Configuration

Cloudflare:

  1. DNS → Add record
  2. Type: CNAME
  3. Name: s1._domainkey
  4. Target: s1.domainkey.sendgrid.net
  5. Proxy status: DNS only (grey cloud)

GoDaddy:

  1. DNS Management → Add
  2. Type: CNAME
  3. Host: s1._domainkey
  4. Points to: s1.domainkey.sendgrid.net

Important: Don't enable proxy/CDN on DKIM CNAMEs. DNS only.

Setting Up TXT Records

ESP provides the full key value. Add as TXT:

s1._domainkey.yourdomain.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ..."

Handling Long Keys (2048-bit)

A 2048-bit key makes the full DKIM record longer than the 255-character maximum for a single TXT string. Solutions:

String concatenation:

s1._domainkey.yourdomain.com. TXT "v=DKIM1; k=rsa; p=MIIBIjANBgk" "qhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

Some DNS providers auto-split; others require manual splitting.

Check with dig:

dig TXT s1._domainkey.yourdomain.com +short

dig prints the strings as they are stored, possibly as several quoted chunks. Verifiers concatenate them, so the record is complete as long as every chunk is present and in order.
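As an added example (not from the original article), here is a Python script that does the dig check above by hand: it splits a DKIM record into 255-character strings, rejoins the quoted strings dig prints, parses the tags and reads the RSA key size out of p=. The key it uses is a constructed, structurally valid placeholder, not a real or ESP-issued key.

```python
import base64
import re
def _der(tag, body):
    n, lb = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | lb]) + n.to_bytes(lb, "big")
    return bytes([tag]) + length + body

def _tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length: low bits = byte count
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def make_placeholder_spki(bits):
    """Constructed placeholder of the given key size: valid DER structure, NOT a usable key."""
    modulus = (1 << (bits - 1)) | 1                          # exact bit length, not a real RSA n
    n_bytes = b"\x00" + modulus.to_bytes(bits // 8, "big")  # leading 0x00 keeps INTEGER positive
    rsa_pub = _der(0x30, _der(0x02, n_bytes) + _der(0x02, b"\x01\x00\x01"))  # n, e=65537
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")  # rsaEncryption
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))

def placeholder_record(bits):
    """DKIM record text wrapped around a constructed placeholder key of `bits` size."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(make_placeholder_spki(bits)).decode()

def split_txt_record(record, limit=255):
    """Break one long DKIM record into <=255-char quoted strings for a zone file or DNS UI."""
    return " ".join('"%s"' % record[i:i + limit] for i in range(0, len(record), limit))

def join_txt_strings(dig_output):
    """Concatenate the quoted strings `dig TXT ... +short` prints, as verifiers do."""
    return "".join(re.findall(r'"([^"]*)"', dig_output))

def parse_dkim_tags(record):
    """Split 'tag=value; tag=value' into a dict, tolerating whitespace around tags."""
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def rsa_key_bits(p_b64):
    """Read the modulus size out of the p= tag's base64 SubjectPublicKeyInfo."""
    _, body, _ = _tlv(base64.b64decode(p_b64), 0)   # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _tlv(body, 0)                        # skip AlgorithmIdentifier
    _, bitstr, _ = _tlv(body, pos)                   # BIT STRING wrapping RSAPublicKey
    _, rsa, _ = _tlv(bitstr[1:], 0)                  # [1:] drops the unused-bits byte
    _, modulus, _ = _tlv(rsa, 0)                     # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

if __name__ == "__main__":
    published = split_txt_record(placeholder_record(2048))   # two strings: record > 255 chars
    tags = parse_dkim_tags(join_txt_strings(published))
    print(published.count('"') // 2, "strings;", tags["k"], rsa_key_bits(tags["p"]), "bits")
```

A 1024-bit placeholder fits in one string; the 2048-bit one needs two, which is the splitting the section describes.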

Key Rotation Differences

With CNAME

  1. ESP rotates keys on their end
  2. Your CNAME still points to same target
  3. New key automatically served
  4. No DNS changes needed

With TXT

  1. Generate new key (new selector recommended)
  2. Add new TXT record to DNS
  3. Configure ESP to use new selector
  4. Wait for propagation
  5. Remove old TXT record after transition

CNAME = zero-touch rotation
TXT = manual process

Practitioner note: A client using TXT records across 12 domains learned the hard way that key rotation takes a full day of DNS work. Same client with CNAMEs on their other domains? Zero effort—the ESP handled it.

Migration: TXT to CNAME

If switching from TXT to CNAME:

  1. Get CNAME target from ESP
  2. Add CNAME record:
    s1._domainkey.yourdomain.com CNAME s1.domainkey.esp.com
    
  3. Verify CNAME resolves:
    dig CNAME s1._domainkey.yourdomain.com +short
    dig TXT s1._domainkey.yourdomain.com +short
    
  4. Delete old TXT record
  5. Verify in ESP dashboard

Some DNS providers require deleting the TXT record before adding a CNAME at the same name. This is not just a provider quirk: a CNAME cannot coexist with any other record at the same name, so the old TXT has to go either way.

Security Comparison

Aspect                 CNAME                          TXT
Key cryptography       Identical                      Identical
Verification process   Same                           Same
Attack surface         ESP's DNS                      Your DNS
Trust requirement      Trust ESP's infrastructure     Trust your infrastructure

The actual DKIM signature and verification are identical. The difference is operational (who manages the key), not cryptographic. The operational difference does matter for trust, though: with a CNAME, whoever controls the target name can publish any key that will validate for your selector, so the ESP and its DNS provider effectively hold signing authority for that selector. For more on DKIM keys and rotation, see the DKIM setup guide.

Troubleshooting

"CNAME lookup failed"

dig CNAME s1._domainkey.yourdomain.com +short

  • Check CNAME target is exactly as ESP provided
  • Verify no extra periods or spaces
  • Ensure CNAME target domain exists and has TXT record

"TXT record too long"

  • Use string concatenation
  • Check if DNS provider supports long TXT records
  • Switch to CNAME if ESP offers it

"DKIM verification failed after CNAME setup"

  • DNS propagation may take up to 48 hours
  • ESP may need to verify CNAME before enabling signing
  • Check ESP dashboard for verification status

If you need help choosing between CNAME and TXT for your specific infrastructure, or migrating existing DKIM setups, schedule a consultation. For DNS fundamentals, see the DNS configuration for email guide.

v1.0 · March 2026

Frequently Asked Questions

Should I use CNAME or TXT for DKIM?

Use CNAME if your ESP provides it. The ESP manages key rotation automatically. Use TXT only if CNAME isn't available or you need to manage keys yourself.

What's the difference between DKIM CNAME and TXT?

TXT records contain the actual public key in your DNS. CNAME records point to the ESP's DNS where they host the key. CNAMEs are easier to maintain; TXT records give you direct control.

Do CNAMEs affect DKIM security?

No. The cryptographic security is identical. CNAME just changes where the key is stored (ESP's DNS vs yours). The signature verification process is the same.

Can I switch from TXT to CNAME for DKIM?

Yes. Delete the TXT record, add the CNAME record pointing to your ESP's domain, and verify the ESP recognizes the change. Allow time for DNS propagation.

Why do some ESPs require TXT instead of CNAME?

Legacy architecture or specific signing requirements. Some ESPs need you to host the key directly. Others prefer CNAME for easier management. Use whatever your ESP provides.
