Use CNAME for ESP-hosted DKIM (SendGrid, Mailgun, Klaviyo, Mailchimp) so the ESP can rotate keys without your involvement. Use TXT for self-hosted DKIM where you control the private key. Both are RFC-compliant. CNAME is more common in 2026 because most senders use ESPs, and it eliminates key rotation friction.
DKIM CNAME vs TXT Records: Which Should You Use?
When you set up DKIM with an ESP, they hand you records to add to DNS. Sometimes those records are CNAMEs pointing at the ESP's infrastructure. Sometimes they're TXT records with the public key in them. Both are valid DKIM configurations, but they behave differently for key rotation and security audits. This guide covers when each is used, what to choose if you have the choice, and how to debug DKIM lookups.
The short version: CNAME if your ESP offers it (most do), TXT if you control your own keys.
How DKIM lookups work
When a receiver gets a message signed with DKIM, they read the DKIM-Signature header for two values: the signing domain (d=yourdomain.com) and the selector (s=selector1). They then look up:
selector1._domainkey.yourdomain.com
That query returns a TXT record containing the public key. If your DNS has a CNAME at that location, the receiver follows the CNAME to the target and reads the TXT there.
selector1._domainkey.yourdomain.com. CNAME selector1._domainkey.youresp.net.
selector1._domainkey.youresp.net. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3..."
This is transparent to the receiver. From the verification perspective, CNAME and TXT both produce the same result: a public key the receiver uses to verify the signature.
When ESPs use CNAME
Most major ESPs default to CNAME in 2026:
| ESP | DKIM record type | Notes |
|---|---|---|
| SendGrid | CNAME (3 records) | "Authenticated domain" setup |
| Mailgun | CNAME (1-2 records) | Recommended by default |
| Klaviyo | CNAME (2-3 records) | Dedicated sending domain feature |
| Mailchimp | CNAME (3 records) | "Authenticated domain" |
| Postmark | CNAME or TXT | Choice during setup |
| Resend | CNAME | Default |
| AWS SES | CNAME (3 records) | "Easy DKIM" |
| Brevo | CNAME | Default |
| Klaviyo | CNAME | Default for branded sending |
The reason: ESPs rotate DKIM keys periodically (every 6-12 months is typical) for security. If they used TXT records, every customer would have to manually update their DNS every rotation. With CNAMEs, the ESP updates their own underlying records and customer DKIM rotates automatically.
For background on key rotation, see DKIM key rotation.
When you'd use TXT instead
You publish your own DKIM TXT record when:
- You run your own mail server (Postfix + OpenDKIM, Mail-in-a-Box, Mailcow). The key is on your server, the public half lives in your DNS.
- You want to pin a specific key for compliance or security audits.
- Your ESP doesn't offer CNAME (rare in 2026, but some smaller providers).
- You're doing third-party DKIM without a hosting relationship.
For self-hosted mail servers, a TXT record looks like:
mailserver._domainkey.yourdomain.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ..."
The private key stays on your server (/etc/opendkim/keys/yourdomain.com/mailserver.private for OpenDKIM). The public key goes in DNS as TXT.
CNAME vs TXT comparison
| Factor | CNAME | TXT |
|---|---|---|
| Key rotation | Automatic via ESP | Manual |
| You control the key | No | Yes |
| Setup complexity | One record (usually) | One record |
| Visibility into key value | Hidden behind CNAME | Visible in DNS |
| Works for all ESPs | Most modern ones | All |
| Security audit friendly | Less | More |
| Risk if ESP loses key | Low (they rotate) | N/A (you own it) |
| Multi-ESP same domain | Yes (different selectors) | Yes (different selectors) |
For most senders using an ESP, CNAME is the better operational choice. The trade-off (visibility into the exact key) doesn't matter unless you have specific compliance requirements.
DNS record limits to watch for
CNAME records have one significant restriction in DNS: a CNAME cannot coexist with any other record type at the same name. If you have a CNAME at selector1._domainkey.yourdomain.com, you can't also have a TXT at that exact name. This rarely matters for DKIM but trips people up when migrating between ESPs.
Practitioner note: When switching ESPs, set up the new DKIM records first (different selector, won't conflict), verify they work, then update the From-domain DKIM-Signature header to use the new selector before tearing down the old records. Keep the old records live for 7-14 days during transition to handle mail still in queue.
Setting up DKIM with multiple ESPs
You can run multiple ESPs signing for the same From-domain by using different selectors:
s1._domainkey.yourdomain.com. CNAME s1.domainkey.u1234.wl.sendgrid.net.
k1._domainkey.yourdomain.com. CNAME k1.domainkey.mg.yourdomain.com.
postmark._domainkey.yourdomain.com. CNAME pm.dkim.postmarkapp.com.
Each ESP signs with its own selector. Receivers verify whichever selector matches the message's DKIM-Signature header. All three work simultaneously.
This pattern is common when you have:
- Marketing on Klaviyo
- Transactional on Postmark
- Cold outreach on Smartlead (with separate domain, ideally)
Debugging DKIM record problems
When DKIM verification fails, check in order:
-
Does the record resolve?
dig TXT selector1._domainkey.yourdomain.com +shortIf empty, the record isn't published or DNS hasn't propagated.
-
Does the CNAME target exist?
dig CNAME selector1._domainkey.yourdomain.com dig TXT <the CNAME target>Both should return values.
-
Is the public key valid format? The TXT should start with
v=DKIM1; k=rsa; p=followed by a base64-encoded key. -
Does the message's DKIM header match? View the raw message source, look for
DKIM-Signature: ... d=yourdomain.com; s=selector1; .... Thed=should be your signing domain,s=your selector. -
Does it actually verify? Send to
[email protected]or use a tool like dkimvalidator.com.
For the broader troubleshooting workflow, see DKIM verification failed.
Practitioner note: The most common DKIM failure I see isn't the CNAME vs TXT decision — it's a typo in the selector name during DNS setup. The ESP says "add a CNAME at scph0925._domainkey" and someone adds "scph0926._domainkey" because that's what they're looking at on another browser tab. dig the exact selector and verify it returns before assuming the issue is elsewhere.
If you're setting up DKIM across multiple ESPs and want help with selector strategy and rotation planning, book a consultation. I do authentication setup including multi-ESP DKIM, DMARC alignment, and key rotation schedules.
Sources
- RFC 6376 — DKIM Signatures — IETF
- SendGrid domain authentication setup — Twilio SendGrid
- Mailgun DKIM setup — Mailgun
- AWS SES Easy DKIM — AWS
- Postmark DKIM documentation — Postmark
v1.0 · May 2026
Frequently Asked Questions
What's the difference between DKIM CNAME and TXT records?
A DKIM TXT record holds the public key directly in your DNS. A DKIM CNAME record points to a target hostname (usually at your ESP) that hosts the TXT record. Mailbox providers follow the CNAME and read the eventual TXT record. Functionally identical for verification; operationally different for key management.
Why do some ESPs use DKIM CNAMEs?
Because they want to rotate DKIM keys without requiring every customer to update DNS. With a CNAME pointing to the ESP's record, they update the underlying TXT and you inherit the new key instantly. SendGrid, Mailgun, Klaviyo, and most modern ESPs default to CNAME for this reason.
Can I use a TXT record instead of CNAME for ESP DKIM?
Sometimes, depending on the ESP. SendGrid, Postmark, and a few others let you choose. Mailgun and Klaviyo require CNAME on most plans. If you're given a choice, TXT lets you pin a specific key (useful for security audits); CNAME gives the ESP key rotation flexibility (usually better operationally).
How do I check if my DKIM record is set up correctly?
Use `dig TXT selector._domainkey.yourdomain.com` from the command line, or use MXToolbox DKIM lookup. You should see the public key value. If you used CNAME, dig will show the redirect and then the underlying TXT. Send a test message to mail-tester.com for full DKIM signature validation.
What does a DKIM selector mean?
A DKIM selector is a label that identifies which key was used to sign a message. The selector appears in the DKIM-Signature header (s=selector1) and in the DNS lookup path (selector1._domainkey.yourdomain.com). Each ESP uses its own selectors (sendgrid uses s1/s2, Mailgun uses k1/k2, etc.), which lets you have multiple ESPs signing for the same domain.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.