How to Set Up DKIM for Any ESP: Complete Guide

DKIM Setup Overview

DKIM (DomainKeys Identified Mail) cryptographically signs your emails, proving they weren't modified in transit and came from an authorized sender. DKIM is one of the three pillars of email authentication, alongside SPF and DMARC.

The setup process:

1. ESP generates a key pair (public + private)
2. You add the public key to your DNS
3. ESP signs outbound mail with the private key
4. Receivers verify signatures using your public key

Step 1: Generate DKIM Keys

In Your ESP Dashboard

Every ESP has a domain authentication section. Common locations:

ESP	Location
SendGrid	Settings → Sender Authentication → Authenticate Your Domain
Mailgun	Sending → Domains → DNS Records
Postmark	Sender Signatures → Add Domain
Mailchimp	Settings → Domain Verification
Klaviyo	Settings → Domains → Add Domain
HubSpot	Settings → Domain & URLs → Connect a domain

The ESP generates:

• Private key: Kept by the ESP, used for signing
• Public key: Given to you for DNS
• Selector: A name to identify this key (e.g., s1, k1, google)

Generated Output Example

Your ESP provides something like:

DNS Record Type: TXT (or CNAME) Host: s1._domainkey.yourdomain.com Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ...

Or for CNAME: Host: s1._domainkey.yourdomain.com Target: s1.domainkey.sendgrid.net

Step 2: Add DNS Records

Log into your DNS provider and add the record exactly as provided.

For TXT Records

Field	Value
Host/Name	s1._domainkey (or full FQDN depending on provider)
Type	TXT
Value	The DKIM key string from your ESP
TTL	3600 (or default)

For CNAME Records

Field	Value
Host/Name	s1._domainkey
Type	CNAME
Target	The target domain from your ESP
TTL	3600

Practitioner note: CNAME records are easier to maintain—when the ESP rotates keys, they update their end and your DNS automatically follows. TXT records require manual updates during key rotation. Choose CNAME when offered.

DNS Provider Examples

Cloudflare:

1. DNS → Add record
2. Type: CNAME (or TXT)
3. Name: s1._domainkey
4. Target/Content: [ESP-provided value]

GoDaddy:

1. DNS Management → Add
2. Type: CNAME or TXT
3. Host: s1._domainkey
4. Points to / Value: [ESP-provided value]

Step 3: Enable DKIM Signing

Some ESPs start signing automatically once DNS is verified. Others require manual activation.

Check your ESP dashboard:

• SendGrid: Click "Verify" after adding DNS
• Mailgun: Domain status shows "Active" when verified
• Postmark: Click "Verify DNS" then "Verify DKIM"
• Google Workspace: Admin Console → Apps → Gmail → Authenticate email → Start Authentication

Step 4: Verify DKIM Works

Method 1: Send Test Email

1. Send email from your ESP to a Gmail account
2. Open the email in Gmail
3. Click three dots → "Show original"
4. Look for Authentication-Results:

dkim=pass [email protected] header.s=s1 header.b=abc123

dkim=pass confirms DKIM is working.

Method 2: MXToolbox DKIM Lookup

1. Go to MXToolbox DKIM Lookup
2. Enter your domain and selector (e.g., yourdomain.com and s1)
3. Check that the key is found and valid

Method 3: dig Command

dig TXT s1._domainkey.yourdomain.com +short

Should return your DKIM public key.

ESP-Specific Setup Guides

SendGrid

1. Settings → Sender Authentication → Domain Authentication
2. Enter your domain, choose DNS host
3. Add the provided CNAME records (usually 3 records for DKIM + SPF)
4. Click "Verify"

Mailgun

1. Sending → Domains → Add New Domain
2. Add provided TXT records for DKIM
3. Wait for verification (automatic)

Postmark

1. Sender Signatures → Add Domain
2. Copy the DKIM TXT record
3. Add to DNS
4. Click "Verify DKIM"

Google Workspace

1. Admin Console → Apps → Google Workspace → Gmail
2. Authenticate email → Generate new record
3. Choose key length (2048-bit recommended)
4. Add TXT record to DNS
5. Start authentication

Microsoft 365

1. Microsoft 365 Defender → Email & collaboration → Policies
2. DKIM → Select domain → Enable
3. Add provided CNAME records
4. Wait for propagation and enable

Common Setup Issues

"DKIM record not found"

• Check the selector is correct (case-sensitive in some DNS providers)
• Wait for DNS propagation (15-60 minutes)
• Verify record is at selector._domainkey.domain.com, not selector._domainkey

"DKIM signature verification failed"

• Key mismatch: Regenerate keys in ESP and update DNS
• Record too long: Some DNS providers truncate long TXT records. Use CNAME if available
• Wrong record type: Make sure you're using TXT if ESP specifies TXT

"Key too long for DNS"

DKIM 2048-bit keys exceed some DNS providers' single-string limit. Solutions:

• Use CNAME instead of TXT
• Split the key into multiple strings (some ESPs do this automatically)
• Contact DNS provider about TXT record limits

Practitioner note: The "record not found" error after setup is almost always propagation timing or a typo in the selector name. Wait an hour before troubleshooting further.

Multiple ESP Setup

You can have DKIM for multiple ESPs simultaneously—each uses different selectors:

google._domainkey.yourdomain.com → Google Workspace
s1._domainkey.yourdomain.com → SendGrid
smtp._domainkey.yourdomain.com → Mailgun

All can coexist. Receiving servers use the selector specified in the email's DKIM-Signature header to look up the correct key.

If you need help setting up DKIM for a complex multi-ESP configuration, schedule a consultation.

Sources

• RFC 6376: DomainKeys Identified Mail (DKIM) Signatures
• SendGrid: Domain Authentication
• Google Workspace: Turn on DKIM
• Microsoft: Use DKIM for email

---

v1.0 · March 2026