What is DKIM?
Imagine you’re sending an important letter in the mail. To prove it’s genuinely from you and hasn’t been tampered with, you seal it with wax and press your family crest into it. That’s essentially what DKIM does for your emails, except instead of wax and a crest, it uses cryptographic signatures.
DKIM stands for DomainKeys Identified Mail, and it’s one of the three pillars of email authentication that keeps your cold emails out of the spam folder. When you send an email with DKIM enabled, your email server adds an invisible digital signature to it. Think of this signature as a mathematical fingerprint that’s incredibly difficult to forge.
Here’s what happens behind the scenes. Your email server uses a private key, stored securely on your system, to create a unique signature for every outgoing email. This signature gets embedded in the email headers. When someone receives your email, their server looks up your public key, which you’ve published in your DNS records, and uses it to verify that the signature is legitimate. If everything matches up, the email passes DKIM authentication. If something’s off, maybe because someone tried to modify the email in transit, the signature won’t match and DKIM will fail.
The beauty of this system is that it’s mathematically provable. You can’t fake a DKIM signature without access to the private key, and you can’t modify the email content without invalidating the signature. It’s like that wax seal, except impossibly harder to forge.
Why DKIM Matters for Cold Email
You might be wondering why you need to bother with all this technical setup just to send some emails. The answer is simple: email providers like Gmail and Outlook are incredibly suspicious of unauthenticated emails, and they should be.
Let’s say you’re running a cold outreach campaign to potential clients. You’ve spent hours crafting the perfect message, segmenting your list, and personalizing each email. But if you haven’t set up DKIM, there’s a cryptographic gap in your email’s credentials. Gmail looks at your email and thinks, “This claims to be from example.com, but there’s no way to verify it actually is.” That’s a red flag.
Without DKIM, you’re essentially asking recipients to trust your emails on faith alone. In today’s world of phishing attacks and email spoofing, that’s not going to cut it. Email providers have gotten smart about this. They check for DKIM signatures as part of their spam filtering algorithms. An email without DKIM doesn’t just look unprofessional, it looks suspicious.
Here’s a real scenario we see all the time. A company starts sending cold emails without proper authentication. Their open rates are terrible, maybe five or six percent. They assume their messaging is off or their targeting is wrong. But when they check their deliverability, they discover most of their emails are landing in spam. They set up DKIM along with SPF and DMARC, and suddenly their deliverability jumps to over ninety percent. Same emails, same targeting, completely different results.
DKIM also plays a crucial role in building your domain reputation over time. Every time you send an email that passes DKIM, you’re proving to email providers that you’re a legitimate sender. This builds trust. Over weeks and months, this trust accumulates into a positive sending reputation, which means better inbox placement for all your future emails.
And if you’re planning to implement DMARC, which you absolutely should, you need DKIM. DMARC requires that either SPF or DKIM passes for an email to be considered authenticated. Having both gives you redundancy and maximizes your chances of successful delivery.
DKIM vs SPF: What’s the Difference?
Both DKIM and SPF are email authentication methods, but they protect against different threats and work in fundamentally different ways. Understanding the distinction helps you appreciate why you need both.
SPF, or Sender Policy Framework, is all about verifying the server that sent your email. When you set up SPF, you’re publishing a list of IP addresses and servers that are authorized to send email on behalf of your domain. When an email arrives claiming to be from your domain, the receiving server checks whether it came from one of the approved servers. It’s like having a guest list at an exclusive party. If you’re on the list, you get in. If not, you’re turned away.
DKIM takes a different approach. Instead of checking where the email came from, it verifies the email content itself hasn’t been tampered with. The cryptographic signature covers specific parts of the email, including headers and the message body. If anything changes during transit, the signature becomes invalid. This protects against man-in-the-middle attacks where someone might intercept and modify your email.
| Aspect | SPF | DKIM |
|---|---|---|
| What it verifies | Sending server | Email content |
| How it works | Checks server IP against authorized list | Verifies cryptographic signature |
| Protects against | Unauthorized servers sending | Email tampering in transit |
| Record type | Single TXT record | Selector-specific TXT record |
| Complexity | Simpler | More complex |
Here’s why you need both. SPF can be bypassed if someone gains access to one of your authorized servers. DKIM protects against that because they’d also need the private key to create valid signatures. Conversely, DKIM doesn’t prevent unauthorized servers from sending email claiming to be from your domain, but SPF catches that. Together, they create a comprehensive authentication system.
Understanding DKIM Components
Before we dive into the setup process, let’s break down the key components of DKIM so you understand what you’re actually configuring.
At the heart of DKIM is a key pair, consisting of a private key and a public key. The private key stays securely on your email server and is used to create signatures for outgoing emails. You never share this key, and if it’s compromised, you need to generate a new one immediately. The public key, on the other hand, is published in your DNS records where anyone can access it. This is what receiving servers use to verify your signatures.
Then there’s the selector, which is essentially a label for your DKIM key. The selector allows you to have multiple DKIM keys for the same domain, which is incredibly useful when you’re using multiple email services. For example, you might use Google Workspace for your main email and a cold email tool like Instantly for outreach. Each would have its own selector, like “google” and “instantly”, so they don’t interfere with each other.
When you publish a DKIM record in DNS, it includes the selector in the record name. For instance, if your selector is “google” and your domain is “example.com”, the full record name would be “google._domainkey.example.com”. The record itself is a TXT record that contains the version (always DKIM1), the key type (usually RSA), and the actual public key data.
The genius of this system is in how these pieces work together. When your email server signs a message, it includes the selector in the email headers. The receiving server sees this selector, uses it to look up the correct public key in your DNS, and then verifies the signature. This means you can rotate keys, use different keys for different services, and manage everything through DNS updates.
Setting Up DKIM in Google Workspace
Let’s walk through setting up DKIM for Google Workspace, which is one of the most common email platforms for businesses. Google makes this process relatively straightforward, but there are still some gotchas to watch out for.
Start by logging into your Google Admin console at admin.google.com. You’ll need super admin privileges to access DKIM settings. Navigate to Apps, then Google Workspace, then Gmail. Look for the “Authenticate email” option and click on it. You’ll see a list of your domains. Select the domain you want to configure DKIM for.
Here’s where the magic happens. Click “Generate new record” and you’ll be presented with a couple of options. First, you need to choose the DKIM key bit length. You’ll see two options: 1024-bit and 2048-bit. The 2048-bit key is more secure and is the recommended choice in almost all cases. However, some older DNS providers have character limits that can’t accommodate the longer key. If you run into issues adding the record to DNS, you can come back and generate a 1024-bit key instead, but try the stronger one first.
You’ll also see a field for the prefix selector. Google typically defaults to “google” which works perfectly fine. Some people like to use custom selectors for organizational purposes, but there’s no real advantage unless you have a specific naming convention you’re following.
Click “Generate” and Google will create your DKIM key pair. You’ll see two pieces of information: the DNS hostname, which will be something like “google._domainkey”, and the TXT record value, which is a long string starting with “v=DKIM1; k=rsa; p=” followed by what looks like random characters. This is your public key encoded in a specific format.
Now you need to add this to your DNS. This is where many people get tripped up because every DNS provider has a slightly different interface. Log into your DNS provider, which might be GoDaddy, Cloudflare, Namecheap, or wherever you manage your domain. Look for the DNS management section and find where you can add a new record.
Create a new TXT record. In the Name or Host field, enter the DNS hostname Google gave you. This is usually just “google._domainkey” without your domain name, because most DNS interfaces automatically append your domain. However, some DNS providers require the full hostname including your domain. If you’re not sure, check your provider’s documentation or try without the domain first.
In the Value or TXT Content field, paste the entire DKIM record value from Google. Make sure you get the whole thing. It’s long, and it’s easy to accidentally miss characters if you’re copying manually. Set the TTL to 3600, which is one hour, or leave it at the default if your provider doesn’t let you specify.
Save the record and wait. DNS propagation can take anywhere from a few minutes to 48 hours, though it’s usually much faster. Don’t try to activate DKIM in Google immediately. Give it at least fifteen to thirty minutes.
After waiting, go back to the Google Admin console, to the same DKIM authentication page. You should see a “Start authentication” button. Click it. If enough time has passed and your DNS record is set up correctly, Google will verify the record and enable DKIM. You’ll see the status change to “Authenticating email” with a green checkmark.
If it fails, don’t panic. The most common issues are DNS propagation delays or typos in the record. Wait another hour and try again. You can also use a tool like MXToolbox’s DKIM lookup to verify your DNS record is published correctly before activating in Google.
Setting Up DKIM in Microsoft 365
Microsoft 365 takes a slightly different approach to DKIM that’s both easier in some ways and more confusing in others. The good news is that Microsoft generates the keys automatically. The potentially confusing part is that they use CNAME records instead of TXT records, and they create two records instead of one.
Start by going to the Microsoft 365 Defender portal at security.microsoft.com. Navigate to Email & collaboration, then Policies & rules, then Threat policies. You’ll see DKIM in the list of available policies. Click on it.
You’ll see a list of your domains. Select the domain you want to enable DKIM for. If this is the first time you’re setting up DKIM for this domain, you’ll see a button to “Create DKIM keys”. Click it and Microsoft will automatically generate a key pair for you. You don’t get to choose the key length or selector like you do with Google. Microsoft handles all of that.
Once the keys are generated, Microsoft will display two CNAME records that you need to add to your DNS. This is different from most other providers that use TXT records. The records will look something like this: the first will have a host name of “selector1._domainkey” pointing to “selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com”, and the second will be “selector2._domainkey” pointing to a similar target.
Why two records? Microsoft uses key rotation for security. They have two selectors so they can switch between them periodically without disrupting email sending. You need to add both for the system to work properly.
Go to your DNS provider and add both CNAME records. The process is similar to adding TXT records, but you’re selecting CNAME as the record type instead. The Name field gets the selector hostname, and the Value or Target field gets the full onmicrosoft.com address that Microsoft provided. Some DNS providers call this “Points to” or “Alias” instead of Value.
After adding both records and waiting for DNS propagation, return to the Microsoft 365 Defender portal. You’ll see a toggle switch labeled “Sign messages for this domain with DKIM signatures”. Flip it to the ON position. If your DNS records are set up correctly, it should activate without errors. If it fails, check that both CNAME records are present and correctly configured.
DKIM for Cold Email Tools
Here’s something that catches a lot of people off guard: your cold email tool needs its own DKIM setup, separate from your main email provider. This is because tools like Instantly, Lemlist, or Apollo often send through different infrastructure, either their own servers or third-party services like SendGrid.
Let’s say you’ve set up DKIM for Google Workspace and you’re sending regular business email without any problems. Then you start using Instantly for cold outreach. If Instantly is sending through their own infrastructure, those emails won’t have the DKIM signature from your Google Workspace setup. The private key is on Google’s servers, not Instantly’s.
For Instantly specifically, they typically use SendGrid’s infrastructure for sending. When you connect your Google Workspace account to Instantly, DKIM can sometimes be inherited from your Google setup, but this isn’t guaranteed and depends on how you’ve configured things. The safest approach is to check Instantly’s settings for any domain authentication requirements and follow their specific instructions.
Lemlist has a dedicated section for domain authentication. You’ll find it under Settings, in the Email Warm-up & Deliverability section. They’ll provide you with DNS records to add, including a DKIM record. The selector will usually be something like “lemlist” to distinguish it from your other DKIM setups. Add their record to your DNS just like you did for Google or Microsoft, using whatever selector they specify.
Apollo.io has a similar process. In their Settings under Email Setup, you’ll find an option to authenticate your domain. They’ll generate DKIM records for you to add to DNS. Each of these tools uses a different selector, so you can have multiple DKIM records without any conflicts.
If you’re using infrastructure providers directly, like SendGrid or Mailgun, they have their own authentication processes. SendGrid uses CNAME records for DKIM, similar to Microsoft. You’ll go to Settings, then Sender Authentication, and authenticate your domain. SendGrid will provide three CNAME records to add to your DNS.
Mailgun is more traditional and uses TXT records. In their Sending section under Domains, you add your domain and they provide DNS records including DKIM. Both services will verify the records once they’re in place.
The key insight here is that every sending service needs its own DKIM setup. Your DNS will end up with multiple DKIM records, each with a unique selector. This is perfectly normal and expected. You might have “google._domainkey” for Google Workspace, “lemlist._domainkey” for Lemlist, and “sendgrid1._domainkey” for SendGrid, all for the same domain.
Verifying Your DKIM Setup
Once you’ve added your DKIM records and activated signing in your email provider, you need to verify that everything is working correctly. There are several ways to do this, and it’s worth checking with multiple methods to be sure.
The quickest check is using MXToolbox’s DKIM lookup tool. Go to mxtoolbox.com/dkim.aspx and enter your domain and selector in the format “selector:domain.com”. For example, if you’re checking Google Workspace DKIM, you’d enter “google:yourdomain.com”. If the record is set up correctly, you’ll see “DKIM Record Found” along with the record details. If it says “DKIM Record not found”, either your DNS record isn’t published yet or there’s a typo in the selector or record name.
A more thorough test is to actually send an email and check the headers. Send a test email from your authenticated domain to a Gmail address you control. Open that email in Gmail, click the three dots menu, and select “Show original”. This opens a new window with the full email headers and a summary of authentication results.
Look for the DKIM line in the summary at the top. You want to see “DKIM: PASS” along with information about which selector was used. In the detailed headers below, you’ll find a line starting with “dkim=pass” that includes your domain and selector. This confirms that your email was signed with DKIM and the signature was successfully verified.
If you see “DKIM: FAIL” or “dkim=neutral”, something is wrong. The most common causes are a mismatch between the private key used to sign the email and the public key published in DNS, or issues with how the DNS record is formatted.
Another useful tool is Mail Tester at mail-tester.com. This service gives you a temporary email address to send to, then analyzes your email and provides a score out of ten along with detailed feedback. Send a test email to the address they provide, then refresh the page to see your results. Mail Tester checks DKIM along with SPF, DMARC, and many other deliverability factors. It’s a great way to get a comprehensive view of your email authentication status.
You want to see green checkmarks for DKIM Record Found, DKIM Signature Valid, and ideally a DKIM: PASS result. Any red marks indicate problems you need to fix.
Troubleshooting Common DKIM Issues
Even with careful setup, things can go wrong with DKIM. Let’s walk through the most common issues and how to fix them.
The most frequent problem is “DKIM Record Not Found” when you try to verify. This usually happens right after setup when DNS propagation is still in progress. DNS changes can take anywhere from a few minutes to 48 hours to propagate globally, though most changes are visible within an hour. If you’re seeing this error immediately after adding the record, just wait and try again later.
If you’re still seeing “Record Not Found” after 24 hours, there’s likely an error in how you added the record. Log into your DNS provider and verify the record exists. Check that the record name is exactly correct. Common mistakes include forgetting the “_domainkey” part, misspelling the selector, or accidentally adding your domain name when the DNS interface already appends it automatically. Some people end up with records named “google._domainkey.example.com.example.com” because they included the domain when they shouldn’t have.
Another issue is “DKIM Signature Verification Failed” where the record exists but the signature doesn’t match. This usually means there’s a mismatch between the private key your server is using to sign emails and the public key published in DNS. This can happen if you regenerated keys but forgot to update DNS, or if you updated DNS with the wrong key. The fix is to regenerate the DKIM key in your email provider and make sure you copy the exact record they give you into DNS.
Email forwarding can also cause DKIM failures. When an email is forwarded, some email systems modify the message in ways that break the DKIM signature. There’s not much you can do about this on your end since it happens after the email leaves your control. This is one reason why DMARC policies should allow for the possibility of DKIM failure as long as SPF passes.
If you’re getting errors about the DKIM key being too long for DNS, you’re probably trying to use a 2048-bit key with a DNS provider that has strict character limits. Most modern DNS providers handle long TXT records just fine by automatically splitting them into multiple strings, but some older systems don’t. Your options are to switch to a 1024-bit key, which is less secure but shorter, or manually split the key into multiple quoted strings in the DNS record value.
Sometimes you’ll run into issues with multiple DKIM records that conflict. This happens if you accidentally use the same selector for different services. Remember, each service should have a unique selector. If you’ve set up “default._domainkey” for both Google and SendGrid, they’ll conflict. Check all your DKIM records and make sure each selector is unique.
Best Practices for DKIM Management
Now that you have DKIM set up and working, there are some best practices to follow to keep it secure and effective.
Always use 2048-bit keys when possible. They’re more secure and better resistant to cryptographic attacks. Only drop down to 1024-bit if your DNS provider absolutely can’t handle the longer record. Most modern providers have no issues with 2048-bit keys.
Consider rotating your DKIM keys periodically, perhaps once a year. Key rotation involves generating a new key with a different selector, adding it to DNS, switching your email server to use the new key, and then removing the old key after a transition period. This limits the damage if a private key is somehow compromised. The process is straightforward: create the new key, add it to DNS, wait for propagation, switch your email provider to use the new selector, then after a few days remove the old DNS record.
Monitor your DKIM passing rate over time. Google Postmaster Tools, if you’re sending enough volume to Gmail, will show you authentication statistics. Your cold email tool should also provide deliverability metrics. If you see DKIM pass rates dropping, investigate immediately. It could indicate a configuration problem or a security issue.
Document your DKIM setup somewhere your team can access. Write down which selectors are used for which services, when keys were last rotated, and any special configuration notes. This documentation becomes invaluable when troubleshooting issues or when team members change.
If you’re running multiple cold email campaigns with different sending domains, each domain needs its own DKIM setup. Don’t assume that configuring DKIM for one domain covers your other domains. Each domain’s DNS needs its own DKIM records.
Finally, remember that DKIM is just one part of email authentication. It works best in combination with SPF and DMARC. SPF verifies the sending server, DKIM verifies the email content, and DMARC tells receiving servers what to do if either check fails while also providing you with reports about authentication failures. Together, these three protocols create a robust authentication system that maximizes your deliverability.
Key Takeaways
Setting up DKIM is a critical step in ensuring your cold emails reach the inbox instead of the spam folder. DKIM uses cryptographic signatures to prove your emails are authentic and haven’t been tampered with in transit. The setup process involves generating a key pair in your email provider, publishing the public key in your DNS records, and activating signing.
Every service you use to send email needs its own DKIM configuration, which means you’ll likely have multiple DKIM records with different selectors. This is normal and expected. Google Workspace, Microsoft 365, and cold email tools all have their own setup processes, but the core concept is the same: generate keys, publish in DNS, activate signing, then verify it’s working.
Always verify your DKIM setup using tools like MXToolbox and by checking email headers. Monitor your authentication pass rates over time and address any failures quickly. Use 2048-bit keys for better security, document your setup for your team, and consider rotating keys annually.
With DKIM properly configured alongside SPF and DMARC, you’ve built a strong foundation for email deliverability that will serve your cold email campaigns well.
Need Help With DKIM?
Email authentication can get complex quickly, especially when you’re juggling multiple sending services and domains. We’ve configured DKIM for hundreds of clients and know all the edge cases and gotchas that can trip you up.
If you want your authentication set up correctly the first time, or if you’re dealing with DKIM issues that are hurting your deliverability, we can help. Our team will audit your current setup, fix any problems, and ensure your emails are authenticated properly across all your sending infrastructure.
Ready to get your cold email deliverability dialed in? Book a call with our team and let’s get your DKIM configuration working perfectly.