DKIM (DomainKeys Identified Mail) is a digital signature for your emails. It verifies that an email truly comes from the domain it claims to be from, adding a layer of authenticity to your messages.
However, your DKIM protection is only as good as your DKIM setup — get the setup wrong, and DKIM will be about as helpful as a disabled home security system.
Email spoofing is on the rise (by a massive 341%), and email authentication solutions like DKIM act as trusted verifiers. DKIM tells receiving servers, “Yes, this email is indeed from the sender it claims to be.”
Implementing DKIM could be the difference between your messages reaching their intended inboxes or being relegated to the spam folder. Beyond avoiding the spam trap, DKIM also:
- Protects your brand reputation
- Prevents others from impersonating your domain
- Improves overall email deliverability rates
Think of DKIM as a secure seal on a physical letter. Just as a wax seal once verified the authenticity of important documents, DKIM provides a digital seal of approval for your emails. It works behind the scenes, invisible to your recipients, but non-negotiable in guaranteeing your messages are trusted and delivered.
Below, we’ll walk you through everything you need to know to perfectly implement your DKIM setup and protect your brand’s email communications.
What is DKIM (and how does it work)?
DKIM is an email authentication method designed to detect email spoofing. In simpler terms, it’s a way to prove that an email really came from where it says it did.
While DKIM doesn’t encrypt your email content (that’s a job for other protocols), it does guarantee that the message hasn’t been tampered with in transit. It’s like a tamper-evident seal for your digital communications.
How DKIM works
- The signature: When you send an email, your email server adds a digital signature to the message header. This signature is a unique code generated using a private key that only your server knows.
- The public key: You publish a public key in your domain’s DNS records. This key is like the other half of a secret handshake — it can verify the signature, but can’t create it.
- The verification: When your email reaches its destination, the receiving server looks up your domain’s public key in DNS. It uses this key to check if the signature in the email header is valid.
- The result: If the signature checks out, the email passes DKIM authentication. If not, it might be flagged as suspicious.
Preparing to set up your DKIM
Before setting up your DKIM, it’s a good idea to do a little planning. This will set you up for success (and maybe prevent you from duplicating efforts).
Check for DKIM
First things first: let’s make sure you’re not reinventing the wheel. Your domain might already have DKIM set up, especially if you’re using a major email service provider. Here’s how to check:
- Send a test email to a Gmail account.
- Open the email and click on the “More” option (usually a down arrow) next to the reply button.
- Select “Show original.”
- Look for a “dkim=” line in the headers. If it’s there and says “pass,” congratulations! You’ve already got DKIM.
DKIM toolkit access
Before we start, let’s make sure you have everything you need:
- Access to your DNS records: You’ll need to be able to add a new TXT record to your domain’s DNS. If you’re not sure how to do this, you might need to contact your domain registrar or hosting provider.
- Your domain name: This one’s obvious, but make sure you know the exact domain you want to set up DKIM for.
- A DKIM key pair: This consists of a public key and a private key. Don’t panic — we’ll cover how to generate these in the next section.
- Access to your email server configuration: You’ll need to be able to add the private key to your email server.
Already feeling a bit overwhelmed? We know the feeling — that’s why we offer Valimail Enforce, a streamlined way to create, manage, and automate DKIM, SPF, and DMARC. Check it out.
DKIM setup: step-by-step process
1. Generate your DKIM key pair
First, you need to create your DKIM key pair. This consists of a private key (which your email server will use to sign messages) and a public key (which receiving servers will use to verify the signature).
- Use a DKIM key generation tool (many are available online)
- Choose a key size (1024 bits is standard, but 2048 bits is more secure)
- Save both the private and public keys securely
2. Create your DKIM record
Now that you have your keys, it’s time to create your DKIM record. This is what you’ll add to your DNS.
- Start with your selector (a name for this particular key, like “mail” or “key1”)
- Add “._domainkey” to your selector
- Append your domain name
- Format your public key according to DKIM standards
Your record should look something like this:
mail._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSma0axspqYK49unoN..."
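One way to sanity-check a record before publishing it, as an added example that is not Valimail's code: it checks the record name, parses the tags, decodes `p=` and flags RSA keys under 2048 bits, the threshold this page later calls too weak. The function names are hypothetical, and `sample_record` builds a constructed, well-formed stand-in key rather than a real one.

```python
import base64

def _tlv(buf, pos=0):  # read one DER tag-length-value at pos; return (value, next_pos)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def rsa_bits(spki):
    # Modulus size of a DER SubjectPublicKeyInfo RSA key (the decoded p= value).
    outer, _ = _tlv(spki)                  # SubjectPublicKeyInfo SEQUENCE
    _, after_alg = _tlv(outer)             # skip AlgorithmIdentifier
    bitstr, _ = _tlv(outer, after_alg)     # BIT STRING wrapping RSAPublicKey
    rsakey, _ = _tlv(bitstr, 1)            # byte 0 is the unused-bits count
    modulus, _ = _tlv(rsakey)              # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(name, txt, domain, min_bits=2048):
    # Return a list of problems found in one DKIM TXT record (empty list = OK).
    problems = []
    selector, sep, rest = name.rstrip(".").partition("._domainkey.")
    if not (selector and sep) or rest.lower() != domain.lower():
        problems.append("name is not <selector>._domainkey.<domain>")
    tags = {k.strip(): v.strip() for k, v in (t.split("=", 1) for t in txt.split(";") if "=" in t)}
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    key_b64 = "".join(tags.get("p", "").split())
    if not key_b64:
        return problems + ["p= is missing or empty"]
    try:
        bits = rsa_bits(base64.b64decode(key_b64, validate=True))
    except (ValueError, IndexError):
        return problems + ["p= is not a complete base64 DER RSA public key"]
    if bits < min_bits:
        problems.append("RSA key is %d bits, below %d" % (bits, min_bits))
    return problems

def sample_record(bits):
    # Constructed sample: well-formed DER, but the modulus is NOT a real RSA key.
    def der(tag, body):
        size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        return bytes([tag]) + (size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size) + body
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 keeps n positive
    rsakey = der(0x30, der(0x02, n) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, bytes.fromhex("06092a864886f70d0101010500")) + der(0x03, b"\x00" + rsakey))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

The `MIGf` prefix in the example record above is how a 1024-bit RSA key encodes in base64; a 2048-bit key begins with `MIIB`.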
3. Add the DKIM record to your DNS
Here’s how to do it:
- Log in to your DNS management interface
- Create a new TXT record
- Enter the DKIM record you created in the previous step
- Save your changes (and be patient — DNS changes can take up to 48 hours to propagate)
4. Configure your email server
Now, you need to tell your email server to start signing messages.
- Access your email server’s configuration
- Add your private key
- Configure your server to sign outgoing emails with DKIM
- Restart your email service to apply the changes
5. Test your DKIM setup
The moment of truth: let’s make sure everything is working.
- Send a test email to an external account (Gmail works well for this)
- View the email headers
- Look for the “DKIM-Signature” header, then check that the “dkim=” result in the headers says “pass”
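The header check above can be scripted against a saved copy of the test message. This is an added example, not part of the original article: it lists the DNS name a receiver looks up for each signature and reads the `dkim=` result only from the Authentication-Results header written by your own receiving server. The hostnames, header values and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample headers (not from a real message).
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@yourdomain.com header.s=mail header.b=AbCdEfGh;
 spf=pass smtp.mailfrom=yourdomain.com
Authentication-Results: other.invalid; dkim=pass header.d=example.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com;
 s=mail; h=from:to:subject:date; bh=Y29uc3RydWN0ZWQ=;
 b=AbCdEfGhY29uc3RydWN0ZWQ=
From: sender@yourdomain.com
To: test@example.net
Subject: DKIM test

body
"""

def _tags(value):
    # DKIM-Signature is a ";"-separated tag=value list; folding whitespace is not significant.
    pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def key_records(raw):
    # DNS names a receiver queries for the public key: <s>._domainkey.<d>
    sigs = (_tags(v) for v in message_from_string(raw).get_all("DKIM-Signature", []))
    return ["%s._domainkey.%s" % (t["s"], t["d"]) for t in sigs if "s" in t and "d" in t]

def dkim_results(raw, authserv_id):
    # Collect (result, signing domain) from Authentication-Results headers added by
    # authserv_id only; a header carrying any other server name could have been
    # written by the sender, so it is ignored.
    out = []
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        server, _, rest = value.partition(";")
        if server.lower().split()[:1] != [authserv_id.lower()]:
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*dkim=(\w+)", clause)
            if m:
                d = re.search(r"header\.[di]=(?:\S*@)?(\S+)", clause)
                out.append((m.group(1), d.group(1) if d else None))
    return out
```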
Automate your DKIM setup (and more) with Valimail
Setting up DKIM isn’t rocket science, but it’s also not the most straightforward process, and it’s not necessarily something you or your IT team have done before. If you’re looking for a way to simplify the process (and who isn’t?), we know a thing or two. Here’s how Valimail can help you automate your DKIM setup and more.
- Automated DKIM setup: Valimail generates your DKIM keys, creates the DNS records, and even helps with the email server configuration.
- DMARC management: DKIM is great, but it’s even better with DMARC. Valimail helps you implement and manage your DMARC policy alongside DKIM.
- Monitoring and reporting: You shouldn’t need a PhD to understand your DMARC reports. That’s why we provide clear, actionable insights, including our DKIM Continuous Protection Report, a powerful dashboard that tracks key age, usage, and security across all your domains. You’ll know when a DKIM key is outdated, unused, or too weak (less than 2048 bits), and get clear guidance on when it’s time to rotate or retire a key. It’s built to help you stay ahead of security best practices without the guesswork.
- Multi-domain support: Managing email authentication for multiple domains? Valimail’s got you covered.

Whether you choose to set up DKIM manually or use an automation solution like Valimail, the most important thing is that you’re taking steps to secure your email. Your future self (and your email recipients) will thank you.
Want to get a hands-on walkthrough of the Valimail platform? Schedule a demo with our email experts, and they’ll give you the grand tour.