
    DKIM Explained - DNS Keys, Selectors, and Email Signatures

    Learn how DKIM signs outbound email, where DKIM public keys live in DNS, how selectors work, and how to rotate DKIM keys safely.


    TL;DR

    DKIM adds a cryptographic signature to outbound email. The sender signs selected headers and body content with a private key; receivers fetch the public key from DNS at selector._domainkey.example.com and verify the signature. DKIM survives forwarding better than SPF and is one of the two authentication signals DMARC can use for alignment. Publish provider-generated DKIM TXT records, use 2048-bit keys where supported, and rotate selectors without deleting old keys too early.

    What you'll learn

    • Understand how DKIM signatures are verified
    • Publish DKIM public keys in DNS
    • Use selectors for key rotation and multiple providers
    • Diagnose common DKIM failures

    DKIM (DomainKeys Identified Mail) lets a receiving mail server verify that a message was signed by a domain and was not materially changed in transit.

    The private key stays with the sending mail system. The public key is published in DNS as a TXT record. Receivers use that public key to verify the DKIM-Signature header on the message.

    DKIM works with SPF and DMARC. DMARC can pass when DKIM passes and aligns with the visible From domain.

    How DKIM Works

    1. Your sending platform creates a private/public key pair.
    2. You publish the public key in DNS under a selector name.
    3. The sender hashes the message body, then signs the selected headers (including that body hash) with the private key.
    4. The resulting DKIM-Signature header carries the selector (s=), the signing domain (d=), the list of signed headers (h=), the body hash (bh=) and the signature itself (b=).
    5. The receiver looks up s._domainkey.d, using the s= and d= values from that header.
    6. The receiver recomputes the body hash, compares it with bh=, and verifies b= with the public key from DNS.

    If both checks succeed, DKIM passes for the d= domain.

    DKIM DNS Record

    Example:

    selector1._domainkey.example.com.  3600  IN  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."

    Important tags:

    Tag        Meaning
    v=DKIM1    DKIM version marker. Optional, but if present it must be the first tag and must read DKIM1.
    k=rsa      Key type. RSA is common; some providers support Ed25519 (k=ed25519, RFC 8463).
    p=         Base64 public key (for RSA, a DER-encoded SubjectPublicKeyInfo). An empty p= means the key has been revoked.
    t=y        Testing mode: verifiers must not treat failures from a testing domain differently from unsigned mail. Rare in production.
    t=s        Strict domain matching: the i= identity in the signature must use exactly the d= domain, not a subdomain of it.

    Selectors

    The selector lets a domain publish multiple DKIM keys. The sender chooses the selector in the DKIM-Signature header:

    DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; ...

    The receiver queries:

    selector1._domainkey.example.com TXT

    Selectors make these workflows possible:

    • Separate keys for Google Workspace and a marketing platform
    • Zero-downtime key rotation
    • Different keys per mail stream
    • Emergency revocation of one sender without breaking others
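
    The receiver-side steps above that need only the message itself, as an added example in Python (standard library only; not code from the page). It parses the DKIM-Signature tag list, derives the DNS name to query from s= and d=, and recomputes the bh= body hash with simple or relaxed canonicalization, which is how modification after signing is actually detected. The body and signature header are constructed for the example; b= is a placeholder, because producing it needs the selector's private key and checking it needs the public key from DNS, which this block does not fetch.

```python
import base64
import hashlib
import re


def parse_tag_list(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2); folding whitespace is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_dns_name(sig: dict) -> str:
    """Name the verifier queries: <s>._domainkey.<d>, taken from the signature's own tags."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def canonicalize_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    if mode == "relaxed":
        # Collapse runs of SP/HTAB to one SP and drop trailing whitespace on every line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    elif mode != "simple":
        raise ValueError(f"unknown body canonicalization {mode!r}")
    # Both modes ignore every empty line at the end of the body ...
    body = re.sub(rb"(\r\n)+\Z", b"", body)
    # ... and terminate the result with one CRLF; simple does so even for an empty body.
    if body or mode == "simple":
        body += b"\r\n"
    return body


def body_hash(body: bytes, mode: str, algo: str = "sha256") -> str:
    """The bh= value: base64 of the hash over the canonicalized body."""
    return base64.b64encode(hashlib.new(algo, canonicalize_body(body, mode)).digest()).decode()


def check_body_hash(sig: dict, body: bytes) -> bool:
    """Recompute bh= from the received body using the c= and a= tags and compare."""
    _header_canon, _, body_canon = sig.get("c", "simple/simple").partition("/")
    algo = sig["a"].split("-", 1)[1]  # "rsa-sha256" -> "sha256"
    return body_hash(body, body_canon or "simple", algo) == sig["bh"]


# Constructed sample (not from the page). The DKIM-Signature value is built so that
# bh= matches BODY; b= is a placeholder because producing it needs the selector's
# private key, and checking it needs the public key from DNS.
BODY = b"Hello,\r\n\r\nYour invoice is attached.\r\n\r\n\r\n"
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
    "h=from:to:subject:date; bh=" + body_hash(BODY, "relaxed") + "; b=PLACEHOLDER"
)


def verify_body(signature: str, body: bytes) -> dict:
    """Steps 4 and 5 of the flow above plus the bh= half of step 6."""
    sig = parse_tag_list(signature)
    return {"dns_name": dkim_dns_name(sig), "bh_ok": check_body_hash(sig, body)}


if __name__ == "__main__":
    print(verify_body(SIGNATURE, BODY))
    # A mailing-list footer appended in transit changes the body, so bh= no longer matches.
    print(verify_body(SIGNATURE, BODY + b"-- \r\nSent via list.example.net\r\n"))
    # Trailing whitespace added in transit is absorbed by relaxed canonicalization.
    print(verify_body(SIGNATURE, BODY.replace(b"attached.", b"attached.   ")))
```

    The two tampered runs show why c= matters: an appended footer fails under either canonicalization, while trailing whitespace is tolerated only under relaxed. A bh= mismatch is reported before the public key is even fetched, so "message modification after signing" is a failure the DNS record cannot fix.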

    Key Length and TXT Splitting

    Use 2048-bit RSA keys where your provider supports them. A 2048-bit RSA public key in DER form is about 392 base64 characters, so the record exceeds the 255-octet limit of a single TXT character-string and must be split into several quoted strings. In zone-file form:

    selector1._domainkey.example.com.  TXT  (
      "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
      "MIIBCgKCAQEArandomexamplekeymaterial..."
    )

    DNS returns those strings exactly as published; it is the DKIM verifier, not the resolver, that concatenates them in order and without any separator before decoding p=. DNScale handles long TXT values through the dashboard and API, but raw zone files must preserve correct quoting: a dropped quote or a string longer than 255 octets changes or rejects the record, and the usual symptom is a key that no longer base64-decodes.
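
    An added Python example (not DNScale's code or the page's) covering both sides of the split: the zone-file side cuts a long record into 255-octet strings and quotes them; the verifier side joins the strings back and checks what came out, which also serves the rotation and revocation workflows above (v= placement, p= base64 decoding, an empty p= meaning the key is revoked, and the RSA modulus size read from the DER key, which is how a weak 1024-bit key is caught). The key material is constructed filler shaped like a real SubjectPublicKeyInfo, not a real key; the small DER encoder exists only to build it, and sample_record is an assumed helper name.

```python
import base64
import binascii
import re

MAX_STRING = 255  # one TXT <character-string> holds at most 255 octets

def split_txt(rdata: str) -> list:
    """Cut a record into <=255-octet pieces; the verifier joins them again in order."""
    data = rdata.encode()
    return [data[i:i + MAX_STRING].decode() for i in range(0, len(data), MAX_STRING)]

def zone_file_rr(name: str, rdata: str, ttl: int = 3600) -> str:
    """Render the record in the multi-line zone-file form shown above, with quotes escaped."""
    quoted = ['  "' + s.replace("\\", "\\\\").replace('"', '\\"') + '"' for s in split_txt(rdata)]
    return f"{name}  {ttl}  IN  TXT  (\n" + "\n".join(quoted) + "\n)"

def parse_tag_list(value: str) -> dict:
    """tag=value list per RFC 6376 section 3.2; whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def _der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos -> (tag, value, next position); refuses truncated input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> bit length of the modulus n."""
    tag, body, end = _der_read(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a single DER SEQUENCE")
    _, _alg, pos = _der_read(body, 0)      # AlgorithmIdentifier (rsaEncryption), skipped
    _, bits, _ = _der_read(body, pos)      # BIT STRING; first octet counts unused bits
    _, rsa, _ = _der_read(bits[1:], 0)     # RSAPublicKey SEQUENCE
    _, n, _ = _der_read(rsa, 0)            # INTEGER n, possibly with a leading 0x00 sign octet
    n = n.lstrip(b"\x00")
    return (len(n) - 1) * 8 + n[0].bit_length()

def check_dkim_key_record(strings: list) -> dict:
    """What a verifier sees: join the strings, then validate the tags and the key."""
    record = "".join(strings)  # concatenated in order with no separator
    tags = parse_tag_list(record)
    out = {"key_type": tags.get("k", "rsa"), "bits": None, "revoked": False, "problems": []}
    if "v" in tags and (tags["v"] != "DKIM1" or not record.lstrip().startswith("v=")):
        out["problems"].append("v= must be DKIM1 and must be the first tag")
    if "p" not in tags:
        out["problems"].append("missing p= tag")
    elif tags["p"] == "":
        out["revoked"] = True  # an empty p= means the key has been revoked
    else:
        try:
            key = base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            out["problems"].append("p= is not valid base64 (broken TXT splitting?)")
            return out
        if out["key_type"] == "rsa":
            try:
                out["bits"] = rsa_modulus_bits(key)
            except (ValueError, IndexError):
                out["problems"].append("p= is not an RSA SubjectPublicKeyInfo (truncated?)")
            else:
                if out["bits"] < 2048:
                    out["problems"].append(f"{out['bits']}-bit RSA key; use 2048 bits")
        elif out["key_type"] == "ed25519" and len(key) != 32:
            out["problems"].append("ed25519 p= must be the raw 32-byte public key")
    return out

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample key below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_record(bits: int) -> str:
    """CONSTRUCTED: a key record whose p= is shaped like a real RSA SubjectPublicKeyInfo
    of the given size; the modulus is deterministic filler (top bit set), not key material."""
    modulus = b"\x00" + bytes(0xC0 | (i % 0x3F) for i in range(bits // 8))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    pub = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))     # n, e = 65537
    spki = _der(0x30, alg + _der(0x03, b"\x00" + pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

RECORD_2048 = sample_record(2048)

if __name__ == "__main__":
    print(zone_file_rr("selector1._domainkey.example.com.", RECORD_2048))
    print(check_dkim_key_record(split_txt(RECORD_2048)))      # 2048 bits, no problems
    print(check_dkim_key_record(split_txt(RECORD_2048)[:1]))  # second string lost in the zone file
    print(check_dkim_key_record(["v=DKIM1; k=rsa; p="]))      # revoked key
```

    Feed check_dkim_key_record the list of strings that dig returns for a selector, rather than a hand-joined value, and a lost or mis-quoted second string shows up as a base64 or DER error instead of a silent "dkim=fail" days later.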

    Safe DKIM Rotation

    1. Generate a new selector at the provider.
    2. Publish the new DNS TXT record.
    3. Wait for DNS propagation.
    4. Enable signing with the new selector.
    5. Keep the old selector published for at least your senders' longest retry window, typically several days.
    6. Remove the old selector only after retries and queued mail have drained.

    Deleting the old key too early causes DKIM failures for delayed mail: messages signed with the old selector that are still queued or being retried arrive after the record is gone, and the lookup fails. If the old private key may have been compromised and must stop validating immediately, publish its record with an empty p= (which marks the key as revoked) instead of deleting it, and accept that mail already signed with it will fail.

    DNScale Setup

    curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
      -H "Authorization: Bearer YOUR_API_KEY" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "selector1._domainkey",
        "type": "TXT",
        "content": "v=DKIM1; k=rsa; p=MIIBIjANBgkqh...",
        "ttl": 3600
      }'

    Validation

    dig TXT selector1._domainkey.example.com +short

    A split record prints as several quoted strings on one line; that is expected, because the verifier joins them. An empty answer means the record is missing, published under the wrong name, or not yet propagated.

    Inspect a received email's Authentication-Results header and confirm:

    • dkim=pass
    • header.d=example.com (the d= domain from the signature)
    • header.s=selector1 (the selector that actually signed, where the receiver reports it)
    • dmarc=pass, which requires the DKIM d= domain to match or align with the visible From domain

    Frequently asked questions

    Where is a DKIM record published?
    A DKIM public key is published as a TXT record at selector._domainkey.yourdomain. The selector is named by the sending system in the s= tag of the DKIM-Signature header, and the domain part comes from its d= tag.
    Who generates DKIM keys?
    Usually your email provider. Google Workspace, Microsoft 365, SES, Postmark, SendGrid, and similar platforms generate the private/public key pair. They keep the private key and give you the DNS TXT record for the public key.
    Can I have multiple DKIM records?
    Yes. DKIM supports multiple selectors. Each selector is a different DNS name, so different providers and key rotations can coexist safely.
    Why does DKIM fail?
    Common causes are a missing DNS key, broken TXT splitting, wrong selector, message modification after signing, expired provider configuration, or a key that was deleted before old mail stopped being retried.
    Does DKIM replace SPF?
    No. DKIM and SPF authenticate different parts of the mail flow. DKIM is usually more robust through forwarding; SPF is still useful for direct sender authorization. DMARC can pass with aligned DKIM even when SPF fails.
