This is the third chapter in our DKIM guide, which takes you through the general setup for DKIM as well as specific video walkthroughs for DNS providers like Google Domains, GoDaddy, and Cloudflare.
If you are new to DKIM or need a refresher before continuing, you can head back to chapter 1: What is DKIM and why is it important?. If you are curious about how the whole thing works, you can also check chapter 2: How does DKIM work?
Let's dive in.
How to set up DKIM (a starting point) #
No matter which ESP or mail server you use, the general setup for DKIM is the same. You need a private key stored somewhere safe, and you need to share a public key in your domain’s DNS records. Similar to SPF, DKIM also uses DNS txt records with a special format.
It’s considered best practice to periodically rotate your DKIM keys. The DKIM standard recommends rotating your keys every quarter, and it also recommends you revoke your old DKIM keys as part of this rotation. The best way to manage this is by adding your new keys, and a few days later removing your old keys DNS record for your domain.
Postmark is one of the only ESPs that make it easy to manage this rotation because we keep your old private key active while your new public key propagates.
To make things easier, we collected a few short videos that go in-depth on how to add a DKIM and CNAME records to various DNS providers.
1. DKIM and Google Domains #
2. DKIM and Cloudflare
3. DKIM and GoDaddy #
4. DKIM and Gandi #
Editor's tip: the very best approach to securing your domain’s email is to layer DKIM with SPF and DMARC. Don’t miss our other guides on these protocols to learn more about how they work together to protect your domain.
How can I test if I set up DKIM correctly? #
Once you’ve set up DKIM for an email service, send a message to an email address you manage and examine the DKIM-Signature and Authentication-Results headers (see below) to ensure DKIM passed successfully.
You can also use DMARC reports to check that the messages sent using your domain are correctly authenticated with DKIM and SPF. A DMARC monitoring service like DMARC Digests will process these reports for you and provide a useful summary of DKIM, SPF, and DMARC results for messages sent from all the mailbox providers you use.
How can I read message headers? #
Most email clients have a way of viewing the raw headers for a message.
In Gmail, select the Show original option from the context menu (⁝) in the top right corner of the message.
In the Mail app on Mac, select the message then go to View → Message → Raw Source.
In Outlook, right-click the message and select View Source.
Once you have access to the raw message headers, look for the DKIM-Signature header to confirm which DKIM key was used to sign the message.
The Authentication-Results header shows the results of the DKIM and SPF checks carried out by the receiving mail server.
Authentication-Results: mx.google.com; dkim=pass email@example.com header.s=google header.b="ga9/RuJg"; spf=pass (google.com: domain of firstname.lastname@example.org designates 220.127.116.11 as permitted sender) email@example.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=wildbit.com
Protect your domains from email forging
Postmark makes it super easy to verify domain ownership using DKIM.