How to Set Up DKIM

Last updated on May 28, 2025.

In this DomainKeys Identified Mail (DKIM) setup guide, we walk you through the steps on how to set up DKIM correctly, test it, avoid common pitfalls, and fix common mistakes.

Off

How to Set Up DKIM Step by Step

You’ll need a few things to start DKIM setup:

A list of all your domains that send emails
A DKIM package for your email server
A DKIM key wizard (which are readily found online for free)
Access to your DNS (or someone who does)
A DKIM record checker (which are also readily found online for free)

Then you can proceed along the path to a correct DKIM setup:

1. List all your sending domains

Create a complete inventory of every domain and subdomain that can send email on your behalf, including third-party services. For example, check if you’re sending emails from platforms like these:

Email marketing
Marketing automation
Customer relationship management
Customer service email management
Anything else that sends email on your behalf

2. Install a DKIM package

Install a DKIM package, like OpenDKIM, on your email server. Your choice of DKIM package will depend on the email server’s operating system. The installation process will depend on the DKIM package and operating system.

3. Create the public & private DKIM key pair

Use a DKIM key wizard to generate a public and private key pair. You’ll have to specify selector names for your key pairs. Selectors tell receiving email servers where to find the public key for each domain. It’s best to make selectors descriptive of what their domain sends. For example, the selector for your email marketing domain could be “marketing.”

4. Publish your public DKIM key

Your DKIM wizard should return a selector record that should look something like this: (selector)._domainkey

You’ll need to add a TXT record with that name to your DNS.* The value of the record is a specially formatted version of your DKIM key and some identifying information that tells receivers how to interpret your DKIM key.

5. Hide your private DKIM key

Your DKIM wizard should also produce your private key, which should be stored wherever your DKIM package specifies.

6. Configure your email server

Your particular server or email service provider may have additional instructions for installing DKIM. If you’re using an email service provider or hosting provider, work with them for any necessary server configuration.

7. Common mistakes during setup

Unfortunately, setup can sometimes be tricky and common mistakes include:

Multiple records named selector ._domainkey
You've entered an incorrect DKIM record name
You have a missing or misconfigured private or public key

How Do I Prevent Spoofing?

DKIM helps improve email deliverability and when combined with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), it can play a critical role in preventing email spoofing.

Example of DKIM passing rate for Office 365 as third-party sending domain for "dummy" financial institution in backend of Fortra DMARC Protection.

Email spoofing occurs when a fraudster sends an email that appears to be sent from someone else by using a forged sender address. For example, fraudsters may send emails to your employees that appear to come from your CEO or send emails to your customers that appear to come from your organization.

This is a common identity deception technique used to trick recipients into revealing sensitive information, including login credentials or financial data. Email spoofing is frequently used in phishing and BEC scams.

You achieve this by adding SPF, DMARC and BIMI, in addition to DKIM:

Sender Policy Framework (SPF): SPF is an email authentication standard that allows domain owners to specify which servers are authorized to send email with their domain in the “Make From:” email address. SPF allows receiving email systems to query DNS to retrieve the list of authorized servers for a given domain. If an email message arrives via an authorized server, the receiver can consider the email legitimate.
Domain-based Message Authentication, Reporting & Conformance (DMARC): DMARC is an email authentication standard that works as a policy layer for SPF and DKIM to help email receiving systems recognize when an email isn’t coming from a company’s approved domains, and provides instructions to email receiving systems with email on how to safely dispose of unauthorized email.
Brand Indicators for Message Identification (BIMI): BIMI is an email specification that works in conjunction with DMARC to enable companies to have their logos displayed next to their email messages in a recipient’s email client. Not only does this enhance brand visibility in crowded inboxes, it also verifies that the email is legitimate and comes from a trusted source.

Discover how Fortra DMARC Protection automates and simplifies email authentication so you can get to a reject policy faster!

Learn More

DKIM Guide: How to Set Up the Email Standard Step by Step

How to Set Up DKIM Step by Step

1. List all your sending domains

2. Install a DKIM package

3. Create the public & private DKIM key pair

4. Publish your public DKIM key

5. Hide your private DKIM key

6. Configure your email server

7. Common mistakes during setup

How Do I Prevent Spoofing?

Discover how Fortra DMARC Protection automates and simplifies email authentication so you can get to a reject policy faster!

Cybersecurity Experts at Fortra

Privacy Policy

Cookie Policy

Terms of Service

Accessibility

Fortra AI Use

Impressum