DKIM records are DNS TXT records that expose the public key used to verify DKIM signatures from your sending domain.

Teams usually search for this topic during setup or incident response: , , , or . This guide is written for that practical path.

DKIM record structure

A DKIM DNS record lives at:

And typically includes values like:

  • (or another supported key type)

Example shape:

Your email provider generates the key pair. You publish the public key in DNS and your provider signs with the matching private key.

What is a selector and why it matters

A selector lets you run multiple DKIM keys for the same domain at once. That enables:

  • Safer key rotation
  • Separation across environments or providers
  • Controlled migration between senders

If your headers show , your DNS must include .

DKIM setup checklist

  1. Generate DKIM keys via your sending platform.
  2. Publish the selector TXT record in DNS.
  3. Wait for propagation and validate with a DKIM checker.
  4. Send a test message and inspect raw headers for DKIM .
  5. Confirm DMARC alignment strategy with your From domain.
  6. Repeat for each sending domain or subdomain.

If you need help creating values, use a DKIM record generator first.

DKIM signing and alignment basics

A DKIM means the signature cryptographically checks out. That still leaves one more requirement for strict policy programs: alignment.

For DMARC enforcement, the signing domain in should align with the visible From domain strategy. If not, DMARC may still fail even with a valid DKIM signature.

Use this guide together with DMARC explained and DMARC monitoring.

Common DKIM record mistakes

Split or malformed TXT value

DNS providers may split long TXT values into several quoted strings. That is fine if the strings are quoted and joined correctly, but formatting errors can invalidate the key.

Wrong selector in sender config

The sender may sign with while DNS only contains .

Stale DNS during key rotation

Signing changes deployed before DNS propagation can cause temporary failures.

Multiple platforms signing inconsistently

If different systems send from the same domain with different key strategies, results can be unpredictable.

Production troubleshooting playbook

When users report missing or spam-folder mail:

  1. Capture a failed sample email.
  2. Inspect headers for the DKIM result and selector.
  3. Query the selector record directly in DNS.
  4. Confirm the sender configuration matches the selector and domain.
  5. Verify that no downstream rewriting invalidates the body hash.
  6. Re-run tests through the email deliverability audit checklist.
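Steps 2 to 4 above, together with the split-TXT mistake described earlier, can be checked offline with a short script. This is an added example, not code from the original guide: the `<s>._domainkey.<d>` lookup name follows RFC 6376, and the selector `sel2024`, the domain `example.com`, the header and the key bytes are constructed placeholders.

```python
import base64
import re

def parse_tags(value):
    """Parse a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def record_name(dkim_signature):
    """DNS name a verifier queries for this signature: <s>._domainkey.<d>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def check_record(chunks):
    """Join the strings of one TXT record and list problems with the key."""
    tags = parse_tags("".join(chunks))  # TXT strings concatenate with no separator
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unsupported k=")
    p = tags.get("p")
    if p is None:
        problems.append("missing p=")
    elif p == "":
        problems.append("p= empty: key revoked")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

# Constructed sample data: placeholder bytes, not a real key or real message.
KEY = base64.b64encode(b"constructed-not-a-real-key" * 8).decode()
SIG = "v=1; a=rsa-sha256; d=example.com;\r\n s=sel2024; h=from:to:subject; bh=AAAA; b=BBBB"
GOOD = [f"v=DKIM1; k=rsa; p={KEY[:100]}", KEY[100:]]     # split cleanly into two strings
BAD = [f'v=DKIM1; k=rsa; p={KEY[:100]}" "{KEY[100:]}']  # stray quotes pasted into the value

if __name__ == "__main__":
    print(record_name(SIG))
    print(check_record(GOOD), check_record(BAD))
```

Feed `check_record` the list of strings your resolver returns for the name produced by `record_name`; a non-empty result points at the record rather than the signer.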

Key rotation policy recommendations

  • Use at least two selectors during rotation windows.
  • Pre-publish new keys before switching signers.
  • Keep old selector active until all queues drain.
  • Document ownership for DNS changes and signer settings.
  • Add rollback instructions in your incident runbook.

DKIM records and business risk

Incorrect DKIM records do more than reduce inbox rates. They can:

  • Break trust during high-volume launches
  • Undermine DMARC enforcement goals
  • Increase spoofing exposure for customer-facing domains

Treat DKIM records as security and reliability configuration, not a one-time marketing setup.

Final takeaway

DKIM records are simple in format but operationally critical. A reliable setup combines correct DNS publication, controlled selector strategy, regular validation, and alignment with SPF/DMARC policy decisions.