DKIM (DomainKeys Identified Mail) adds a digital signature to every email you send, allowing the recipient’s mail server to verify that the message actually came from your domain and was not altered in transit. Unlike SPF, which checks the sending server, DKIM verifies the message itself — and the signature survives email forwarding. Setting up DKIM is essential for email deliverability and is required by major providers like Gmail and Yahoo.
DKIM Is Enabled Automatically
On Ultra Web Hosting, DKIM is enabled by default for all domains. cPanel automatically generates the DKIM key pair and publishes the DNS record when you add a domain to your account. You can verify it’s working in cPanel → Email → Email Deliverability.
01. What Is DKIM?
DomainKeys Identified Mail (DKIM) is an email authentication standard defined in RFC 6376. It uses public-key cryptography to sign outgoing emails and verify incoming ones.
Think of DKIM as a tamper-proof seal on a letter. When your mail server sends an email, it creates a unique signature based on the message content and attaches it to the email header. The recipient’s mail server retrieves your public key from DNS and uses it to verify the signature. If the signature checks out, the recipient knows two things: the email came from your domain, and the message was not modified after it was signed.
DKIM is one of three email authentication standards (alongside SPF and DMARC) that work together to protect your domain. Since 2024, Google and Yahoo require DKIM for bulk senders, and proper DKIM setup significantly improves inbox placement for all senders.
02. How DKIM Works
- Key pair generation. Your mail server generates a pair of cryptographic keys: a private key (kept secret on the server) and a public key (published in DNS as a TXT record).
- Signing outgoing mail. When you send an email, your mail server uses the private key to create a digital signature based on specified parts of the message (typically the headers and body). This signature is added to the email as a DKIM-Signature header.
- Recipient lookup. The receiving mail server reads the DKIM-Signature header, extracts the domain and selector, and looks up the public key in DNS at selector._domainkey.yourdomain.com.
- Verification. The receiving server uses the public key to verify the signature. If it matches, DKIM passes. If the message was altered in any way (body changed, headers modified), the signature will not match and DKIM fails.
03. Anatomy of a DKIM Record
A DKIM record is a DNS TXT record published at a specific subdomain: selector._domainkey.yourdomain.com. The selector is a label chosen by the mail server administrator (e.g., default, google, mailchimp) that allows multiple DKIM keys for the same domain.
Example DKIM DNS record:
Name: default._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA...
Record fields:
- v=DKIM1 — DKIM version (always DKIM1)
- k=rsa — the key type (RSA is standard)
- p=MIGfMA0... — the public key (base64 encoded). If p= is empty, the key has been revoked.
- t=s (optional) — strict mode, the signing domain must exactly match the “From” domain (no subdomains)
On Ultra Web Hosting, cPanel uses the selector default, so your DKIM record is published at default._domainkey.yourdomain.com.
04. Setting Up DKIM in cPanel
DKIM is typically enabled automatically when you add a domain to your cPanel account. To verify and manage it:
- Log in to cPanel and go to Email → Email Deliverability.
- Click “Manage” next to the domain you want to check.
- cPanel shows the status of your DKIM record. A green checkmark means DKIM is properly configured. A warning icon means the DNS record is missing or incorrect.
- If DKIM is not set up, click “Install the Suggested Record” to have cPanel generate the key pair and publish the DNS record automatically.
05. Verifying Your DKIM Setup
After setting up DKIM, verify that the DNS record is published and that outgoing emails are being signed:
Ultra Web Hosting DKIM Lookup Tool: Enter your domain and selector at tools.ultrawebhosting.com/dkim-lookup to retrieve and validate your published DKIM public key. For cPanel-generated keys, use default as the selector.
cPanel Email Deliverability: In cPanel → Email → Email Deliverability, the DKIM status shows a green checkmark when the record is correctly published.
Send a test email: Send an email to a Gmail account, open the message, click the three dots → “Show original.” Look for dkim=pass in the Authentication-Results header and check for the DKIM-Signature header in the raw message.
Command line:
dig TXT default._domainkey.yourdomain.com +short
This should return a TXT record containing v=DKIM1 and the public key.
06. DKIM for Third-Party Services
If you use a third-party service to send email from your domain, that service needs its own DKIM key. Each service provides you with a DNS record to add — typically a CNAME or TXT record with a unique selector.
Google Workspace: In the Google Admin console, go to Apps → Google Workspace → Gmail → Authenticate email. Google provides a TXT record to add at google._domainkey.yourdomain.com.
Microsoft 365: Microsoft uses CNAME records. You add two CNAME records: selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com, pointing to Microsoft’s DKIM service.
Mailchimp: Mailchimp provides a CNAME record with the selector k1._domainkey.yourdomain.com.
SendGrid: SendGrid provides CNAME records for s1._domainkey.yourdomain.com and s2._domainkey.yourdomain.com.
Multiple DKIM keys can coexist on one domain because each service uses its own selector: your cPanel key (selector: default) and your Google Workspace key (selector: google) coexist without issues.
07. Troubleshooting DKIM Failures
- dkim=fail in email headers. The most common cause is that the DNS record is missing or has a typo. Use the DKIM Lookup Tool to check if the record exists at the correct selector.
- DKIM record not found. The TXT record may not be published yet (DNS propagation takes up to 24-48 hours), or the record is at the wrong subdomain. Verify the selector name matches what your mail server uses.
- DKIM signature body hash mismatch. The email body was modified after signing. This can happen when a mailing list or forwarding service alters the message (adds a footer, rewrites links, etc.). This is not something you can fix on the sender side — the modifying server should implement ARC (Authenticated Received Chain) to preserve the original DKIM result.
- Key too short. Some older DKIM keys use 512-bit RSA, which is considered insecure. Modern best practice is 1024-bit or 2048-bit RSA. cPanel generates 2048-bit keys by default. If you have an older key, regenerate it.
- DNS record truncated. 2048-bit DKIM keys are long and may exceed the 255-character limit for a single DNS TXT string. Most DNS providers handle this by splitting the value into multiple strings automatically. If your record appears truncated, check with your DNS provider.
- Third-party emails failing DKIM. The third-party service is not signing emails, or you have not added their DKIM DNS record. Check the service’s documentation and add the required CNAME or TXT record.
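The following Python script, added here as an example and not part of Ultra Web Hosting's tooling, performs the record checks from sections 03, 05 and 07 offline: it joins the split TXT strings that dig returns, parses the tag=value fields, flags an empty p= (revoked key) and measures the RSA key size from the public key itself rather than from the string length. The sample record is constructed with a dummy modulus (not a real key) so it runs without DNS.

```python
import base64
def der(tag, content):  # minimal DER TLV encoder, used only to build the constructed sample keys
    n = len(content)
    lb = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + lb + content
def fake_spki_b64(bits):
    """Constructed SubjectPublicKeyInfo with a dummy modulus of the given size (NOT a real key)."""
    n = (1 << (bits - 1)) | 0x10001                      # top bit set, so bit_length() == bits
    rsakey = der(0x30, der(0x02, b"\x00" + n.to_bytes(bits // 8, "big")) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption
    return base64.b64encode(der(0x30, alg + der(0x03, b"\x00" + rsakey))).decode()
def der_read(buf, pos=0):
    """Read one DER element at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def rsa_modulus_bits(p_b64):
    """Key size of a p= value: SPKI -> skip AlgorithmIdentifier -> BIT STRING -> RSAPublicKey -> n."""
    _, spki, _ = der_read(base64.b64decode(p_b64))
    _, _, pos = der_read(spki)
    _, bitstr, _ = der_read(spki, pos)                  # byte 0 of a BIT STRING is the unused-bit count
    _, rsakey, _ = der_read(bitstr, 1)
    _, modulus, _ = der_read(rsakey)
    return int.from_bytes(modulus, "big").bit_length()
def parse_dkim_record(strings):
    """Join the TXT strings (providers split long keys at 255 chars) and parse the tag=value pairs."""
    pairs = (part.split("=", 1) for part in "".join(strings).split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}
def check_dkim_record(strings, min_bits=1024):
    """Return the problems found; an empty list means the record looks healthy."""
    tags, problems = parse_dkim_record(strings), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("p= is empty: the key has been revoked")
    else:
        try:
            bits = rsa_modulus_bits(tags["p"])
            if bits < min_bits:
                problems.append(f"key too short: {bits}-bit RSA")
        except (ValueError, IndexError):
            problems.append("p= is not a valid base64-encoded RSA public key")
    return problems

# Constructed sample: a 2048-bit key as two TXT strings, the way dig +short shows a split record.
GOOD_RECORD = ["v=DKIM1; k=rsa; p=" + fake_spki_b64(2048)[:220], fake_spki_b64(2048)[220:]]
```

To check a live record, pass the quoted strings that dig TXT selector._domainkey.yourdomain.com +short prints, in order, to check_dkim_record.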
DKIM Tools
Use our free tools to look up, verify, and generate DKIM records for your domain:
- DKIM Lookup Tool
- DKIM Record Generator
Quick Recap: DKIM Setup
- Verify DKIM is active in cPanel → Email → Email Deliverability
- Check your record with the DKIM Lookup Tool (selector: default)
- Add DKIM records for third-party services that send email from your domain (each gets its own selector)
- Test with a real email — send to Gmail, check “Show original” for dkim=pass
- Use 2048-bit keys — regenerate if your key is shorter than 1024 bits
