How to Set Up DKIM: Step-by-Step Guide

Q: What does an empty DKIM p= value mean?

An empty p= in a DKIM record means the public key was revoked. Receivers will treat signatures from that selector as broken, so replace the record with the current key from your provider.

DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every message you send. The receiving server looks up your public key in DNS, checks the signature, and confirms the mail really came from your domain and wasn't tampered with in transit. Without it, you fail one of the three checks every inbox provider runs — and you start the conversation in the spam folder.

Setup is the same shape everywhere: generate a key, publish a DNS record, then switch signing on. The third step is the one people forget, and it is the one that actually matters. This guide walks each major platform in order.

It is more common than you would think. When we ran live DNS authentication checks on 130 real B2B companies in June 2026, 18.5% had no detectable DKIM at all. Nearly one in five domains was sending mail no receiver could verify.

The three steps, in order

Whatever platform you are on, DKIM setup follows the same sequence. Get these in the right order and nothing else surprises you.

Generate the key. Your provider creates a public/private key pair and gives you a DNS record to publish. The private key stays with them; the public key goes in your DNS.
Publish the record. Add the record at your domain's DNS host (the registrar or wherever your nameservers live). It lives at selector._domainkey.yourdomain.com.
Turn signing on. Go back to the provider and enable signing. Until you do this, the record sits in DNS doing nothing — your mail is still unsigned.

Setting up DKIM by platform

Google Workspace

Google publishes a single DKIM TXT record on the google._domainkey selector. The whole flow lives in the Admin console.

Open the Admin console and go to Apps → Google Workspace → Gmail → Authenticate email.
Select your domain, then click Generate new record. Choose the 2048-bit key length if your DNS host supports it.
Google shows you a TXT record. The host is google._domainkey and the value is a long v=DKIM1; k=rsa; p=... string.
Publish that TXT record at your DNS host, wait for it to propagate, then return to the same screen and click Start authentication to turn signing on.

That last click is the whole game. The record alone does nothing until authentication is started.

Microsoft 365

Microsoft 365 works differently: instead of one TXT record, you publish two CNAME records that point back to Microsoft's DKIM infrastructure, then enable signing in the Defender portal.

Open the Microsoft Defender portal and go to Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM.
Select your domain. Microsoft shows you two CNAME records — selectors selector1._domainkey and selector2._domainkey — each pointing to an onmicrosoft.com target.
Publish both CNAMEs at your DNS host exactly as shown. Two selectors let Microsoft rotate keys without downtime.
Once the CNAMEs resolve, return to the DKIM page and toggle Sign messages for this domain with DKIM signatures to Enabled.

If the toggle refuses to flip, the CNAMEs haven't propagated yet. Wait and try again — don't recreate them.

Any ESP or sending tool

SendGrid, Mailgun, Amazon SES, your CRM, your cold-email platform — they all follow the same pattern. The provider hands you a selector._domainkey record (the selector name is theirs, often something like s1, mte, or a random string) and you publish it. Some give you a TXT record, some give you CNAMEs, exactly like the two cases above.

Find the domain authentication or sender authentication screen in your sending tool.
Copy the record it generates — note the exact selector and record type.
Publish it at your DNS host, then click verify inside the tool so it confirms the key and starts signing.

Each platform signs on its own selector, so you can run several at once on the same domain. Google Workspace on google._domainkey, Microsoft on selector1/selector2, and your outbound tool on its own selector can all sign mail for the same domain without conflict.

How to verify it actually worked

Publishing the record is not proof. Confirm signing is live before you trust it.

Send a test message to an inbox you control — a personal Gmail works well.
Check the headers. In Gmail, open the message, click the three-dot menu and choose Show original. Look for DKIM: 'PASS' alongside your domain. A pass means the signature verified.
Use a checker. Tools that read the raw message, or a DNS lookup of selector._domainkey.yourdomain.com, confirm the public key is published and well-formed.
Run a full authentication check. Our free Outbound Reality Check runs live SPF, DKIM, DMARC, and MX lookups and returns an A–F grade in about 60 seconds, no signup.

Common mistakes

These are the failures we see most often when a domain looks set up but mail still isn't signed.

Forgetting to switch signing on. The record is published, but nobody clicked Start authentication in Google or flipped the Defender toggle. The DNS looks fine; the mail goes out unsigned. This is the single most common DKIM error.
Wrong selector. The host was typed as google_domainkey instead of google._domainkey, or the selector from one tool was pasted under another. The selector must match exactly what the provider gave you.
A 2048-bit key split across TXT strings. A 2048-bit public key is longer than a single DNS TXT string can hold (255 characters), so it gets split into chunks. Some DNS hosts mishandle the reassembly and the key becomes invalid. If a checker reports a broken key, this split is usually why — re-paste it as one record and let the host quote it correctly.
An empty p= value. If the record's p= is blank, the key was revoked and receivers treat the signature as broken. Replace it with the current key from your provider.

DKIM is one of three

DKIM proves the message is authentic and unaltered. It does not work alone. SPF authorizes which IPs may send for your domain (a TXT record at the apex). DMARC (a TXT record at _dmarc) tells receivers what to do when SPF or DKIM fail to align — p=none only monitors, p=quarantine sends to spam, p=reject bounces the mail. Google and Yahoo's 2024 bulk-sender rules require all three, plus one-click unsubscribe and a spam-complaint rate under 0.3%. Set DKIM up, then make sure SPF and DMARC are right too. Our 2026 benchmark has the full methodology and numbers.

How MeetForge fits

We run B2B outbound end to end — domains, authentication, warmup, sending, and replies — so DKIM, SPF, and DMARC are handled correctly before a single email goes out. You only pay for qualified conversations, tracked on a public ledger. No retainer for activity, no pressure. If you would rather just confirm your own setup, the free check above takes a minute.

Check your own domain — free, 60 seconds

Type your domain and get an instant A–F grade on SPF, DKIM, DMARC, and MX — the same live checks we run for clients. No signup.

Run the Outbound Reality Check →

FAQ

How long does DKIM take to start working?

Publishing the DNS record is instant on your side, but propagation can take anywhere from a few minutes to 48 hours depending on your TTL. Most providers see it within an hour. Don't turn signing on until your provider confirms the record is detected.

Do I need a separate DKIM record for every sending tool?

Yes. Each platform signs with its own key and selector, so each one needs its own selector._domainkey record. Google Workspace, Microsoft 365, and your cold-email tool can all sign mail for the same domain at the same time, each on a different selector.

What does an empty DKIM p= value mean?

An empty p= in a DKIM record means the public key was revoked. Receivers will treat signatures from that selector as broken, so replace the record with the current key from your provider.

Is DKIM enough on its own?

No. DKIM is one of three checks. You also need SPF to authorize sending IPs and DMARC to tell receivers what to do when alignment fails. Google and Yahoo's bulk-sender rules require all three.