How DKIM works
DKIM uses public-key cryptography. Your email service holds a private key and signs every outgoing email. The corresponding public key is published in your DNS. When a receiving server gets your email, it:
- Reads the DKIM-Signature header to find the selector and signing domain
- Looks up the public key at selector._domainkey.yourdomain.com
- Verifies the signature against the email headers and body
- If the signature is valid, DKIM passes
This proves two things: the email was sent by someone with access to the private key, and the email was not modified after signing.
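The four steps above, carried through in Go as an added example (this is not RelayPost's code or a full RFC 6376 implementation): the sending side signs a constructed message with a freshly generated 2048-bit key, the key is "published" in an in-memory map that stands in for DNS so the program runs offline, and the receiving side reads s= and d= from the header, fetches the key at selector._domainkey.domain, checks the body hash (bh=) and then the signature (b=). Header and body use the RFC 6376 "simple" canonicalization; the selector, domain, header lines and body are constructed sample values, and the second call changes the body after signing to show the failure a modified message produces.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// bodyHash: "simple" body canonicalization (RFC 6376 3.4.3): CRLF line endings, trailing
// empty lines reduced to one CRLF, then base64(SHA-256). This is the bh= tag value.
func bodyHash(body string) string {
	b := strings.ReplaceAll(strings.ReplaceAll(body, "\r\n", "\n"), "\n", "\r\n")
	if !strings.HasSuffix(b, "\r\n") {
		b += "\r\n"
	}
	for strings.HasSuffix(b, "\r\n\r\n") {
		b = strings.TrimSuffix(b, "\r\n")
	}
	sum := sha256.Sum256([]byte(b))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerHash: signed headers (each line plus CRLF), then the DKIM-Signature header with an empty b=.
func headerHash(headers []string, dkimHeader string) []byte {
	h := sha256.New()
	for _, line := range headers {
		h.Write([]byte(line + "\r\n"))
	}
	h.Write([]byte(dkimHeader))
	return h.Sum(nil)
}

// parseTags splits the tag=value list used by both the header and the DNS record.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// signMessage builds the DKIM-Signature header that the sending service adds.
func signMessage(priv *rsa.PrivateKey, domain, selector string, headers []string, body string) (string, error) {
	names := make([]string, len(headers)) // h= lists the signed header names in order
	for i, line := range headers {
		names[i] = strings.ToLower(strings.SplitN(line, ":", 2)[0])
	}
	unsigned := fmt.Sprintf("DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), bodyHash(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(headers, unsigned))
	if err != nil {
		return "", err
	}
	return unsigned + base64.StdEncoding.EncodeToString(sig), nil
}

// verifyMessage is the receiver side. dns stands in for the real TXT lookup so this runs offline.
func verifyMessage(dkimHeader string, dns map[string]string, headers []string, body string) error {
	tags := parseTags(strings.TrimPrefix(dkimHeader, "DKIM-Signature:"))
	name := tags["s"] + "._domainkey." + tags["d"] // where the public key must be published
	record, found := dns[name]
	der, _ := base64.StdEncoding.DecodeString(parseTags(record)["p"]) // a bad p= fails the parse below
	pubAny, err := x509.ParsePKIXPublicKey(der)
	pub, isRSA := pubAny.(*rsa.PublicKey)
	if !found || err != nil || !isRSA {
		return fmt.Errorf("no usable RSA key at %s (record found: %v)", name, found)
	}
	if bodyHash(body) != tags["bh"] {
		return fmt.Errorf("body hash mismatch: body changed after signing")
	}
	sig, _ := base64.StdEncoding.DecodeString(tags["b"])          // a bad b= fails verification below
	signed := dkimHeader[:strings.Index(dkimHeader, "; b=")+4] // the header exactly as it was signed
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(headers, signed), sig)
}

// Constructed sample key and body (not a real key or message).
var sampleKey, _ = rsa.GenerateKey(rand.Reader, 2048)

const sampleBody = "Your deploy completed.\r\n\r\n\r\n" // trailing blank lines are canonicalized away

// roundTrip signs the sample message, then verifies it against verifyBody, which is
// either the original body or a body edited after signing.
func roundTrip(verifyBody string) error {
	der, _ := x509.MarshalPKIXPublicKey(&sampleKey.PublicKey) // SubjectPublicKeyInfo, the "MI..." prefix
	dns := map[string]string{"relaypost._domainkey.yourapp.com": "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)}
	headers := []string{"From: alerts@yourapp.com", "Subject: Deploy finished"}
	hdr, err := signMessage(sampleKey, "yourapp.com", "relaypost", headers, sampleBody)
	if err != nil {
		return err
	}
	return verifyMessage(hdr, dns, headers, verifyBody)
}

func main() {
	fmt.Println("untampered:", roundTrip(sampleBody), "| tampered:", roundTrip("Your deploy FAILED.\r\n"))
}
```

The first call returns nil (DKIM passes); the second fails at the body-hash comparison before the RSA check is even reached, which is why a "body hash mismatch" points at something rewriting the body in transit rather than at the key. Real verifiers also support the "relaxed" canonicalization, which tolerates whitespace changes; the structure of the check is the same.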
Step 1: Get your DKIM record from RelayPost
When you add a domain in RelayPost, the dashboard generates a DKIM key pair and shows you the DNS record to add. It looks like this:
| Field | Value |
|---|---|
| Type | CNAME |
| Name / Host | relaypost._domainkey |
| Value / Target | relaypost._domainkey.relaypost.dev |
| TTL | 3600 |
Some providers use a TXT record instead of CNAME. In that case, the value contains the public key directly:
```
# TXT record format
Name: relaypost._domainkey.yourapp.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
```
Step 2: Add the DNS record
Add the record in your DNS provider's dashboard. The exact steps vary by provider:
| DNS Provider | Where to add | Notes |
|---|---|---|
| Cloudflare | DNS → Records → Add Record | Disable proxy (grey cloud) for CNAME records |
| Route 53 | Hosted Zones → Create Record | Use simple routing |
| Namecheap | Advanced DNS → Add New Record | Omit the root domain from the host field |
| GoDaddy | DNS Management → Add | May need to split long TXT values |
| Google Domains | DNS → Custom Records | Supports both CNAME and TXT |
Step 3: Verify the record
```sh
# Check DKIM DNS record
dig TXT relaypost._domainkey.yourapp.com +short
# For CNAME records:
dig CNAME relaypost._domainkey.yourapp.com +short
```
Send a test email and check the headers:
```
DKIM-Signature: v=1; a=rsa-sha256; d=yourapp.com; s=relaypost; ...
Authentication-Results: mx.google.com;
    dkim=pass header.d=yourapp.com header.s=relaypost
```
DKIM alignment for DMARC
For DMARC to pass via DKIM, the signing domain (d= in the DKIM-Signature header) must align with the From domain. There are two alignment modes:
| Mode | Requirement | Example |
|---|---|---|
| Relaxed (default) | Organizational domain must match | d=mail.yourapp.com aligns with From: [email protected] |
| Strict | Exact domain must match | d=yourapp.com must match From: [email protected] |
RelayPost signs with your exact domain by default, so DMARC alignment works in both modes.
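The two alignment modes as an added Go example (not RelayPost's code): it pulls the domain out of the From header, then compares it with the DKIM d= domain exactly (strict) or by organizational domain (relaxed). The organizational-domain function here takes the last two labels, which is right for a domain like yourapp.com but wrong under public suffixes such as co.uk; a real DMARC implementation consults the Public Suffix List. The addresses and domains are constructed sample values; relaypost.dev appears only to show a signing domain that does not align.

```go
package main

import (
	"fmt"
	"strings"
)

// organizationalDomain returns the registrable domain. Simplification: last two labels.
// Production DMARC code must use the Public Suffix List instead.
func organizationalDomain(domain string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(domain, ".")), ".")
	if len(labels) <= 2 {
		return strings.Join(labels, ".")
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// fromDomain extracts the domain of a From header value, "Name <user@host>" or "user@host".
func fromDomain(from string) string {
	addr := from
	if i := strings.LastIndex(from, "<"); i >= 0 {
		addr = strings.TrimSuffix(from[i+1:], ">")
	}
	_, host, _ := strings.Cut(addr, "@")
	return strings.ToLower(host)
}

// dkimAligned reports whether the DKIM d= domain aligns with the From domain.
// strict (DMARC adkim=s): exact match. relaxed (adkim=r, the default): same organizational domain.
func dkimAligned(from, d string, strict bool) bool {
	fd := fromDomain(from)
	d = strings.ToLower(strings.TrimSuffix(d, "."))
	if strict {
		return fd == d
	}
	return organizationalDomain(fd) == organizationalDomain(d)
}

func main() {
	cases := []struct{ from, d string }{
		{"Alerts <alerts@yourapp.com>", "mail.yourapp.com"}, // aligns relaxed only
		{"alerts@yourapp.com", "yourapp.com"},               // aligns in both modes
		{"alerts@yourapp.com", "relaypost.dev"},             // never aligns
	}
	for _, c := range cases {
		fmt.Printf("From %-30s d=%-18s relaxed=%-5v strict=%v\n",
			c.from, c.d, dkimAligned(c.from, c.d, false), dkimAligned(c.from, c.d, true))
	}
}
```

The third case is the situation a provider creates when it signs with its own domain instead of yours: the signature can be perfectly valid and DKIM still contributes nothing to DMARC because d= and From never align.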
Key rotation
Rotate DKIM keys every 6-12 months. The process:
- Generate a new key pair (your email service handles this)
- Publish the new public key in DNS with a new selector (e.g., relaypost2._domainkey)
- Wait 24-48 hours for DNS propagation
- Switch your email service to sign with the new key
- Keep the old key published for 7 days (for in-flight emails)
- Remove the old DNS record
Troubleshooting
- dkim=fail — Check that the DNS record matches exactly what your provider gave you. Extra spaces or missing characters break the key.
- dkim=neutral — The DKIM record exists but the signature could not be verified. Usually a key mismatch.
- Record not found — DNS hasn't propagated yet, or the selector name is wrong. Double-check the full record name.
- Body hash mismatch — Something modified the email body after signing. Check for email security gateways or content filters.
Frequently asked questions
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication protocol that adds a cryptographic signature to every outgoing email. The receiving server verifies the signature against a public key in your DNS, proving the email was sent by an authorized system and was not modified in transit.
What is a DKIM selector?
A DKIM selector is a prefix that identifies which DKIM key to use. It allows you to have multiple DKIM keys for different services. For example, relaypost._domainkey.yourapp.com uses the selector 'relaypost'. Each email service gets its own selector.
Should I use 1024-bit or 2048-bit DKIM keys?
Always use 2048-bit keys. 1024-bit keys are considered weak and some receivers may flag them. Most email services generate 2048-bit keys by default. If your DNS provider has a 255-character TXT record limit, split the key into multiple strings.
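The record check from Step 3, the "record not found / key mismatch" cases from Troubleshooting and the 255-character split from this answer, worked through in Go as an added example (not RelayPost's tooling): it splits a long DKIM value into the quoted strings a TXT record carries, renders and re-parses the `dig +short` style output, then validates the record and reports the RSA key size so a 1024-bit key can be flagged. The records are built around keys generated in the program, so nothing here is a real published key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// splitTXT breaks a long value into the <=255-byte strings a single TXT record may hold.
func splitTXT(value string) []string {
	var parts []string
	for len(value) > 255 {
		parts = append(parts, value[:255])
		value = value[255:]
	}
	return append(parts, value)
}

// digShortOutput renders the strings the way `dig TXT ... +short` prints them: quoted, space separated.
func digShortOutput(parts []string) string {
	quoted := make([]string, len(parts))
	for i, p := range parts {
		quoted[i] = `"` + p + `"`
	}
	return strings.Join(quoted, " ")
}

var quotedString = regexp.MustCompile(`"([^"]*)"`)

// joinDigOutput reverses digShortOutput: the strings are concatenated with no separator.
func joinDigOutput(line string) string {
	var b strings.Builder
	for _, m := range quotedString.FindAllStringSubmatch(line, -1) {
		b.WriteString(m[1])
	}
	return b.String()
}

var pTag = regexp.MustCompile(`(?:^|;)\s*p=([^;]*)`)

// inspectRecord validates a DKIM TXT value and returns the RSA modulus size in bits.
// Failures map onto the troubleshooting list: wrong record type, garbled/incomplete key,
// and an empty p= (which RFC 6376 defines as a revoked key).
func inspectRecord(value string) (int, error) {
	v := strings.TrimSpace(value)
	if strings.HasPrefix(v, "v=") && !strings.HasPrefix(v, "v=DKIM1") {
		return 0, fmt.Errorf("version tag is not DKIM1: not a DKIM record")
	}
	m := pTag.FindStringSubmatch(v)
	if m == nil {
		return 0, fmt.Errorf("no p= tag: not a DKIM record")
	}
	b64 := strings.Join(strings.Fields(m[1]), "") // RFC 6376 allows folding whitespace inside p=
	if b64 == "" {
		return 0, fmt.Errorf("empty p= tag: key has been revoked")
	}
	der, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return 0, fmt.Errorf("p= is not valid base64 (missing characters?): %w", err)
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return 0, fmt.Errorf("p= does not decode to a public key: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return 0, fmt.Errorf("key is not RSA")
	}
	return rsaPub.N.BitLen(), nil
}

// strong reports whether the key meets the 2048-bit recommendation.
func strong(bits int) bool { return bits >= 2048 }

// sampleRecord builds a DKIM TXT value around a freshly generated key (constructed sample data).
func sampleRecord(bits int) string {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

func main() {
	for _, bits := range []int{1024, 2048} {
		parts := splitTXT(sampleRecord(bits))
		got, err := inspectRecord(joinDigOutput(digShortOutput(parts)))
		fmt.Printf("%d TXT strings, key=%d bits, strong=%v, err=%v\n", len(parts), got, strong(got), err)
	}
	_, err := inspectRecord("v=DKIM1; k=rsa; p=")
	fmt.Println("revoked record:", err)
}
```

A 1024-bit key fits in one 255-character string (which is why the page's sample value starts with MIGf, the SubjectPublicKeyInfo length for a 1024-bit key), while a 2048-bit key always needs two; if a provider's dashboard shows only one string for a 2048-bit key, the value was truncated and the key will fail to decode exactly as this check reports.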
How often should I rotate DKIM keys?
Rotate DKIM keys every 6-12 months as a security best practice. When rotating, publish the new key first, wait for DNS propagation (24-48 hours), then switch your email service to use the new key. Keep the old key published for a few days to handle in-flight emails.
Does DKIM survive email forwarding?
Yes, unlike SPF. DKIM signatures are attached to the email itself, not the sending IP. When an email is forwarded, the DKIM signature remains valid as long as the email body and signed headers are not modified. This is one of DKIM's key advantages.