DKIM setup guide: sign your cold email so it lands

The SignalMail Team · Apr 19, 2026 · 7 min read

DKIM (DomainKeys Identified Mail) signs each outgoing message with a private key. The matching public key lives in your DNS, so any receiver can verify the message is authentic and untampered.

How it works

Your provider holds a private key and adds a DKIM-Signature header to every message. You publish the public key as a TXT record on a selector subdomain, for example selector1._domainkey.yourdomain.com. Receivers fetch it and check the signature.

Setting it up

  • Generate the key pair in your sending provider — Google Workspace, Microsoft 365, or your ESP.
  • Copy the public key TXT record it gives you, including the selector.
  • Publish it in DNS exactly as provided; DKIM keys are long, and a truncated paste breaks verification.
  • Prefer a 2048-bit key where supported, and fall back to 1024 only if your DNS host limits record length.
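
One way to check a record before and after publishing it, as an added example (not SignalMail's or any provider's code): it parses the TXT value, rejoins split strings, and reads the RSA modulus size, flagging a truncated paste or a key shorter than 2048 bits. It assumes the `p=` value is a DER SubjectPublicKeyInfo RSA key; the function names and status strings are chosen here, and the sample records are constructed around a dummy modulus.

```python
import base64, binascii

def _tlv(buf, pos, want):
    """Read one DER element at pos; return (value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                  # long-form length
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != want or pos + first > len(buf):
        raise ValueError("unexpected tag or element runs past end of data")
    return pos, pos + first

def rsa_modulus_bits(der):
    """Modulus size of an RSA key in DER SubjectPublicKeyInfo form (assumed)."""
    s, _ = _tlv(der, 0, 0x30)                         # SubjectPublicKeyInfo
    _, e = _tlv(der, s, 0x30)                         # AlgorithmIdentifier
    s, _ = _tlv(der, e, 0x03)                         # BIT STRING holding the key
    s, _ = _tlv(der, s + 1, 0x30)                     # skip unused-bits octet
    s, e = _tlv(der, s, 0x02)                         # INTEGER modulus
    return int.from_bytes(der[s:e], "big").bit_length()

def check_dkim_record(txt):
    """Return (status, bits) for a DKIM TXT value as pasted into DNS."""
    parts = (p.partition("=") for p in txt.replace('"', "").split(";"))
    tags = {k.strip(): v for k, _, v in parts}
    p = "".join(tags.get("p", "").split())            # rejoin 255-byte chunks
    if not p:
        return ("no-key", 0)                          # empty p= means revoked
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (binascii.Error, ValueError, IndexError):
        return ("truncated-or-corrupt", 0)
    return ("ok" if bits >= 2048 else "short-key", bits)

def _der(tag, body):
    """Encode one DER element (helper for the constructed sample only)."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + length + body

def make_sample_record(bits):
    """Constructed sample: well-formed SPKI around a dummy modulus, not a usable key."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_pub = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

To check a live record, pass `check_dkim_record` the TXT value your DNS lookup returns for the selector and compare the result with what the provider issued.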

Alignment matters

For DMARC to pass on DKIM, the signing domain must align with the From domain. Sign with your own domain, not the provider's shared domain, so alignment holds.

Rotate periodically

Rotate keys on a schedule and retire old selectors. If a key is ever exposed, rotation limits the damage.

Verify it

Check DKIM on SignalMail's Deliverability page, then make sure SPF and DMARC are in place too.
