This article explains what DKIM is and how to set it up.
As of February 2024, Google and Yahoo have increased their enforcement of domain authentication. To avoid issues with email delivery, it’s crucial to complete DKIM authentication for the sending domain you use to send emails.
Tip: For full protection, set up DMARC after configuring DKIM.
What Is DKIM?
DomainKeys Identified Mail (DKIM) is a type of email authentication that verifies the legitimacy of the sender and their domain. When emails are “DKIM-signed,” they’re more likely to be trusted by inbox providers, which can improve deliverability and reduce bounce rates. For more information about how DKIM works and why it matters, see our article about DKIM and deliverability.
Note: You can only set up DKIM for a domain that you own. If you do not own a domain and are currently sending from a free email domain, such as @gmail.com, please refer to our article about domain names and registrars.
Can I set up DKIM for more than one domain?
Each email marketing account or subaccount can only have one authenticated domain at a time. It is not possible to authenticate more than one domain in a single account or subaccount. Standalone accounts, such as Lite and Plus accounts, do not have subaccounts and are limited to one authenticated domain. Tiered accounts can authenticate one domain in each subaccount, but the domains can differ between subaccounts. For more information, please refer to our article about DKIM and tiered accounts.
Setting Up DKIM
DKIM setup involves creating four new DNS records in your domain provider account. Three of those records will be CNAME records and one will be a TXT record.
Are you authenticating the same domain in more than one account?
If so, you will need to create one TXT record for each subaccount, but you’ll only need to create the CNAME records once.
Do you use Cloudflare for your DNS?
If so, your CNAME records cannot be proxied. They must be DNS only.
If you’re not familiar with DNS records or not sure how to access yours, check your domain provider’s help documents or reach out to their support.
Here are links to some common domain providers’ help documents:
- Amazon Route 53: Configuring DNS, DNS Record Types
- Bluehost: DNS Management
- Cloudflare: Manage DNS Records, Proxy Status
- Dreamhost: DNS Overview
- GoDaddy: Add a CNAME Record, Add a TXT Record
- Google Domains: DNS Basics
- Hostgator: Basics of DNS Records
- Hover: Managing DNS Records
- IONOS: Configuring a CNAME Record, Managing TXT Records
- Namecheap: How to Create a CNAME Record, How to Add a TXT Record
- Network Solutions: How Do I Manage DNS Records?
- Siteground: Manage Your DNS Records
- Squarespace: Accessing Your DNS Settings, Adding Custom DNS Records
- Wix: Adding or Updating CNAME Records, Adding or Updating TXT Records
- WordPress: Manage Your DNS Records
Step 1: Choose Your Default Sender Email
In your email marketing account, make sure that your default sender email matches the domain that you’re authenticating. If it does not match, update it in the “Sender info” tab.
Step 2: Create CNAME Records
Log into your DNS provider’s website or app and create the three CNAME records, shown below. Each provider may have slight syntax differences, so check their requirements for creating CNAME records.
Common syntax differences
Some common syntax differences that users have experienced include:
- Host name being e2ma-k1._domainkey.yourdomain
- Removing the trailing period at the end of each value
Always defer to your DNS provider’s CNAME syntax requirements.
| Host Name | Value |
|---|---|
| e2ma-k1._domainkey | e2ma-k1.dkim.e2ma.net. |
| e2ma-k2._domainkey | e2ma-k2.dkim.e2ma.net. |
| e2ma-k3._domainkey | e2ma-k3.dkim.e2ma.net. |
Tip: Avoid copying and pasting these values directly into your DNS records, as it may introduce formatting issues. Type them manually to prevent errors.
Step 3: Create a TXT Record
You will need to verify your account or subaccount’s authentication with a TXT record and a unique validation hash.
- Log in to your email marketing account.
- Find your account’s validation hash (details below).
- Log in to your DNS provider’s website or app.
- Create the TXT record, shown in the table below. Replace xxxx with your account’s validation hash.
| Host Name | Value |
|---|---|
| @ | e2ma-verification=xxxx |
Tip: If your DNS provider doesn’t allow the @ symbol, use your domain name instead, or refer to your provider’s support documents.
Finding Your Validation Hash
Each account or subaccount has its own unique validation hash, which cannot be shared between accounts. If you have a tiered account, you’ll need to create a separate TXT record for each subaccount you’re authenticating.
- Navigate to your Account > Deliverability tab.
- Parent account: Click on the gear icon in the upper right corner of your screen and choose Account from the dropdown menu.
- Subaccounts: Navigate to the appropriate subaccount and click on the gear icon in the upper right corner of your screen.
- If you are a Manager or Parent user, scroll down to “Subaccount settings” and choose Account from the dropdown menu.
- If you are an Administrator user, choose Account from the dropdown menu.
- Standalone accounts: Click on the gear icon in the upper right corner of your screen and choose Account from the dropdown menu.
- On the next screen, click on the Deliverability tab.
- The validation hash will be located in the middle of the page.
Step 4: Complete the Final Validation
- Return to your email marketing account.
- Navigate to the screen where you found your validation hash.
- Click inside the “DKIM domain” box and type in your domain.
- Click on the Save button.
Once this step is complete, DKIM is set up for this specific account or subaccount.
Warning: This step is easily overlooked, but DKIM setup cannot be completed without it. Please be careful not to skip it!
Optional: Testing Your DKIM Authentication
To confirm your DKIM setup, send a test email campaign and check the email header. For example, in Gmail:
- Open the test email and click on the three vertical dots on the right side.
- Choose Show original from the dropdown menu.
- On the next screen, you’ll see a table and one of the rows will be labeled “DKIM”. If DKIM authentication has been successfully set up, the “DKIM” row should say “PASS”.
For detailed instructions on locating headers in specific email clients, refer to this guide from MX Toolbox.
Frequently Asked Questions About DKIM
For more frequently asked questions about DKIM, check out our frequently asked questions about email authentication article.
I send less than 5,000 emails a day, do I really have to set up DKIM?
Yes, you do still need to set up DKIM. You may send less than 5,000 emails a day, but our system sends far more than that. Sending from any email service provider (ESP), will qualify you as a bulk sender to inbox providers.
Can I authenticate multiple sending domains in one account?
No, only one sending domain can be authenticated per account / subaccount. The sending domain is hard-coded into the DKIM settings for each account / subaccount, so using any other domain or subdomain in your sender email will result in DKIM and / or DMARC failures.
Tiered accounts only: If you have a none DMARC policy (p=none) on your domain, then you can set up DKIM for your top-level domain in your email marketing account and send from multiple subdomains. For example, if you set up DKIM for domain.com, then you could send from both mail.domain.com and hr.domain.com and both subdomains would pass DMARC. It’s important to note that this only works for subdomains, i.e. athletics.school.edu will work, but schoolathletics.edu will not. If you have a DMARC policy set to quarantine or reject, this will not work.
Note: If you use adkim=s in your DMARC policy, then the method above will not work, even if your enforcement is set to p=none. We recommend not including adkim in your DMARC policy at all, as it defaults to relaxed when not included. If you have questions about how your organization’s DMARC policy is configured, please contact your IT team or domain administrator.
Can the TXT record be removed once DKIM setup is complete?
Yes, once you’ve completed the DKIM setup process for your account, you may remove the TXT record from your DNS. The CNAME records cannot be removed.
I have a tiered account, do I need to create a separate TXT record for each of my subaccounts?
Depending on certain factors, you may need to create a separate TXT record for each of your subaccounts. Please refer to our DKIM for Tiered Accounts article for more information.
My organization has more than one separate account, can I set up DKIM for both? Will one account’s TXT record interfere with the other account’s TXT record
Yes, you can absolutely set up DKIM for the same domain in multiple fully separate accounts. Due to the unique validation hashes, our system can distinguish between the TXT record for one account and the TXT record for another, even if those records are on the same domain.
My DNS provider won’t accept the syntax for one of the records, what should I do?
Every DNS provider has slightly different syntax requirements. The records that we’ve listed here in the article show the syntax that most commonly works. However, you should always follow the syntax requirements of your DNS provider first. If your DNS provider is rejecting the @ symbol in the TXT record or the trailing period in the CNAME records, you can simply omit that portion of the record or replace it with whatever your DNS provider does accept.
I followed all of the DKIM setup instructions, but I’m seeing an error when I try to complete the final validation step! Did I do something wrong?
It can take up to 24 hours for DNS records to fully propagate, so there’s no need to panic if you can’t complete DKIM setup right away. Just give the records some time and then try again.
If you’re still seeing errors after 24 hours, there may be a small typo in one of your records. Try checking each record for errant spaces or typos. For the CNAME records, make sure that the numbers are correct in each record; sometimes folks will accidentally have two CNAME records with k1, for example, instead of one each for k1, k2, and k3.
Finally, if you copied and pasted the records into your DNS, try typing them in manually instead. Alternately, you can paste them into a text editor, copy them again, and then paste them into your DNS. The goal is to strip any hidden formatting that might tag along when you enter or paste the records into your DNS, as this formatting can prevent our system from reading those records.
I’ve set up DKIM, but my test emails say that they are failing DKIM, what’s going on?
Make sure that you’ve completed the final validation step in your email marketing account. If you’re not sure, please refer to step four of this article. If you have a tiered account, it’s possible that the final validation step has been completed in some subaccounts or in the parent account, but not in the subaccount that you’re sending tests from.
I’ve set up DKIM in my account, but my emails are still bouncing internally. Why is this happening?
Emails can still bounce or be sent to junk for internal contacts, even after DKIM is set up. This is typically caused by an organization’s network settings and can usually be resolved by allowlisting our IP addresses.