A step-by-step tutorial for publishing DKIM DNS records on a UK domain — from key generation to DNS publication, verification and troubleshooting. Covers Microsoft 365, Google Workspace, SmartXHosting email, hosted marketing platforms, and on-premises mail servers.
DKIM deployment has two halves. The first is a public key published in your domain's DNS at selector._domainkey.yourdomain. The second is the private key installed on your outbound mail server, which signs every outgoing message. This tutorial covers both halves for the most common UK business mail setups.
The end state: every outgoing message carries a DKIM-Signature header, and receivers verify that signature against the public key you just published. Gmail, Outlook, Yahoo and the Axigen platform that powers SmartXHosting email all do this verification automatically.
The selector is an arbitrary label you pick. Some guidance for UK deployments:
- Date-based selectors such as 2026q1, 2026q2 make rotation obvious and trivial to audit. Most modern deployments use this pattern.
- Service-based selectors such as mail, marketing, transactional for per-service keys when you have multiple sending channels.
- Provider-fixed selectors, where the platform chooses the name for you (Microsoft 365 uses selector1 and selector2).
- Avoid generic names like default or k1 in new deployments: they make rotation awkward and make a future audit more confusing than necessary.
For this tutorial we use 2026q2 as the example.
If your mail is hosted on Microsoft 365, Google Workspace, SmartXHosting or any modern managed platform, the provider generates the key pair and publishes the public key (or provides it for you to publish) automatically. Skip to the provider-specific walkthrough for your platform.
If you run your own mail server (Postfix, Exim, Axigen on-premises, Exchange), generate the key pair with OpenSSL:
```bash
# Generate 2048-bit RSA private key
openssl genrsa -out 2026q2.private 2048

# Extract public key (PEM copy for your records)
openssl rsa -in 2026q2.private -pubout -out 2026q2.public

# Format public key for DNS TXT record
openssl rsa -in 2026q2.private -pubout -outform DER 2>/dev/null | \
  openssl base64 -A
```
The last command outputs a single long base64 string: the DER-encoded SubjectPublicKeyInfo, which is exactly what the DKIM p= tag carries for RSA keys (it is the same base64 as the body of the PEM file, unwrapped). Capture it; you will paste it into the DNS record in Step 3. Keep 2026q2.private readable only by the signing service's user: anyone who can read it can sign mail as your domain.
Optionally, generate an Ed25519 key as well (RFC 8463):

```bash
# Generate Ed25519 private key
openssl genpkey -algorithm Ed25519 -out 2026q2-ed.private

# Extract the raw 32-byte public key for the DNS TXT record.
# The DER output is a 44-byte SubjectPublicKeyInfo; DKIM publishes only the
# 32-byte key, so strip the 12-byte header before base64-encoding.
openssl pkey -in 2026q2-ed.private -pubout -outform DER 2>/dev/null | \
  tail -c +13 | openssl base64 -A
```
Ed25519 keys are much shorter (44 characters of base64 vs around 400 for RSA-2048), so the record always fits in a single 255-character TXT string. Publish the Ed25519 key under its own selector alongside an RSA key during the transition period, not as a sole replacement, since some receivers still verify only RSA signatures. Servers that support dual signing can add both signatures to every message, so a receiver that understands Ed25519 verifies that one and the rest fall back to RSA.
Create a TXT record at selector._domainkey.yourdomain with the following content:
```text
2026q2._domainkey.firm.co.uk. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
```
The three tags:
- v=DKIM1: version. Include it, and include it as the first tag.
- k=rsa: key type. Use k=ed25519 for Ed25519 keys.
- p=...: the base64 public key from Step 2. An empty p= means "this key is revoked", so never publish the record before you have the key value to put in it.

A single DNS TXT character-string is limited to 255 characters. RSA-2048 public keys are longer than that (around 400 characters of base64), so the record has to be carried as several strings. Most modern DNS providers do the splitting automatically when you paste the full record, but if you need to split manually, use quoted concatenation in the zone file:

```text
2026q2._domainkey.firm.co.uk. IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...XYZ"
                                       "1234567890ABCDEFGHIJKLMNOP...QRSTUVWXYZ" )
```
DNS serves the two strings as they are; it is the DKIM verifier that concatenates them, without inserting spaces, into the single record value (RFC 6376 section 3.6.2.2). The split may fall anywhere, even mid-way through the base64, as long as each string stays within 255 characters.
| Provider | Notes |
|---|---|
| Cloudflare | TXT record, name = selector._domainkey, content = full quoted string. Auto-splits long values. |
| AWS Route 53 | TXT record type. Multiple strings must each be wrapped in double quotes. |
| Gandi LiveDNS | Standard TXT. Long values handled via UI paste. |
| Nominet 123-Reg / Fasthosts / Heart Internet | Standard TXT. Some older UIs require manual splitting — use the concatenation format above. |
| GoDaddy | TXT record; paste the content without outer quotes. |
| Plesk DNS | Add TXT record through the DNS Template; pastes as a single value. |
Now that the public key is discoverable in DNS, configure your mail server to sign outbound mail with the matching private key.
Edit /etc/opendkim.conf:

```text
Domain                  firm.co.uk
Selector                2026q2
KeyFile                 /etc/dkim/2026q2.private
Canonicalization        relaxed/relaxed
Mode                    sv
SubDomains              yes
```
Make /etc/dkim/2026q2.private readable only by the opendkim user. Then configure Postfix to pass outgoing mail through OpenDKIM by adding milter settings in main.cf (smtpd_milters and non_smtpd_milters pointing at the OpenDKIM socket, so that both SMTP-submitted and locally generated mail is signed), and restart both services.
In /etc/exim4/exim4.conf, add to the remote_smtp transport:

```text
dkim_domain = firm.co.uk
dkim_selector = 2026q2
dkim_private_key = /etc/dkim/2026q2.private
dkim_canon = relaxed
dkim_strict = false
```
With dkim_strict = false, Exim delivers the message unsigned rather than deferring it if the key cannot be read or signing fails. Watch the logs for that case: a permissions slip on the key file then silently turns into unsigned mail.

In the Axigen admin console, navigate to Services → DKIM Signatures. Add the domain, paste the private key or upload the file, set the selector, and enable signing. Axigen handles canonicalisation and key rotation through its UI.
Microsoft 365 uses its own internal DKIM infrastructure. See the provider-specific walkthrough below.
Send a test message from your newly configured mail server to an external mailbox at Gmail or Outlook.com.
Open the delivered message, click "Show original" (Gmail) or "View message source" (Outlook), and look at the top of the headers:
```text
Authentication-Results: mx.google.com;
       dkim=pass header.i=@firm.co.uk header.s=2026q2 header.b=dzdVyOfA;
       spf=pass smtp.mailfrom=firm.co.uk;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=firm.co.uk
```
If you see dkim=pass with your expected selector (header.s) and signing domain (header.i or header.d), you are done. Check both, not just the word "pass": forwarded or mailing-list mail often carries a passing signature from the forwarding host's own domain, which does nothing for your domain's DMARC alignment. If you see dkim=none, dkim=fail, or dkim=permerror, continue to the troubleshooting section.
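The check described above, as an added example rather than code from the tutorial or from Gmail: a small parser for the Authentication-Results header (RFC 8601 syntax, in the layout Gmail uses) that reports whether dkim=pass came from the domain and selector you configured, or only from some other signature. SAMPLE is a constructed header modelled on the one shown; the function names are this example's own.

```python
"""Check an Authentication-Results header for the DKIM result you expect.

Added example for this tutorial, not code from the page or from Gmail: it
parses the header format shown above (RFC 8601) and confirms that dkim=pass
came from your signing domain and selector rather than from a forwarding
host's own signature.  SAMPLE is a constructed header in Gmail's layout.
"""
import re

SAMPLE = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@firm.co.uk header.s=2026q2 header.b=dzdVyOfA;
       spf=pass smtp.mailfrom=firm.co.uk;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=firm.co.uk"""


def parse_auth_results(header):
    """Return (authserv_id, [{"method": ..., "result": ..., <property>: <value>, ...}, ...])."""
    body = re.sub(r"\r?\n[ \t]+", " ", header)                      # unfold continuation lines
    body = re.sub(r"^Authentication-Results:\s*", "", body, flags=re.I)
    body = re.sub(r"\([^()]*\)", "", body)                           # drop comments like (p=NONE ...)
    parts = [p.strip() for p in body.split(";") if p.strip()]
    authserv_id = parts[0].split()[0]                               # may be followed by a version
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        entry = {"method": method.lower(), "result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                name, value = tok.split("=", 1)                    # e.g. header.i=@firm.co.uk
                entry[name.lower()] = value
        results.append(entry)
    return authserv_id, results


def dkim_status(header, domain, selector):
    """'pass' if a DKIM result passed for the expected domain and selector; 'pass-other'
    if only some other signature passed (typical of forwarders); otherwise the first
    DKIM result seen (fail, permerror, ...), or 'none' if the header has no DKIM result."""
    _, results = parse_auth_results(header)
    dkim = [r for r in results if r["method"] == "dkim"]
    if not dkim:
        return "none"
    for r in dkim:
        signing = r.get("header.d") or r.get("header.i", "").rpartition("@")[2]
        if r["result"] == "pass" and signing == domain and r.get("header.s") == selector:
            return "pass"
    if any(r["result"] == "pass" for r in dkim):
        return "pass-other"
    return dkim[0]["result"]
```
A "pass-other" result is the case to look out for when testing through a forwarder or list: the header says DKIM passed, but not for your domain, so your own signature is either missing or broken.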
Confirm the DNS record is published correctly:
```text
dig TXT 2026q2._domainkey.firm.co.uk

;; ANSWER SECTION:
2026q2._domainkey.firm.co.uk. 3600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
```
The dig output should show the full record; a long value appears as several quoted strings on one line, which is expected. If it returns NXDOMAIN or only partial content, either the publication has not propagated yet, in which case wait for the TTL to expire and retry, or the record was entered at the wrong name or truncated by the DNS interface. Querying your authoritative nameserver directly rather than your local resolver tells you which: the authoritative answer is live immediately and is never a stale cache.
Microsoft 365 generates two key pairs (selector1 and selector2, which Microsoft rotates between) and asks you to publish CNAME records pointing into your tenant's DNS:

```text
selector1._domainkey CNAME selector1-firm-co-uk._domainkey.your-tenant.onmicrosoft.com
selector2._domainkey CNAME selector2-firm-co-uk._domainkey.your-tenant.onmicrosoft.com
```
Once both CNAMEs resolve, enable DKIM signing for the domain in the Microsoft 365 Defender portal (email authentication settings). Until you do, outbound mail is signed with the tenant's onmicrosoft.com domain rather than yours, which passes DKIM but does not align for DMARC.

Google Workspace generates the key in the Admin console (Gmail, Authenticate email); the default selector is google (or whatever you chose). Publish the TXT value it gives you at google._domainkey.firm.co.uk, confirm it resolves, then start authentication in the console so signing begins.

On SmartXHosting Business Email, Private Email and Public Administration Email plans, DKIM is configured automatically when you add your domain. The customer dashboard shows the DNS records you need to publish (SPF, DKIM, DMARC); copy-paste them into your DNS provider, confirm propagation, and signing is live.
Key rotation is handled by the platform on a quarterly cadence. You will receive notification ahead of each rotation with updated DNS record values to publish.
dkim=none
The message arrived without a DKIM-Signature header, so the receiver had nothing to verify. Common causes:
- The server is not signing: the OpenDKIM milter or Exim transport options are not active, or the key file is unreadable and the server fell back to sending unsigned.
- The message did not pass through your signing server at all, for example a device or application submitting directly through an ISP smart host.

dkim=fail
The key is found but the signature does not verify. Common causes:
- The private key on the server does not match the published public key, typically after a rotation where DNS was updated but the server was not, or the reverse.
- The message was modified in transit, for example a footer or subject tag added by a mailing list or gateway; relaxed canonicalisation tolerates only whitespace changes.

dkim=permerror
The receiver cannot find or parse the public key (some receivers report a missing key as dkim=neutral instead). Common causes:
- The record is published at the wrong name, e.g. _domainkey.2026q2.firm.co.uk instead of 2026q2._domainkey.firm.co.uk, or the selector in the server configuration does not match the one in DNS.
- The record was truncated at 255 characters by a DNS interface that does not split long values.
- A missing, incomplete or non-base64 p= tag, or a typo in the v=DKIM1 or k= tag.

If dig returns a truncated or invalid record, check that your DNS provider accepts the full base64 public key. Older interfaces may require manual splitting using the concatenation format.
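Both the record construction in Step 3 and the permerror causes above come down to the same parsing rules, so here is one added example covering both; it is not code from the tutorial, a DNS provider or a mail server. It splits a record into 255-octet TXT strings, then validates it the way a verifier does: joins the strings without spaces, parses the tag list, decodes p=, and checks that the key is really an RSA SubjectPublicKeyInfo (reading its modulus size from the DER) or a raw 32-byte Ed25519 key. TEST_MODULUS is a constructed 2048-bit number with the right shape for the DER encoder, not a real key; all function names are this example's own.

```python
"""Build, split and validate DKIM key records (RFC 6376, RFC 8463).

Added example for this tutorial, not code from the page, a DNS provider or a
mail server.  split_txt() does the 255-octet splitting from Step 3 and
validate_record() mirrors the record-parsing half of a verifier, so the usual
dkim=permerror causes are caught before publication.  TEST_MODULUS is a
constructed 2048-bit number of the right shape, not a real key.
"""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
TEST_MODULUS = (1 << 2047) | 0x10001           # constructed: 2048-bit and odd, not a usable key

def split_txt(value, limit=255):
    """Split a TXT value into character-strings of at most 255 octets (RFC 1035)."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def _der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed RSA test key."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def rsa_spki(modulus, exponent=65537):
    """RSA SubjectPublicKeyInfo, the DER that `openssl rsa -pubout -outform DER` emits."""
    der_int = lambda i: _der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, der_int(modulus) + der_int(exponent))))

def _tlv(buf, pos):
    """Read one DER TLV at pos, refusing lengths that run past the buffer (a truncated p=)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Walk SPKI -> AlgorithmIdentifier -> BIT STRING -> RSAPublicKey; return the modulus size."""
    tag, body, _ = _tlv(spki, 0)
    alg_tag, alg, pos = _tlv(body, 0)
    oid_tag, oid, _ = _tlv(alg, 0)
    bs_tag, bitstr, _ = _tlv(body, pos)
    seq_tag, rsa, _ = _tlv(bitstr, 1)
    n_tag, modulus, _ = _tlv(rsa, 0)
    if (tag, alg_tag, oid_tag, bs_tag, seq_tag, n_tag) != (0x30, 0x30, 0x06, 0x03, 0x30, 0x02):
        raise ValueError("unexpected DER structure")
    if oid != RSA_OID or bitstr[:1] != b"\x00":
        raise ValueError("not an rsaEncryption key")
    return int.from_bytes(modulus, "big").bit_length()

def parse_tags(strings):
    """RFC 6376 3.6.2.2: join the TXT strings without spaces, then split the tag list."""
    tags = {}
    for item in "".join(strings).split(";"):
        if item.strip():
            name, sep, value = item.partition("=")
            if not sep or not name.strip() or name.strip() in tags:
                raise ValueError("permerror: malformed or duplicate tag %r" % item.strip())
            tags[name.strip()] = re.sub(r"\s+", "", value)  # whitespace inside a value is ignored
    return tags

def validate_record(strings):
    """Validate a key record as a verifier would; return (key_type, bits) or raise ValueError."""
    tags = parse_tags(strings)
    if "v" in tags and (tags["v"] != "DKIM1" or next(iter(tags)) != "v"):
        raise ValueError("permerror: v=, if present, must be DKIM1 and the first tag")
    if "p" not in tags:
        raise ValueError("permerror: no p= tag")
    if tags["p"] == "":
        raise ValueError("key revoked: empty p= tag")
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except (ValueError, TypeError):
        raise ValueError("permerror: p= is not valid base64 (truncated or mangled by the DNS UI?)")
    ktype = tags.get("k", "rsa")
    if ktype == "ed25519":
        if len(key) != 32:
            raise ValueError("permerror: ed25519 p= must be the raw 32-byte key, not the DER SPKI")
        return "ed25519", 256
    if ktype != "rsa":
        raise ValueError("permerror: unsupported k=%s" % ktype)
    try:
        bits = rsa_modulus_bits(key)
    except (ValueError, IndexError):
        raise ValueError("permerror: p= does not decode to an RSA public key (truncated?)")
    if bits < 1024:
        raise ValueError("weak key: %d-bit RSA is refused by verifiers (RFC 8301)" % bits)
    return "rsa", bits

def record_problem(strings):
    """Return the diagnostic for a bad record, or None if it validates."""
    try:
        validate_record(strings)
    except ValueError as err:
        return str(err)
    return None

def example_rsa_record():
    """The Step 3 record for the constructed RSA key, split into TXT strings as the zone needs."""
    return split_txt("v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(TEST_MODULUS)).decode())
```
Feed record_problem() the strings dig returns (each quoted string as one list element) and it names the likely permerror cause: a value cut at 255 characters fails the base64 check, a valid-looking but shortened p= fails the DER walk, and an Ed25519 record that mistakenly carries the full 44-byte SPKI instead of the raw key is rejected for its length.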
Publishing DKIM is only one step. To fully protect your domain:
- Publish an SPF record listing every host that sends on your behalf, so DMARC has two authentication paths rather than one.
- Publish a DMARC record and start at p=none. This lets you collect aggregate reports confirming every sender is authenticating correctly.
- Once the reports show all legitimate mail passing with an aligned domain, move to p=quarantine, then p=reject.

Q: Can I publish multiple DKIM keys for the same domain?
A: Yes, each with its own selector. You can publish an RSA-2048 key at rsa._domainkey.firm.co.uk and an Ed25519 key at ed._domainkey.firm.co.uk. Your mail server signs each message with one of them, or with both if it supports dual signing; receivers verify whichever signatures they understand.
Q: Do I need to keep the private key on the server forever?
A: Only until you rotate. After rotation, the old private key can be deleted (or archived offline for forensic purposes) once enough time has passed that no in-flight messages still reference the old selector.
Q: How long does DNS propagation take after I publish a new DKIM record?
A: Typically under an hour at standard TTLs. If you are rotating selectors, publish the new selector's record first and confirm with dig that it resolves before you switch the server to signing with it; otherwise there is a window in which mail is signed with a key that receivers cannot yet find. Keep the old selector's record published for several days after the switch, so that queued or delayed mail signed with the old key still verifies, and only then remove it.
Q: Can I use the same DKIM key for multiple domains?
A: Technically yes, but it is bad practice. Each domain should have its own key pair so that a compromise of one domain does not affect the others.
Q: What if my DNS provider does not let me publish long TXT records?
A: Use an Ed25519 key, which fits in a single TXT string, but publish it alongside an RSA key under another selector for receivers that do not yet support it. Or split the RSA record manually using the concatenation format. Any modern UK DNS provider supports long records, so if yours does not, consider migrating.
Q: Do I need to do anything to get DKIM to sign mail sent from my mobile phone via my corporate account?
A: No, provided you send through your corporate SMTP submission server. The signing happens at the server, not on the device. If the phone sends directly via an ISP's smart host, it bypasses your DKIM signing — configure the device to submit through your own server.
Q: How do I test DKIM before DNS propagation completes?
A: You can send a message to a mail-authentication verifier service, which emails back a detailed report of the SPF, DKIM and DMARC results it observed for your message. Some verifiers accept explicit DNS parameters so you can test with unpublished selectors in a staging environment.
Q: What is the difference between CNAME and TXT for DKIM?
A: The DKIM record itself is always a TXT record. A CNAME is sometimes used to delegate a DKIM selector to a provider (Microsoft 365's selector1._domainkey → selector1-firm-co-uk._domainkey.your-tenant.onmicrosoft.com), which lets the provider rotate keys without you touching DNS. The CNAME resolves to the provider's actual TXT record.
Q: Does DKIM affect mail deliverability for small UK senders?
A: Yes. Gmail, Outlook and Yahoo weight DKIM heavily in their filtering decisions, and since 2024 Gmail and Yahoo require every sender to pass SPF or DKIM, and bulk senders to pass both with DMARC alignment. A UK sole trader with working DKIM will see materially better inbox placement than one without, even at very low volumes.
Q: Can I verify DKIM is working without sending a real message?
A: You can verify the DNS record is correctly published with dig TXT selector._domainkey.yourdomain. To verify signing is working you do need to send a test message — either to an external mailbox you control, or to a verifier service.