Best Practices for DKIM
To follow DKIM best practices, use strong 2048-bit keys, rotate them every six (6) months, sign all outbound messages (especially the "From" header), and use separate selectors and keys for different mail streams. Document your configuration and monitor results to maintain security and DMARC alignment.
MxToolbox recommends the following steps to create and maintain your DKIM record. After you complete your DKIM record setup, use our free DKIM Record Lookup tool to test it for any discrepancies.
Key Management
- Use strong keys: Deploy 2048-bit RSA keys; shorter keys (especially <1024-bit) may be rejected by receivers.
- Rotate regularly: Change keys at least every six (6) months, and more often for high-volume or sensitive mail.
- Protect private keys: Store them securely and use encryption when possible.
- Document everything: Maintain records of selectors, key versions, rotation schedules, and configuration changes.
Signing and Alignment
- Sign all outbound mail: Ensure every message is DKIM-signed, and that the "From" header is included in the signed headers.
- Ensure domain alignment: The DKIM signing domain (the d= tag) should match the domain used in the email's "From" address to support DMARC.
- Use unique selectors and keys per stream:
  - ESPs should issue separate keys per customer.
  - Organizations should use separate selectors (and keys) for distinct mail streams, such as marketing and transactional mail.
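The signing and alignment checks above, as an added example that is not part of the original page or an MxToolbox tool: it parses a constructed DKIM-Signature header, confirms the "From" header is in the signed header list (h=), and reports whether the signing domain (d=) is strictly or relaxed-aligned with the "From" domain. The sample headers, the selector name txn2024b and the two-label organizational-domain shortcut are assumptions for illustration.

```python
"""Check a DKIM-Signature header for the signing and alignment rules above."""
import re

# Constructed sample headers (not from a real message). bh= and b= are elided because
# this check looks at which headers were signed and which domain signed them, not the
# signature value itself.
SAMPLE_HEADERS = {
    "From": "Alerts <alerts@mail.example.com>",
    "DKIM-Signature": (
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=txn2024b; "
        "h=from:to:subject:date; bh=ELIDED; b=ELIDED"
    ),
}


def parse_tags(value):
    """Parse the 'k=v; k=v' tag list used by DKIM-Signature headers."""
    tags = {}
    for part in value.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip()] = "".join(v.split())  # folding whitespace is allowed inside values
    return tags


def from_domain(from_header):
    """Domain of the RFC5322.From address, which DMARC aligns against."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else None


def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC evaluators use the
    # Public Suffix List, so names like example.co.uk need a real implementation.
    return ".".join(domain.split(".")[-2:])


def alignment(signing_domain, header_domain):
    """'strict' if d= equals the From domain, 'relaxed' if they share an organizational domain."""
    if not signing_domain or not header_domain:
        return "none"
    if signing_domain == header_domain:
        return "strict"
    if org_domain(signing_domain) == org_domain(header_domain):
        return "relaxed"
    return "none"


def check_signature(headers):
    """Report whether From was signed, how d= aligns with From, and which selector was used."""
    tags = parse_tags(headers["DKIM-Signature"])
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    return {
        "from_signed": "from" in signed,  # the From header must appear in h=
        "alignment": alignment(tags.get("d", "").lower(), from_domain(headers["From"])),
        "selector": tags.get("s"),  # the selector identifies which stream's key signed it
    }


if __name__ == "__main__":
    print(check_signature(SAMPLE_HEADERS))
```

A subdomain sender such as mail.example.com signing with d=example.com passes relaxed alignment only; if your DMARC policy sets adkim=s, the d= tag has to match the "From" domain exactly.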
Configuration
- Publish correct DNS records: Publish the public key as a TXT record using the correct selector path.
- Enable signing in mail flow: Activate DKIM signing within your mail system after DNS updates propagate.
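The key-management and configuration steps above, as one added example that is not part of the original page or any MxToolbox tool: it encodes an RSA public key in the SubjectPublicKeyInfo form that the p= tag carries, builds the TXT record under the <selector>._domainkey.<domain> name (split into the 255-byte strings DNS requires), and then grades a published record by reading the modulus size back out of it, flagging anything below 2048 bits. The moduli are constructed integers of the right bit length rather than real keys, and the selector names and example.com are assumptions.

```python
"""Build the DNS TXT record for a DKIM public key and check the key size of a published record."""
import base64

# Constructed sample moduli (NOT real keys): integers with the bit length of interest.
N_2048 = (1 << 2047) | 1
N_1024 = (1 << 1023) | 1
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)


def der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(i):
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:  # keep the INTEGER positive
        b = b"\x00" + b
    return der_tlv(0x02, b)


def rsa_spki(n, e=65537):
    """Encode (n, e) as SubjectPublicKeyInfo DER, the format carried in the p= tag."""
    alg = der_tlv(0x30, RSA_OID_DER + b"\x05\x00")  # AlgorithmIdentifier
    key = der_tlv(0x30, der_int(n) + der_int(e))  # RSAPublicKey
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key))  # BIT STRING wraps the key


def der_read(buf, pos=0):
    """Read one TLV starting at pos; return (tag, contents, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln


def rsa_modulus_bits(spki):
    """Walk the SPKI structure down to the RSA modulus and return its bit length."""
    tag, body, _ = der_read(spki)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, after_alg = der_read(body)  # skip AlgorithmIdentifier
    tag, bitstr, _ = der_read(body, after_alg)  # BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsakey, _ = der_read(bitstr[1:])  # drop the unused-bits byte, open RSAPublicKey
    tag, modulus, _ = der_read(rsakey)  # first INTEGER is n
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def parse_tags(value):
    """Parse the 'k=v; k=v' tag list used by DKIM DNS records."""
    tags = {}
    for part in value.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip()] = "".join(v.split())
    return tags


def dkim_record_name(selector, domain):
    """DNS owner name where the public key is published: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def dkim_txt_strings(spki):
    """TXT value for the record, split into <=255-byte strings as DNS requires."""
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode("ascii")
    return [value[i:i + 255] for i in range(0, len(value), 255)]


def check_record(txt_strings):
    """Grade a record: 'ok' (>=2048), 'weak' (1024..2047), 'reject' (<1024), 'revoked' (empty p=)."""
    tags = parse_tags("".join(txt_strings))
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return {"status": "unsupported", "bits": 0}
    if not tags.get("p"):
        return {"status": "revoked", "bits": 0}
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    status = "ok" if bits >= 2048 else "weak" if bits >= 1024 else "reject"
    return {"status": status, "bits": bits}


if __name__ == "__main__":
    for selector, n in (("txn2024b", N_2048), ("legacy", N_1024)):
        strings = dkim_txt_strings(rsa_spki(n))
        print(dkim_record_name(selector, "example.com"), check_record(strings), len(strings), "TXT strings")
```

Two things this makes visible: a 2048-bit key does not fit in one 255-byte TXT string, so the record must be published as two quoted strings (a common cause of a "broken" DKIM record after an upgrade), and an empty p= is how a retired selector is revoked once a rotation has completed.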