How To Generate DKIM Keys Correctly for Your Domain

December 26, 2025 • InboxGreenEmail Team

🚨 DKIM issues can silently kill replies.

If opens dropped, replies disappeared, or bounces increased, treat it as an incident. Run the scan and get a fix path.

No signup required. Works on any domain.

search Run a Free Domain Check notifications_active Monitor my domain

How To Generate DKIM Keys Correctly for Your Domain

As a SaaS founder or marketer, you know that getting your emails into the inbox is crucial for engagement and conversions. One of the most effective ways to improve your inbox placement is by implementing DKIM, or DomainKeys Identified Mail. However, generating DKIM keys correctly can be a bit tricky. If done improperly, you could end up with emails landing in the spam folder or, worse, getting bounced altogether. This becomes urgent when you start seeing warnings in Gmail or receiving bounce messages from your email service provider.

At a glance

  • This problem affects SaaS founders, marketers, and technical email managers.
  • This article will help you generate DKIM keys correctly for your domain.
  • By following these steps, you will improve your email deliverability and domain reputation.

When this problem shows up in real life

Imagine you are sending out an important marketing email, only to find that a significant portion of your audience never receives it. You check your logs and see entries like:

2023-10-01 10:00:00 SMTP error: DKIM signature verification failed

Or, you look at a Gmail header and see:

Authentication-Results: mx.google.com; dkim=fail (bad sig) [email protected]

These messages indicate that your DKIM setup is not functioning as it should. You might even receive support tickets from frustrated users asking why they are not getting your emails. This is a clear sign that your DKIM keys need attention.

Step by step: DKIM key generation setup

  1. Access your DNS management console.

    Log in to your domain registrar or hosting provider's dashboard. This is where you will add your DKIM records.

  2. Generate DKIM keys.

    You can use a DKIM generator tool for this. For example, if you are using Google Workspace, you can generate keys directly from your admin console.

    • Navigate to Apps > Google Workspace > Gmail > Authenticate email.
    • Click on "Generate new record".
    • Copy the generated public key.
  3. Add the DKIM record to your DNS.

    In your DNS management console, create a new TXT record. Here’s what it should look like:

    selector._domainkey.yourdomain.com IN TXT "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY"

    Replace selector with the actual selector you generated, and YOUR_PUBLIC_KEY with the key you copied.

  4. Save the changes and allow for DNS propagation.

    This can take anywhere from a few minutes to 48 hours. During this time, your DKIM record may not be immediately visible.

  5. Test your DKIM setup.

    Once you believe the DNS has propagated, send a test email to a service like Mail Tester or use the InboxGreen checker to verify your DKIM setup.

Common mistakes

  • Not using the correct selector.

    Symptom: DKIM fails to authenticate. Cause: The selector in your DNS record does not match the one used in your email headers. Fix: Ensure the selector is the same in both places.

  • Incorrect public key format.

    Symptom: Emails are marked as spam. Cause: The public key has extra spaces or incorrect characters. Fix: Double-check the key for accuracy before saving.

  • Not waiting for DNS propagation.

    Symptom: DKIM verification fails immediately after setup. Cause: DNS changes take time to propagate. Fix: Wait at least a few hours and test again.

  • Using multiple DKIM records.

    Symptom: Conflicts in DKIM authentication. Cause: Having more than one DKIM record for the same selector. Fix: Ensure only one DKIM record exists per selector.

Troubleshooting when it still fails

  • DKIM fails → likely cause: Incorrect DNS entry.

    What to try next: Use a DKIM Checker to verify your DNS entry.

  • Emails still landing in spam → likely cause: Domain reputation issues.

    What to try next: Check your domain reputation using a blacklist checker.

  • Authentication-Results header shows failure → likely cause: Misconfiguration.

    What to try next: Read the full Authentication-Results header to identify specific errors.

Related checks you should run

  • Check SPF, DKIM, and DMARC alignment.
  • Verify DNS TTL settings and propagation delays.
  • Assess your domain reputation and monitor for bounces or spam reports.
  • Evaluate your email list quality and engagement patterns.

FAQ

Why is DKIM still failing on Google Workspace after I added the record?

If DKIM is failing, it might be due to a mismatch between the selector used in your email headers and the one in your DNS. Double-check both to ensure they match exactly.

How long do DNS changes take to apply on my domain?

DNS changes can take anywhere from a few minutes to 48 hours to propagate fully. It varies based on your DNS provider and their TTL settings.

Can I use more than one DKIM selector for my domain?

Yes, you can use multiple DKIM selectors, but each selector must have its own unique DNS record. Ensure that the email headers reflect the correct selector.

What should I do if my DKIM record does not show up in DNS?

First, check for typos in your DNS entry. If everything looks correct, wait a few hours and check again. You can also use a DNS lookup tool to verify.

What to do next

Now that you have a better understanding of how to generate DKIM keys correctly, it's time to take action. Start by checking your current DKIM setup using the InboxGreen checker to ensure everything is configured properly. If you need to generate new keys, consider using our DKIM Checker to help you through the process. Keeping your DKIM records in order will significantly enhance your email deliverability and overall domain reputation.

Free Deliverability Scan

Check SPF, DKIM, DMARC and List-Unsubscribe for your domain in seconds.