How to set up DKIM on Bluehost
Publish the DKIM key from your email provider in your Bluehost DNS so your emails carry a tamper-proof signature.
Why this matters to your business
DKIM (DomainKeys Identified Mail) adds an invisible digital signature to every email you send. The receiving mail provider uses a public key you’ve published in your DNS to confirm two things: the message really came from your domain, and nobody altered it on the way.
In plain terms: DKIM is a seal of authenticity on your email. It makes impersonation harder and improves the chance your genuine mail reaches the inbox rather than spam. It’s free and it’s a one-time setup.
Important: DKIM has two halves
DKIM is the one record where it really matters who does what:
- Your email provider generates the key. Whoever runs your mailboxes — Google Workspace, Microsoft 365, Bluehost’s own email, or another mail service — creates the DKIM key for your domain inside their admin panel. You cannot make this value up; the provider produces it for you, along with a selector name (the label that identifies the key).
- Bluehost publishes it. You then add that key to your domain’s DNS at Bluehost, the company running your nameservers.
So: generate at your email provider, publish at Bluehost. If your mailboxes are Bluehost email, the provider and the DNS host are the same company, and Bluehost may add the DKIM record for you automatically — in that case there’s nothing to do here.
Confirm Bluehost runs your DNS
A DKIM record only works if it’s added wherever your domain’s nameservers point. If you registered the domain at Bluehost and never moved it, Bluehost is almost certainly your DNS host. If your nameservers point elsewhere (a different host, Cloudflare, your email provider), add the DKIM record there instead.
In your Bluehost account, open Domains, select your domain, and check the Nameservers section. If it shows Bluehost’s nameservers, continue below.
Get the records from your email provider
Before touching DNS, collect the DKIM details from whoever runs your email:
- Google Workspace: in the Admin console go to Apps → Google Workspace → Gmail → Authenticate email, generate the key, and copy the selector (usually google._domainkey) and the long TXT value beginning v=DKIM1; k=rsa; p=.
- Microsoft 365: Microsoft uses two CNAME records named selector1._domainkey and selector2._domainkey, each pointing at a long ...onmicrosoft.com target. Find them under DKIM in the Microsoft 365 admin area.
- Bluehost email or another provider: look in that provider’s email or DNS setup area for its DKIM record and copy the host and value exactly.
Note whether you were given TXT records or CNAME records — you’ll choose the matching type in the next step.
Step-by-step on Bluehost
- Sign in to your Bluehost account.
- Go to Domains, select your domain, and open its DNS settings (look for DNS / DNS Records / Manage).
- Find the DNS records list and click Add Record.
- Set Type to match what your provider gave you — TXT for most providers, or CNAME for Microsoft 365.
- In the Host Record (Name) field, enter only the selector part — for example google._domainkey or selector1._domainkey. Do not add your domain name on the end; Bluehost appends it automatically.
- In the value field:
  - For a TXT record, paste the long key value (beginning v=DKIM1;) into the TXT Value field.
  - For a CNAME record, paste the target host your provider gave you into Points To.
- Leave TTL on the default.
- Click Save. For Microsoft 365, repeat for the second selector.
Bluehost quirks people get wrong
- Right record type. Google Workspace gives you a TXT record; Microsoft 365 gives you two CNAME records. Adding the wrong type means DKIM never validates. Match exactly what your provider supplied.
- Don’t put the full domain in Host Record. If the provider shows google._domainkey.yourdomain.com, you enter only google._domainkey at Bluehost — the rest is added for you. Including the domain again creates a broken host like google._domainkey.yourdomain.com.yourdomain.com.
- Paste the whole key — it’s long. DKIM public keys are hundreds of characters. Make sure nothing is cut off and no stray spaces or line breaks crept in.
- Don’t add your own quotes. Paste the plain value; Bluehost handles any quoting for you. Manually adding " marks can corrupt the record.
- Finish at the provider too. Some providers (Google included) require you to come back and click a button to start signing after the record is live. Publishing alone isn’t enough — switch DKIM on at the provider.
- Give it time. DNS changes can take minutes up to a couple of hours before the provider can confirm and DKIM starts validating.
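Several of the quirks above can be caught before you click Save. The Python below is an added example, not code from this page or from Bluehost: the function names are hypothetical, the sample key is a constructed placeholder with the byte framing of a 2048-bit RSA key (not a real DKIM key), and it covers TXT-type records only.

```python
import base64
import binascii

def der_is_complete(der: bytes) -> bool:
    """True if the bytes form one whole DER SEQUENCE (the framing of a public key)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length

def check_dkim_txt(host_field: str, value: str, domain: str) -> list:
    """Return the problems found in a TXT-type DKIM entry; an empty list means none."""
    problems = []
    host = host_field.strip().rstrip(".").lower()
    if host.endswith("." + domain.lower()):
        # The DNS panel appends the domain again, producing a doubled name.
        problems.append(f"host repeats the domain: publishes as {host}.{domain.lower()}")
    elif not host.endswith("._domainkey"):
        problems.append("host is not <selector>._domainkey")
    if '"' in value:
        problems.append("value contains manually added quote marks")
    if not value.lstrip(' "').startswith("v=DKIM1"):
        problems.append("value does not begin with v=DKIM1")
    tags = {}
    for part in value.replace('"', "").split(";"):
        name, sep, val = part.partition("=")   # split at the first "=" only
        if sep:
            tags[name.strip()] = val.strip()
    key = tags.get("p", "")
    if any(ch.isspace() for ch in key):
        problems.append("stray whitespace inside the p= key")
    try:
        der = base64.b64decode("".join(key.split()), validate=True)
    except binascii.Error:
        der = b""
    if not der_is_complete(der):
        # A cut-off paste either breaks base64 padding or leaves the DER too short.
        problems.append("p= key is missing, cut off, or not valid base64")
    return problems

# Constructed placeholder with the DER framing of a 2048-bit RSA key (not a real key).
SAMPLE_KEY = base64.b64encode(bytes([0x30, 0x82, 0x01, 0x22]) + bytes(290)).decode()
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=" + SAMPLE_KEY
```

Call check_dkim_txt with the Host Record text, the TXT value you are about to paste, and your domain; an empty list means none of these mistakes were found.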
Verify it worked
After publishing the record (and switching DKIM on at your provider, if required), run the free check on Defaults.Exposed. It will confirm in plain language whether your DKIM record is published and readable. Your data is processed in the EU.