How to set up DKIM on Cloudflare
Publish your mail provider's DKIM key in Cloudflare DNS so your emails carry a tamper-proof signature.
Why this matters to your business
DKIM (DomainKeys Identified Mail) adds an invisible digital signature to every email you send. The receiving mail provider uses a public key you’ve published in your DNS to confirm two things: the message really came from your domain, and nobody altered it on the way.
In plain terms: DKIM is a seal of authenticity on your email. It makes impersonation harder and improves the chance your genuine mail reaches the inbox rather than spam. Like the others, it’s free and it’s a one-time setup.
Important: DKIM has two halves
DKIM is the one record where it really matters who does what:
- Your mail provider generates the key. Google Workspace, Microsoft 365, or whoever runs your mailboxes creates the DKIM key for you, inside their admin console. You cannot make this up — you must get the exact host name and value from them. Cloudflare does not generate DKIM keys; it is your DNS host, not your mailbox provider.
- Cloudflare publishes it. You then add that key to your domain’s DNS in Cloudflare (assuming Cloudflare runs your DNS — see below).
So: generate in the mail platform, publish in the DNS host.
First, confirm Cloudflare runs your DNS
A DKIM record only works if Cloudflare is answering DNS for your domain. Cloudflare’s DNS is only live when your domain’s nameservers (set at your registrar) point to the Cloudflare nameservers shown in your dashboard. Open your domain in Cloudflare and check the Overview page — it will confirm whether Cloudflare is active. If your nameservers point to another provider, add the DKIM record there instead; it won’t take effect at Cloudflare.
Get the key from your mail provider
In your mail provider’s admin area, look for the DKIM or email-authentication setting and generate/enable a key. It will give you two pieces of text:
- A host/selector name, something like google._domainkey or selector1._domainkey.
- A long value beginning with v=DKIM1; followed by k=rsa; p= and a very long string of characters (the public key).
Copy both exactly.
Step-by-step on Cloudflare
- Sign in to Cloudflare and select your domain.
- In the left-hand menu, go to your DNS settings (look for DNS / Records).
- Click Add record.
- Set Type to TXT for most DKIM keys. Use CNAME only if your provider specifically told you to — some providers, including Microsoft 365, use CNAME records that point back to their servers.
- In the Name field, enter only the selector part — for example google._domainkey or selector1._domainkey. Do not add your domain name on the end; Cloudflare appends it automatically.
- In the Content field, paste the long key value exactly as your provider gave it. (For a CNAME, paste the target host they gave you instead.)
- Leave TTL on Auto.
- Click Save.
Cloudflare quirks people get wrong
- Don’t put the full domain in Name. If your provider’s instructions show selector1._domainkey.yourdomain.com, you enter only selector1._domainkey in Cloudflare — the rest is added for you. Including the domain again creates a broken host name ending in .yourdomain.com.yourdomain.com.
- Paste the whole key — it’s long. DKIM public keys are hundreds of characters. Make sure nothing is cut off, and that no stray spaces or line breaks crept in during copy-paste. Cloudflare will split a long TXT value into segments behind the scenes — that is normal and fine.
- Don’t add your own quotes. Paste the plain value; Cloudflare handles the quoting. Manually added " marks can corrupt the record.
- TXT vs CNAME — follow your provider. If they say CNAME, choose CNAME and paste their target host as the content; don’t convert it to TXT.
- If you add a CNAME, set it to DNS only (grey cloud). Authentication records must not be proxied — make sure the proxy status shows the grey cloud, not orange, so the record resolves to your mail provider’s value rather than Cloudflare’s proxy.
- Match the selector exactly. The selector in the Name field must match what your provider expects, character for character — that’s how the receiver finds the right key.
- Give it time. DNS changes can take minutes to a couple of hours to propagate before DKIM starts validating.
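As an added example (not from this page or from Cloudflare), here is a Python checker for the two halves just described: it builds the host name Cloudflare will publish from the Name field plus the zone, joins the TXT segments the way a receiving resolver does, and flags the mistakes listed above (doubled domain, stray quotes, line breaks, truncated key). SAMPLE_KEY and the example.com names are constructed placeholders.

```python
import base64
import binascii
import re

# Constructed sample value in the shape a provider hands you (not a real key).
SAMPLE_KEY = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30\x82" + b"\x00" * 60).decode()


def dkim_host(name_field: str, zone: str) -> str:
    """Host name actually published once Cloudflare appends the zone to the Name field."""
    return f"{name_field.rstrip('.')}.{zone}"


def check_dkim_record(name_field: str, zone: str, txt_segments: list[str]) -> list[str]:
    """Return problems found in a DKIM TXT record; an empty list means it looks publishable."""
    problems = []
    host = dkim_host(name_field, zone)
    if host.endswith(f".{zone}.{zone}"):
        problems.append(f"Name repeats the domain: record would be published at {host}")
    if "._domainkey" not in name_field:
        problems.append("Name must be <selector>._domainkey")
    # Resolvers join TXT segments, so joining here mirrors what a receiver sees.
    raw = "".join(txt_segments)
    if '"' in raw:
        problems.append("quote marks inside the value (Cloudflare quotes it for you)")
    if re.search(r"[\r\n]", raw):
        problems.append("line break inside the value")
    value = re.sub(r'["\r\n]', "", raw)
    tags = {}
    for i, field in enumerate(f.strip() for f in value.split(";") if f.strip()):
        name, _, val = field.partition("=")
        tags[name.strip()] = val.strip()
        if i == 0 and name.strip() != "v":
            problems.append("v=DKIM1 must be the first tag")
    if tags.get("v") != "DKIM1":
        problems.append("missing or wrong version tag (expected v=DKIM1)")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    pub = tags.get("p")
    if pub is None:
        problems.append("missing p= public key")
    elif pub == "":
        problems.append("empty p= means the key is revoked")
    else:
        try:
            der = base64.b64decode(pub, validate=True)
            if tags.get("k", "rsa") == "rsa" and der[:1] != b"\x30":
                problems.append("p= does not decode to a DER-encoded RSA public key")
        except binascii.Error:
            problems.append("p= is not valid base64: key probably truncated or corrupted")
    return problems
```

Run it against what you are about to paste into Cloudflare before saving; a clean record returns an empty list.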
Verify it worked
After saving and allowing a little propagation time, run the free check on this site. It will confirm in plain language whether your DKIM record is published and readable.
Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.