Defaults.Exposed › Setup › DKIM
How to set up DKIM on GoDaddy
Publish your email provider's DKIM keys in GoDaddy DNS so your messages carry a verified signature.
Why this matters to your business
DKIM (DomainKeys Identified Mail) adds an invisible, tamper-proof signature to every email you send. The receiving mail server uses a public key published in your DNS to confirm the message really came from your domain and wasn’t altered along the way. In plain terms: it makes your email look trustworthy to the systems that decide between “inbox” and “spam,” and it makes your domain much harder to impersonate. It’s free, and it’s a key part of getting your mail reliably delivered.
Two separate jobs — know which is which
DKIM involves two places, and people mix them up:
- Your email/mail platform (Microsoft 365, Google Workspace, your bulk-email tool, etc.) generates the DKIM keys. You turn DKIM on there and it gives you the records to publish. GoDaddy does not generate these for you unless GoDaddy is also your email provider.
- Your DNS host (GoDaddy, if your nameservers point to GoDaddy) publishes those records. This is the part you do in GoDaddy.
So the flow is: get the DKIM records from your email provider first, then add them in GoDaddy DNS.
First, confirm GoDaddy runs your DNS
A DKIM record only works if your domain’s nameservers point at GoDaddy. In your GoDaddy account, open the domain and check the Nameservers section. If it shows another company’s nameservers (a web host, Cloudflare, your email provider), add the DKIM records there instead — adding them at GoDaddy won’t do anything.
What your provider gives you
DKIM records are usually CNAME records (especially Microsoft 365 and many platforms), though some providers give you a TXT record instead. Either way, your provider gives you:
- one or more host/name values, which contain a selector — something like
selector1._domainkeyorgoogle._domainkey - the matching value to point to (a target hostname for CNAME, or a long key string for TXT)
Microsoft 365 typically gives two CNAME records (selector1._domainkey and selector2._domainkey). Google Workspace typically gives one TXT record at google._domainkey.
Steps in GoDaddy
- Sign in to GoDaddy and open your domain’s DNS settings (look for DNS, Manage DNS, or DNS / Records).
- Add a new record (look for Add / Add New Record).
- Choose the record type your provider specified — usually CNAME, sometimes TXT.
- In the Name / Host field, enter only the selector part, exactly as your provider gave it — for example
selector1._domainkeyorgoogle._domainkey. Do not add your domain on the end; GoDaddy appends the domain automatically. - In the Value field, paste the target your provider gave you:
- For a CNAME: the target hostname (e.g.
selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com). - For a TXT: the full key string (begins with
v=DKIM1; ...).
- For a CNAME: the target hostname (e.g.
- Leave TTL at the default.
- Save. Repeat for each DKIM record your provider listed (Microsoft 365 needs both selector1 and selector2).
- Go back to your email provider and click its “verify” or “enable DKIM” button — DKIM is only fully active once the provider confirms it can see the records.
GoDaddy quirks people get wrong
- Selector only in the Name field. Enter
selector1._domainkey, notselector1._domainkey.yourdomain.com. Adding the domain creates a broken, doubled-up host name. - CNAME vs TXT — match what the provider said. Picking the wrong type silently fails. Copy the type exactly.
- No quotes on TXT values. Paste the key plain; GoDaddy handles the quoting. Don’t wrap it in
". - Don’t forget the second record. Microsoft 365 won’t pass DKIM with only one of its two selectors published.
- Enable on the provider side too. Publishing in DNS isn’t enough — flip the switch in your email platform afterwards.
- Allow time. DNS changes can take from minutes up to a couple of hours to spread.
Verify it worked
Once you’ve added the records and enabled DKIM at your provider, confirm it with the free check on Defaults.Exposed. Enter your domain and it’ll tell you in plain language whether DKIM is correctly in place. Your data is processed in the EU.
Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.