Defaults.Exposed › Setup › DKIM

How to set up DKIM on IONOS

Publish the DKIM key from your email provider in your IONOS DNS so your emails carry a tamper-proof signature.

Why this matters to your business

DKIM (DomainKeys Identified Mail) adds an invisible digital signature to every email you send. The receiving mail provider uses a public key you’ve published in your DNS to confirm two things: the message really came from your domain, and nobody altered it on the way.

In plain terms: DKIM is a seal of authenticity on your email. It makes impersonation harder and improves the chance your genuine mail reaches the inbox rather than spam. It’s free and it’s a one-time setup.

Important: DKIM has two halves

DKIM is the one record where it really matters who does what:

• Your email provider generates the key. Whoever runs your mailboxes — Google Workspace, Microsoft 365, IONOS Mail, or another mail service — creates the DKIM key for your domain inside their admin panel. You cannot make this value up; the provider produces it for you, along with a selector name (the label that identifies the key).
• IONOS publishes it. You then add that key to your domain’s DNS at IONOS, the company running your nameservers.

So: generate at your email provider, publish at IONOS. If your mailboxes are IONOS Mail, the provider and the DNS host are the same company, and IONOS often offers a one-click DKIM toggle under the email settings — in that case use that and there may be nothing to add by hand.

Confirm IONOS runs your DNS

A DKIM record only works if it’s added wherever your domain’s nameservers point. If you registered the domain at IONOS and never moved it, IONOS is almost certainly your DNS host. If your nameservers point elsewhere (a different host, Cloudflare, your email provider), add the DKIM record there instead.

In your IONOS account, open Domains & SSL, select your domain, and check the Nameserver details. If they’re IONOS nameservers, continue below.

Get the records from your email provider

Before touching DNS, collect the DKIM details from whoever runs your email:

• Google Workspace: in the Admin console go to Apps → Google Workspace → Gmail → Authenticate email, generate the key, and copy the selector (usually google._domainkey) and the long TXT value beginning v=DKIM1; k=rsa; p=.
• Microsoft 365: Microsoft uses two CNAME records named selector1._domainkey and selector2._domainkey, each pointing at a long ...onmicrosoft.com target. Find them under DKIM in the Microsoft 365 admin area.
• Another provider: look in that provider’s email or DNS setup area for its DKIM record and copy the host and value exactly.

Note whether you were given TXT records or CNAME records — you’ll choose the matching type in the next step.

Step-by-step on IONOS

1. Sign in to IONOS and open the Domains & SSL area.
2. Select your domain, then open the DNS settings (look for Adjust DNS settings / DNS).
3. Click Add record.
4. Set Type to match what your provider gave you — TXT for most providers, or CNAME for Microsoft 365.
5. In the Host name field, enter only the selector part — for example google._domainkey or selector1._domainkey. Do not add your domain name on the end; IONOS appends it automatically.
6. In the Value field, paste the value your provider gave you:
   • For a TXT record, the long key value beginning v=DKIM1;.
   • For a CNAME record, the target host (e.g. the ...onmicrosoft.com address).
7. Leave TTL on the default.
8. Click Save. For Microsoft 365, repeat for the second selector.

IONOS quirks people get wrong

• Right record type. Google Workspace gives you a TXT record; Microsoft 365 gives you two CNAME records. Adding the wrong type means DKIM never validates. Match exactly what your provider supplied.
• Don’t put the full domain in Host name. If the provider shows google._domainkey.yourdomain.com, you enter only google._domainkey at IONOS — the rest is added for you. Including the domain again creates a broken host like google._domainkey.yourdomain.com.yourdomain.com.
• Use @ thinking carefully. IONOS sometimes pre-fills the host field; make sure the saved host is exactly your selector, not blank and not the bare domain.
• Paste the whole key — it’s long. DKIM public keys are hundreds of characters. Make sure nothing is cut off and no stray spaces or line breaks crept in.
• Don’t add your own quotes. Paste the plain value; IONOS handles any quoting for you. Manually adding " marks can corrupt the record.
• Finish at the provider too. Some providers (Google included) require you to come back and click a button to start signing after the record is live. Publishing alone isn’t enough — switch DKIM on at the provider.
• Give it time. DNS changes can take minutes up to a couple of hours before the provider can confirm and DKIM starts validating.

Verify it worked

After publishing the record (and switching DKIM on at your provider, if required), run the free check on Defaults.Exposed. It will confirm in plain language whether your DKIM record is published and readable. Your data is processed in the EU.

Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.