Defaults.Exposed › Setup › DKIM

How to set up DKIM on Porkbun

Publish the DKIM key from your email provider in your Porkbun DNS so your emails carry a tamper-proof signature.

Why this matters to your business

DKIM (DomainKeys Identified Mail) adds an invisible digital signature to every email you send. The receiving mail provider uses a public key you’ve published in your DNS to confirm two things: the message really came from your domain, and nobody altered it on the way.

In plain terms: DKIM is a seal of authenticity on your email. It makes impersonation harder and improves the chance your genuine mail reaches the inbox rather than spam. It’s free and it’s a one-time setup.

Important: DKIM has two halves

DKIM is the one record where it really matters who does what:

• Your email provider generates the key. Whoever runs your mailboxes — Google Workspace, Microsoft 365, or another mail service — creates the DKIM key for your domain inside their admin panel. You cannot make this value up; the provider produces it for you, along with a selector name (the label that identifies the key).
• Porkbun publishes it. You then add that key to your domain’s DNS at Porkbun, the company running your nameservers.

So: generate at your email provider, publish at Porkbun. Both halves are needed.

Confirm Porkbun runs your DNS

A DKIM record only works if it’s added wherever your domain’s nameservers point. If you registered the domain at Porkbun and left it on Porkbun’s default nameservers, you’re in the right place. If your nameservers point elsewhere (a web host, Cloudflare, your email provider), add the DKIM record there instead.

In your Porkbun account, open the domain and check the Authoritative Nameservers shown on its details page. If they’re Porkbun’s own nameservers, continue below.

Get the records from your email provider

Before touching DNS, collect the DKIM details from whoever runs your email:

• Google Workspace: in the Admin console go to Apps → Google Workspace → Gmail → Authenticate email, generate the key, and copy the selector (usually google._domainkey) and the long TXT value beginning v=DKIM1; k=rsa; p=.
• Microsoft 365: Microsoft uses two CNAME records named selector1._domainkey and selector2._domainkey, each pointing at a long ...onmicrosoft.com target. Find them under DKIM in the Microsoft 365 admin area.
• Another provider: look in that provider’s email or DNS setup area for its DKIM record and copy the host and value exactly.

Note whether you were given TXT records or CNAME records — you’ll choose the matching type in the next step.

Step-by-step on Porkbun

1. Sign in to Porkbun and open Account → Domain Management.
2. Find your domain and click the Details (cog) icon, then open the DNS Records editor for that domain.
3. In the Add a DNS record area, set Type to match what your provider gave you — TXT for most providers, or CNAME for Microsoft 365.
4. In the Host field, enter only the selector part — for example google._domainkey or selector1._domainkey. Do not add your domain name on the end; Porkbun appends it automatically.
5. In the Answer field, paste the value your provider gave you:
   • For a TXT record, the long key value beginning v=DKIM1;.
   • For a CNAME record, the target host (e.g. the ...onmicrosoft.com address).
6. Leave TTL on the default.
7. Click Add to save. For Microsoft 365, repeat for the second selector.

Porkbun quirks people get wrong

• Right record type. Google Workspace gives you a TXT record; Microsoft 365 gives you two CNAME records. Adding the wrong type means DKIM never validates. Match exactly what your provider supplied.
• Don’t put the full domain in Host. If the provider shows google._domainkey.yourdomain.com, you enter only google._domainkey at Porkbun — the rest is added for you. Including the domain again creates a broken host like google._domainkey.yourdomain.com.yourdomain.com.
• Paste the whole key — it’s long. DKIM public keys are hundreds of characters. Make sure nothing is cut off and no stray spaces or line breaks crept in.
• Don’t add your own quotes. Paste the plain value; Porkbun handles any quoting for you. Manually adding " marks can corrupt the record.
• Finish at the provider too. Some providers (Google included) require you to come back and click a button to start signing after the record is live. Publishing alone isn’t enough — switch DKIM on at the provider.
• Give it time. DNS changes can take minutes up to a couple of hours before the provider can confirm and DKIM starts validating.

Verify it worked

After publishing the record (and switching DKIM on at your provider, if required), run the free check on Defaults.Exposed. It will confirm in plain language whether your DKIM record is published and readable. Your data is processed in the EU.

Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.