Defaults.Exposed › Setup › DKIM

How to set up DKIM on Squarespace

Publish your email provider's DKIM key in your Squarespace DNS so your emails carry a tamper-proof signature.

Why this matters to your business

DKIM (DomainKeys Identified Mail) adds an invisible digital signature to every email you send. The receiving mail provider uses a public key you’ve published in your DNS to confirm two things: the message really came from your domain, and nobody altered it on the way.

In plain terms: DKIM is a seal of authenticity on your email. It makes impersonation harder and improves the chance your genuine mail reaches the inbox rather than spam. It’s free and it’s a one-time setup.

Important: DKIM is generated by your email provider, not Squarespace

This is the record people most often get tangled on, because two different companies are involved:

• Your email provider generates the key. Squarespace is a website builder and DNS host — it does not send your business email and does not produce DKIM keys. The DKIM record comes from whoever runs your mailboxes (for example Google Workspace, Microsoft 365, or another mail host). You sign in to their admin area and have them create the DKIM key. You cannot make this value up.
• Squarespace publishes it. You then add that key to your domain’s DNS in Squarespace — if Squarespace is where your domain’s nameservers point.

So: generate the key in your email provider’s admin console, then publish it in Squarespace DNS. With some providers there’s also a final step where you go back and switch DKIM on — follow your provider’s instructions for that.

Step 1 — Get the key from your email provider

1. Sign in to your email provider’s admin console (not Squarespace).
2. Find its email-authentication or DKIM section and generate a DKIM record for your domain.
3. Your provider will give you two things:
   • A host name / selector — a short prefix ending in ._domainkey (for example google._domainkey, or a provider-specific selector like selector1._domainkey).
   • A long TXT record value, usually beginning v=DKIM1; k=rsa; p= followed by a very long string of characters (the public key).
4. Keep this page open so you can copy both pieces accurately.

Step 2 — Confirm Squarespace runs your DNS

A DKIM record only works if it’s added wherever your domain’s nameservers point. If you registered the domain with Squarespace, or connected an outside domain and let Squarespace manage its DNS, you’re in the right place. If your nameservers point to another company, add the DKIM record there instead. In your Squarespace account, open the domain and check its DNS / nameserver settings if you’re unsure.

Step 3 — Publish the key in Squarespace

1. Sign in to Squarespace and open your Domains area.
2. Click the domain, then open its DNS settings (look for DNS / DNS Settings / Advanced DNS / Custom Records).
3. Add a new custom DNS record and set the Type to TXT.
4. In the Host field (sometimes labelled Name), enter only the selector part your provider gave you — for example google._domainkey or selector1._domainkey. Do not add your domain name on the end; Squarespace appends it automatically.
5. In the Data / Value field, paste the long key value exactly as your provider gave it.
6. Save the record.

Quirks people get wrong

• Two places, two companies. Generate in your email provider, publish in Squarespace. Some providers also need you to go back and click something like “Start authentication” after the record is live — don’t skip that, or the key is published but your mail is never signed.
• Don’t put the full domain in Host. If your provider shows google._domainkey.yourdomain.com, you enter only google._domainkey in Squarespace — the rest is added for you. Including the domain again creates a broken host like google._domainkey.yourdomain.com.yourdomain.com.
• Paste the whole key — it’s long. DKIM public keys are hundreds of characters. Make sure nothing is cut off and no stray spaces or line breaks crept in when you copied it.
• Don’t add your own quotes. Paste the plain value; Squarespace handles the quoting. Manually adding " marks on top can corrupt the record.
• Match the selector exactly. The host in Squarespace must match what your provider expects, character for character — that’s how the receiver finds the right key.
• Give it time. DNS changes can take minutes up to a couple of hours before your provider can confirm the record and DKIM starts validating.

Verify it worked

After publishing the record (and turning authentication on at your provider, if it requires that), allow a little propagation time, then run the free check on Defaults.Exposed. It will confirm in plain language whether your DKIM record is published and readable. Your data is processed in the EU.

Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.