DKIM (DomainKeys Identified Mail) is a non-negotiable for cold email in 2026. Without it, Gmail, Outlook, and every major inbox provider will either reject your emails outright or send them straight to spam. This guide walks you through exactly how to set it up — from DNS records to verification — for Postmark, SendGrid, and custom SMTP setups.
We spent 13 days debugging DKIM issues while building OutboundHQ. This guide distills everything we learned so you don't have to.
DKIM is an email authentication protocol that lets receiving mail servers verify that an email was actually sent by the domain it claims to be from, and that the message wasn't tampered with in transit.
Here's how it works at a high level:
If the signature doesn't match — because the email was forged, or someone tampered with it — the check fails and the email gets flagged or rejected.
For transactional email, DKIM is helpful. For cold email, it's existential. Here's why:
reject or quarantine, your emails get dropped.
DKIM alone isn't enough. You need SPF + DKIM + DMARC for full email authentication coverage. But DKIM is the one most people get wrong — start here.
Postmark is one of the better-documented ESPs for DKIM setup, and it's what we use at OutboundHQ. Here's the exact process:
yourdomain.com) and click Continue.
Postmark will show you a TXT record to add to your DNS. It looks like this:
Type: TXT
Host: pm._domainkey.yourdomain.com
Value: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
The pm prefix is the DKIM selector — it's how receiving servers know which key to look up. Postmark uses pm, but each ESP has its own convention.
Go to your DNS provider (Cloudflare, Route 53, Namecheap, GoDaddy, wherever your domain lives) and add the TXT record exactly as Postmark provided. A few things to watch for:
pm._domainkey (without the root domain), others want the full pm._domainkey.yourdomain.com. If in doubt, try the shorter version first.
Back in Postmark, click Verify DKIM. DNS propagation can take anywhere from 5 minutes to 48 hours, but usually resolves within 30 minutes. If it fails immediately after adding the record, wait 10 minutes and try again.
If you're on Cloudflare, make sure the DNS record is set to DNS Only (grey cloud), not Proxied (orange cloud). Proxying a TXT record through Cloudflare will break DKIM verification.
SendGrid calls their DKIM process "Domain Authentication" and it adds both DKIM and SPF in one flow. Here's how:
SendGrid uses CNAME records instead of TXT records for DKIM. You'll get three records to add:
Type: CNAME
Host: s1._domainkey.yourdomain.com
Value: s1.domainkey.u123456.wl.sendgrid.net
Type: CNAME
Host: s2._domainkey.yourdomain.com
Value: s2.domainkey.u123456.wl.sendgrid.net
Type: CNAME
Host: em1234.yourdomain.com
Value: u123456.wl.sendgrid.net
Add all three to your DNS exactly as shown. The third CNAME (em####) handles SPF via subdomain alignment.
Back in SendGrid, click Verify. If it fails, wait and retry — CNAME propagation can lag. You can also check propagation manually:
dig CNAME s1._domainkey.yourdomain.com
If you see the expected sendgrid.net value returned, DNS has propagated and SendGrid should verify on the next check.
If you're running your own mail server (Postfix, Exim, or using something like mailcow), you'll need to generate your own DKIM keys and set up OpenDKIM.
openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem
Choose a selector name — convention is the year and month (e.g., 2026-05) so you can rotate keys on a schedule.
Format your public key for DNS. Strip the header/footer lines and concatenate into one string:
Type: TXT
Host: 2026-05._domainkey.yourdomain.com
Value: v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_HERE
The v=DKIM1 tag is required. The k=rsa specifies the key type. The p= value is your base64-encoded public key (without PEM headers).
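An added example (not part of the original guide or any ESP's tooling): a Python sketch of the formatting step above. It strips the PEM header and footer, joins the base64 body into a single p= value, and splits the result into the 255-byte strings that one TXT record holds, since a 2048-bit key does not fit in a single string. The sample PEM is constructed filler and the function names are illustrative.

```python
import base64

def pem_to_dkim_txt(pem: str) -> str:
    """Strip the PEM header/footer and join the base64 body into one TXT value."""
    lines = (ln.strip() for ln in pem.splitlines())
    key_b64 = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    base64.b64decode(key_b64, validate=True)  # raises if non-base64 text survived
    return f"v=DKIM1; k=rsa; p={key_b64}"

def as_txt_strings(value: str, limit: int = 255) -> list:
    """Split one TXT value into the <=255-byte strings a DNS TXT record holds."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def zone_file_line(selector: str, domain: str, value: str) -> str:
    """BIND-style rendering: several quoted strings, still ONE TXT record."""
    quoted = " ".join(f'"{part}"' for part in as_txt_strings(value))
    return f"{selector}._domainkey.{domain}. IN TXT ( {quoted} )"

# Constructed stand-in for dkim_public.pem: 294 filler bytes (the DER size of a
# 2048-bit RSA public key), wrapped at 64 columns like openssl output.
# It is NOT a real key.
_B64 = base64.b64encode(bytes(i % 256 for i in range(294))).decode()
SAMPLE_PEM = "\n".join(["-----BEGIN PUBLIC KEY-----",
                        *(_B64[i:i + 64] for i in range(0, len(_B64), 64)),
                        "-----END PUBLIC KEY-----"])

if __name__ == "__main__":
    value = pem_to_dkim_txt(SAMPLE_PEM)
    print(len(value), "characters in", len(as_txt_strings(value)), "strings")
    print(zone_file_line("2026-05", "yourdomain.com", value))
```

Most DNS panels do the 255-byte split for you when you paste the single-line value; the zone-file form matters when you edit records by hand.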
In your OpenDKIM config (/etc/opendkim.conf):
Domain yourdomain.com
KeyFile /etc/opendkim/keys/dkim_private.pem
Selector 2026-05
Socket inet:12301@localhost
Then wire OpenDKIM into Postfix's milter configuration. The exact steps depend on your server setup — see the OpenDKIM documentation for your distribution.
Don't assume DKIM is working just because the DNS record is live. Always test:
Send an email from your domain to the unique address that mail-tester.com generates. It gives you a full authentication report including DKIM pass/fail, SPF status, and DMARC alignment — and shows you the actual headers so you can see what's being signed.
Google provides a free MX lookup tool that checks DNS records including DKIM. Enter your domain and selector to confirm the record is properly formatted and reachable.
Send yourself a test email and inspect the raw headers. In Gmail: click the three-dot menu → Show original. Look for:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=yourdomain.com; s=pm; ...
And further down in the authentication results:
Authentication-Results: mx.google.com;
        dkim=pass header.i=@yourdomain.com header.s=pm header.b=XXXXXXXX
dkim=pass is what you're looking for. Anything else means something is misconfigured.
The most common mistake. Your DNS provider might want pm._domainkey or pm._domainkey.yourdomain.com — they vary. If verification fails, try the other format. Also double-check you're not accidentally adding .yourdomain.com.yourdomain.com (some panels auto-append the root domain).
When pasting long DKIM values, line breaks can sneak in. The DNS value should be a single unbroken string. If your DNS panel shows it split across multiple lines, make sure it's treating that as one value, not multiple records.
If you have two TXT records with the same host (pm._domainkey.yourdomain.com), DKIM breaks. Only one record per selector is allowed. Delete any duplicate and re-verify.
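The three DNS mistakes above can be checked mechanically. This added Python example (not from the original guide) takes the TXT records found at a selector host, each as its list of quoted strings, and reports a doubled root domain, line breaks inside p=, and duplicate records. lint_selector and the sample key are hypothetical, and the key bytes are constructed filler.

```python
import base64
import re

def parse_tags(value: str) -> dict:
    """Parse a DKIM key record's 'tag=value; tag=value' list."""
    pairs = (item.partition("=") for item in value.split(";") if "=" in item)
    return {name.strip(): val.strip() for name, _, val in pairs}

def lint_selector(host: str, domain: str, records: list) -> list:
    """Check every TXT record found at `host` (each given as its list of
    quoted strings) against the mistakes described above."""
    problems = []
    if host.rstrip(".").endswith(f".{domain}.{domain}"):
        problems.append("root domain appended twice in host")
    if len(records) != 1:
        problems.append(f"expected exactly 1 TXT record, found {len(records)}")
    for strings in records:
        tags = parse_tags("".join(strings))  # strings of one record are joined
        key = tags.get("p")
        if tags.get("v", "DKIM1") != "DKIM1":
            problems.append("v= tag is present but is not DKIM1")
        if key is None:
            problems.append("record has no p= tag")
        elif "-----" in key:
            problems.append("PEM header/footer left in p=")
        elif re.search(r"\s", key):
            problems.append("whitespace or line break inside p=")
        else:
            try:
                base64.b64decode(key, validate=True)
            except ValueError:
                problems.append("p= is not valid base64")
    return problems

# Constructed filler standing in for a public key; not a real key.
KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
GOOD = f"v=DKIM1; k=rsa; p={KEY}"

if __name__ == "__main__":
    host = "pm._domainkey.yourdomain.com"
    print(lint_selector(host, "yourdomain.com", [[GOOD[:255], GOOD[255:]]]))
    print(lint_selector(host, "yourdomain.com", [[GOOD], [GOOD]]))
    broken = f"v=DKIM1; k=rsa; p={KEY[:64]}\n{KEY[64:]}"
    print(lint_selector(host + ".yourdomain.com", "yourdomain.com", [[broken]]))
```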
Even with perfect DKIM, sending cold email from info@gmail.com or a fresh domain with no history is a deliverability red flag. DKIM is one piece of the puzzle — domain age, warmup, and sending volume matter too. See our guide on deliverability tools for the full picture.
DMARC requires your "From" domain to align with the domain in your DKIM signature. If you're sending from hello@mail.yourdomain.com but signing with yourdomain.com, check whether your DMARC policy requires strict or relaxed alignment. Relaxed alignment (the default) allows subdomain matches; strict requires exact matches.
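An added example, not from the original guide: a Python check that reads a raw message as shown by Gmail's Show original, extracts the DKIM result, signing domain and selector, and tests alignment against the From domain in relaxed or strict mode. It assumes the organizational domain is the last two labels (a real evaluator uses the Public Suffix List), and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels. Real DMARC
    evaluators use the Public Suffix List (needed for names like example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_dkim(raw: str, authserv_id: str = "mx.google.com", strict: bool = False) -> dict:
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Unfold the first DKIM-Signature header and read its tag=value list.
    sig = re.sub(r"\s+", "", msg.get("DKIM-Signature", ""))
    tags = dict(t.split("=", 1) for t in sig.split(";") if "=" in t)
    d = tags.get("d", "").lower()
    # Trust only the Authentication-Results header stamped by our own receiver;
    # a sender can add look-alike headers of its own.
    result = "none"
    for header in msg.get_all("Authentication-Results", []):
        if header.strip().lower().startswith(authserv_id.lower() + ";"):
            m = re.search(r"\bdkim=(\w+)", header)
            result = m.group(1).lower() if m else "none"
            break
    if strict:
        aligned = bool(d) and d == from_domain
    else:
        aligned = bool(d) and org_domain(d) == org_domain(from_domain)
    return {"dkim": result, "d": d, "selector": tags.get("s"),
            "from_domain": from_domain, "aligned": aligned}

# Constructed sample, shaped like Gmail's "Show original" view.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=pm header.b=XXXXXXXX
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
       d=yourdomain.com; s=pm; h=from:to:subject; bh=XXXX; b=XXXXXXXX
From: Sender <hello@mail.yourdomain.com>
To: you@example.com
Subject: DKIM test

Test body.
"""

if __name__ == "__main__":
    print(check_dkim(SAMPLE))
    print(check_dkim(SAMPLE, strict=True)["aligned"])
```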
If your DMARC policy is set to p=reject and DKIM fails, your emails are silently dropped. Start with p=none while debugging, then tighten once authentication is confirmed passing.
DKIM doesn't operate in isolation. Here's the minimum authentication stack for cold email in 2026:
none), quarantine to spam (quarantine), or reject outright (reject). Also enables reporting so you can see who's sending on your behalf.
A minimal DMARC record looks like:
Type: TXT
Host: _dmarc.yourdomain.com
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Start with p=none to collect reports without affecting delivery. Once you've confirmed DKIM and SPF are passing consistently, move to p=quarantine, then p=reject.
Once DKIM is set up, run through this checklist before your first campaign:
dig TXT pm._domainkey.yourdomain.com)
dkim=pass in Authentication-Results
p=none) to start collecting data
DKIM is one of those things that takes 30 minutes to set up and saves you weeks of deliverability headaches. Get it done before your first campaign — not after you're already in spam folders trying to figure out why.
For the rest of the deliverability stack, see our guide to the best cold email tools in 2026 and how OutboundHQ compares to Instantly on deliverability features.