AES Encryption Explained: How It Works and Why It Matters
Jun 23, 2026
Build DKIM DNS TXT records for email signing with custom selector, key type, and flags.
The domain that sends email (e.g., your company domain).
A unique name for this key (e.g., google, sendgrid, default).
RSA key length. 2048-bit is the standard for most providers.
RSA (k=rsa)
RSA SHA-256 is the most widely supported DKIM key type.
Add this as a TXT record in your DNS zone with the record name <selector>._domainkey.<domain>.
DomainKeys Identified Mail (DKIM) is an email authentication method that allows the sender to cryptographically sign email messages. The signature is verified by the receiving server using a public key published in the sender's DNS as a TXT record. DKIM helps ensure email integrity and authenticity, preventing tampering and spoofing.
A DKIM DNS record contains the version tag (v=DKIM1), the hash algorithm (h=sha256), the key type (k=rsa), and the public key (p=...). The record is published at a specific DNS name constructed from the selector and domain: <selector>._domainkey.<domain>. Each email service or sending infrastructure can use a different selector, allowing key rotation without disrupting service.
Common use cases include authenticating email sent through Google Workspace, Microsoft 365, SendGrid, Mailgun, Amazon SES, and other email service providers. DKIM is typically used alongside SPF and DMARC for comprehensive email authentication.
example.com).google (for Google Workspace), sendgrid, mailgun, or default. Your email provider will tell you which selector to use.<selector>._domainkey.<domain>. Then enable DKIM signing in your email server or provider settings.A DKIM selector is a unique identifier that allows multiple DKIM keys to be published for the same domain. This enables key rotation — you can publish a new key with a new selector before switching to it, avoiding email authentication failures during the transition. Email service providers often provide a specific selector name (e.g., google for Google Workspace).
Use OpenSSL: openssl genrsa -out dkim_private.pem 2048 to generate the private key, then openssl rsa -in dkim_private.pem -pubout -outform der 2>/dev/null | openssl base64 -A to get the Base64 public key. Alternatively, most email providers (Google Workspace, Microsoft 365, SendGrid) generate the key pair automatically in their admin console.
SPF checks the sending server IP is authorized. DKIM verifies the message was not tampered with using a cryptographic signature. DMARC tells receiving servers what to do if SPF or DKIM fails. DMARC requires either SPF or DKIM (preferably both) to pass for email to be authenticated. All three are needed for optimal email deliverability and anti-spoofing protection.
Blog
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026