Email authentication helps protect your domain from being used for spam or phishing and improves the delivery of your legitimate emails. Two of the most important authentication methods are DKIM and DMARC.
This article explains what they are, why they matter, and how to set them up for emails that are hosted with us.
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email security feature that proves an email was sent by an authorized sender and wasn’t changed along the way.
How it works
Your email system adds a digital signature to outgoing emails.
You publish the matching public key in your domain’s DNS as a TXT record.
Receiving servers fetch the public key, verify the signature in the email header, and confirm the message’s integrity and authenticity.
What DKIM is used for
Prevents email tampering
Helps prove emails are really from your domain
Improves inbox delivery
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on DKIM (and SPF) and tells email providers what to do if an email fails security checks.
What DMARC is used for
Prevents domain spoofing and phishing
Protects your brand and users
Improves email trust and deliverability
Gives visibility into email activity
Domains are hosted with us - DKIM & DMARC setup
To enable DKIM & DMARC for a domain, open the Domain Manager for that domain, or click on "Domains" in the top menu bar and select the respective domain. Please note that DKIM & DMARC can only be enabled if email services for that domain are activated.
Because the domain is registered with us, DKIM & DMARC setup and verification are completed automatically. This can take a few minutes.
When the setup is done and the verification was successful, the DKIM checkbox will be shown as active.
Externally hosted domains - DKIM & DMARC setup
To enable DKIM & DMARC for a domain, open the Domain Manager for that domain, or click on "Domains" in the top menu bar and select the respective domain. Please note that DKIM & DMARC can only be enabled if email services for that domain are activated.
Important: You don't need DMARC to set up DKIM, but you do need DKIM to set up DMARC. Our recommendation is to set up both records.
Because the domain is registered with another provider, you must manually add the DKIM & DMARC records to that provider’s DNS settings. After enabling the DKIM feature by clicking the checkbox, an overlay will appear showing the DKIM & DMARC records you need to add. Please note that the DKIM & DMARC records must be created as a type "TXT" record.
To add the DKIM and DMARC records:
Log in to your domain provider and open the DNS settings for the relevant domain.
Create a new TXT record for DKIM.
Copy the Host/Name/Label and Value fields for DKIM from the overlay in our Domain Manager and paste them into the corresponding fields in your provider’s DNS settings.
Create another TXT record for DMARC.
Copy the Host/Name/Label and Value fields for DMARC from the overlay in our Domain Manager and paste them into the corresponding fields in your provider’s DNS settings.
After saving the records, return to the overlay in our Domain Manager. Ideally, wait 1-2 minutes and then click Verify to check whether DKIM and DMARC have been set up correctly.
Important: DKIM & DMARC will only function once they have been successfully verified. The checkbox will appear as enabled in the Domain Manager only after verification is complete.
DKIM & DMARC keys are created but verification failed
If you’ve added the DKIM and DMARC records at your domain provider but verification fails, please wait a few minutes and try again. It can take some time for DNS changes to propagate and become available for verification.
If verification still fails, remove the DKIM and DMARC records from your domain provider and set them up again. We recommend checking your provider’s help documentation or contacting their support to see if there are any special requirements for configuring external DKIM and DMARC records. After re-adding the records, wait a few minutes and retry the verification.
If verification continues to fail after you’ve confirmed the records are set up correctly, please contact our support team. Include screenshots from your domain provider showing the complete DNS records, including the full DKIM and DMARC values down to the last character. Even small differences can cause verification to fail.
Please note: if verification fails, the generated DKIM and DMARC keys remain active. This means that if the keys were created but not successfully verified, email delivery issues may occur until the setup is completed correctly.
If the setup with your domain provider doesn't work, we recommend removing the DKIM keys and restarting the whole process.
Remove DKIM & DMARC keys
To remove the keys, go to the Status column for the respective domain. Click on the icon (a yellow triangle with an exclamation mark) and select Remove existing keys. This will open a confirmation overlay—confirm the deletion to remove the keys.
Once deleted, these keys can no longer be used to verify your emails. If you previously added DKIM and DMARC records using these keys in your domain provider’s DNS settings, make sure to remove them as well. Otherwise, your outgoing emails might encounter delivery issues.
If you want to set up a new set of keys, you can restart the process by clicking the DKIM checkbox again. Before doing so, ensure that any old DKIM and DMARC records have been removed from your DNS settings. Failing to do so may cause problems with your outgoing emails.
What happens when you deactivate DKIM?
If you disable DKIM in the Domain Manager, emails can no longer be authenticated via DKIM. This increases the likelihood that they could be marked as spam or considered untrustworthy by receiving mail servers, which could lead to rejection of your emails.
If you decide to disable DKIM, please note that the current DKIM & DMARC keys will be removed from our system and can no longer be used. If you later choose to re-enable DKIM, a new set of keys will be generated and the DKIM & DMARC records need to be set up and verified again.
If your domain is hosted externally, please ensure that you have removed the DKIM & DMARC records from the DNS settings of your domain provider, if you have added them. Otherwise, there might be some issues with your outgoing mails.
Most Common Mistakes when setting up DKIM
1. Malformed DKIM DNS TXT record
DKIM records must be one long line of text. Frequent errors:
- Line breaks or wrapped lines
- Extra spaces or missing semicolons
- Quotation marks added by DNS editors
- Copy/paste errors that break the key
The keys must be copied and pasted correctly, otherwise the DKIM record is invalid.
2. Publishing the record in the wrong DNS zone
Examples:
- Putting the key at example.com instead of p1._domainkey.example.com
- Adding it under a subdomain unintentionally
- Editing DNS in the wrong account/host (common when multiple DNS providers are involved)
3. DKIM not enabled in the mail sending service
Sometimes the DNS is perfect, but:
- DKIM is no longer enabled in the Domain Manager
- The wrong domain is configured
4. Multiple DKIM records with the same selector
If you accidentally add more than one TXT record for DKIM (e.g. because you created new DKIM keys), validation may fail.
5. DNS update not complete
It can take minutes to hours (sometimes even up to 48 hours). We recommend waiting a while before trying to verify the records again.
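Mistakes 1, 2 and 4 above can be checked before clicking Verify. The following is an added example, not code from this article's author or the Domain Manager: the function name lint_dkim, the domain example.com and the sample key are constructed for illustration, and the selector p1 is the one used in the example under mistake 2.

```python
import base64
import binascii
import re

# Constructed placeholder, NOT a real public key: 48 arbitrary bytes, base64-encoded.
SAMPLE_KEY = base64.b64encode(bytes(range(48))).decode()

def lint_dkim(host, txt_values, domain="example.com", selector="p1"):
    """Check the TXT value(s) found at `host` for the mistakes listed above.

    `txt_values` holds one string per TXT record, as a resolver returns it.
    Only the base64 encoding of p= is checked, not the key itself.
    """
    problems = []
    expected = f"{selector}._domainkey.{domain}"
    if host.rstrip(".").lower() != expected:
        problems.append(f"wrong name, expected {expected}")
    if len(txt_values) > 1:
        problems.append("multiple TXT records for the same selector")
    for value in txt_values:
        if "\n" in value or "\r" in value:
            problems.append("line break inside the value")
        if '"' in value:
            problems.append("literal quotation marks in the value")
        tags = {}
        for part in value.replace('"', "").split(";"):
            name, sep, val = part.partition("=")
            if sep:
                tags[name.strip()] = val.strip()
            elif part.strip():
                problems.append(f"text without '=': {part.strip()!r}")
        for name, val in tags.items():
            # A tag value that swallowed the next tag means a ';' is missing.
            if name != "p" and re.search(r"[\s=]", val):
                problems.append(f"missing semicolon after {name}=")
        key = tags.get("p")
        if key is None:
            problems.append("missing p= tag")
        else:
            try:
                # validate=True rejects spaces, line breaks and truncated keys.
                base64.b64decode(key, validate=True)
            except binascii.Error:
                problems.append("p= is not valid base64")
    return problems
```

An empty list means none of these mistakes was found; it does not confirm that the published key matches the one shown in the overlay, so compare the value character by character as well.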