Cloudflare DKIM Setup Guide (2026) - Full Walkthrough

Step-by-step guide to setting up DKIM in Cloudflare DNS. Covers key generation, record config, pitfalls, verification, and troubleshooting.

9 min read · Prospeo Team

How to Set Up DKIM in Cloudflare DNS: The Complete 2026 Guide

You just added your domain to Cloudflare, pointed your MX records at Google Workspace or Microsoft 365, and assumed email authentication was handled. It's not. Cloudflare DKIM configuration doesn't happen automatically, and the DNS panel has a few quirks that'll silently break your setup if you don't know where to look.

Why DKIM Matters

Phishing accounts for over 80% of cyberattacks, and email scams cost businesses roughly $50 billion a year. DKIM (DomainKeys Identified Mail) is one of three protocols - alongside SPF and DMARC - that prove your emails are legitimate and haven't been tampered with in transit.

Without DKIM, receiving mail servers have no way to verify that a message claiming to be from your domain was actually sent by your infrastructure. That's how spoofing works. And up to 80% of domains misconfigure DMARC, which means their policy won't reliably enforce spoofing protection unless SPF or DKIM is set up correctly. If you're running outbound campaigns, transactional emails, or even just internal comms on a custom domain, DKIM isn't optional.

What You Need

The entire process boils down to three steps:

  1. Generate your DKIM key in your email provider
  2. Add the DNS record in Cloudflare's dashboard
  3. Verify the record is resolving and emails pass DKIM checks (if you want a deeper walkthrough, see verify DKIM is working)

One critical clarification: Cloudflare doesn't generate DKIM keys. It's a DNS host, not an email provider. Your ESP creates the key pair; Cloudflare just publishes the public half.

What Is a DKIM Record?

A DKIM record is a DNS TXT record that stores the public key used to verify your email's cryptographic signature. When you send an email, your provider signs it with a private key. The receiving server looks up the corresponding public key in DNS, checks the signature, and confirms the message hasn't been altered.

The record lives at a specific hostname following this format:

[selector]._domainkey.[yourdomain.com]

The selector is a label your email provider assigns - it tells receiving servers which key to look up. Google Workspace commonly uses google as its selector; Microsoft 365 uses selector1 and selector2.

Some providers publish DKIM via CNAME records that point to their own DNS infrastructure. The official RFC requires TXT records, but CNAMEs work because they ultimately resolve to a TXT. Microsoft 365 is one of the most common CNAME-based setups you'll encounter.

When you inspect an email's DKIM signature header, these are the fields that matter:

Field | Meaning
d=    | Signing domain
s=    | Selector name
h=    | Headers that were signed
bh=   | Body hash (integrity check)
b=    | The cryptographic signature
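The header fields above are easier to reason about when you pull them out of a real DKIM-Signature header. The following is an added example, not code from the original article: it unfolds a constructed DKIM-Signature header (the base64 values are placeholders, not a real signature), splits the tag=value list, and derives the exact hostname a receiving server queries from the s= and d= tags.

```python
# Added example (not from the original article): parse a DKIM-Signature
# header into its tags and derive the DNS name a verifier looks up.
import re

# Constructed sample header, folded across lines as it appears in a raw
# message. The bh= and b= values are placeholders, not a real signature.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google;\r\n"
    "\th=from:to:subject:date:message-id;\r\n"
    "\tbh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    "\tb=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ==\r\n"
)


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM tag=value list (RFC 6376, section 3.2) into a dict.

    Folding whitespace (a line break followed by a space or tab) is removed
    first; whitespace inside values is dropped, which is how verifiers read
    the base64 bh= and b= values.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", "", header_value)
    tags = {}
    for part in unfolded.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(tags: dict) -> str:
    """The hostname receivers query: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def signed_headers(tags: dict) -> list:
    """The h= tag is a colon-separated list of the header names that were signed."""
    return [h.strip().lower() for h in tags["h"].split(":") if h.strip()]


def summarize(header_value: str) -> dict:
    """Collect the fields from the table above into one readable structure."""
    tags = parse_dkim_tags(header_value)
    return {
        "signing_domain": tags["d"],
        "selector": tags["s"],
        "dns_name": dkim_dns_name(tags),
        "signed_headers": signed_headers(tags),
        "body_hash": tags["bh"],
        "signature_present": bool(tags.get("b")),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DKIM_SIGNATURE).items():
        print(f"{key}: {value}")
```

Run it against the DKIM-Signature line copied from a message's raw headers and the dns_name it prints is the record you should find in Cloudflare; if it is not there, that is the lookup that will fail.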

Generate Your DKIM Key

Your email provider creates the key pair. Cloudflare just hosts the public side.

Google Workspace

Head to Admin Console -> Apps -> Google Workspace -> Gmail -> Authenticate email. Select your domain and click "Generate new record." Choose 2048-bit. 1024-bit is deprecated and shouldn't be used for new setups.

Google will give you a TXT record value starting with v=DKIM1;. The selector is commonly google, so your DNS record name will be google._domainkey. Copy the full key value.

After publishing, verify with:

dig TXT google._domainkey.yourdomain.com +short

Microsoft 365

Microsoft takes a different approach: two CNAME records instead of TXT. The selectors are selector1._domainkey and selector2._domainkey, each pointing to Microsoft's infrastructure.

A typical target format looks like this:

selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Replace dots in your domain with dashes, and replace yourtenant with your Microsoft 365 tenant name. Only one selector is active at a time - Microsoft handles rotation between the two automatically. You configure this in the Defender portal under Email authentication -> DKIM.

Here's the thing most admins miss: DKIM signing for custom domains in Microsoft 365 doesn't happen by default. You have to explicitly enable it, or your outbound mail won't carry a DKIM signature aligned with your domain. In our experience, this catches more people than any DNS misconfiguration.

Other ESPs

Most other providers use standard TXT records. Postmark gives you a TXT DKIM record in its DNS settings. Mailchimp uses CNAME-based DKIM. SendGrid uses multiple CNAME records - commonly s1._domainkey and s2._domainkey, plus an additional record depending on your setup. Brevo provides DKIM DNS records in its domain-authentication settings, with the record type varying by configuration.

Always check your ESP's documentation for the exact selector and record type. A wrong selector means DKIM silently fails.

Add the Record in Cloudflare DNS

Log into your Cloudflare dashboard, select your domain, and go to DNS -> Records -> Add Record.

  1. Type: Select TXT - or CNAME if your provider requires it, as Microsoft 365 and many ESPs do
  2. Name: Enter only the selector portion, like google._domainkey. Cloudflare automatically appends your domain, so don't paste the full hostname or you'll end up with google._domainkey.yourdomain.com.yourdomain.com
  3. Content: Paste the full key value your ESP provided. For TXT records, this is the v=DKIM1; k=rsa; p=MIIBIj... string. Don't add quotes around it
  4. TTL: Set to Auto. That's typically 300 seconds in Cloudflare, which is ideal during initial setup - faster propagation means faster corrections if something's wrong
  5. Proxy status: If you're adding a CNAME record, set it to DNS-only (grey cloud). Proxied CNAMEs will break DKIM. TXT records aren't proxied by Cloudflare, so this only applies to CNAME setups.

Click Save. DNS propagation usually completes within an hour to a few hours, though it can stretch to 24-48 hours with aggressive caching upstream.
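The five dashboard settings above map directly onto the Cloudflare DNS API. As an added example (not the article's code, and not Cloudflare's own client), the script below builds the record payloads for a Google Workspace TXT record and the two Microsoft 365 CNAME records, strips the zone name if a full hostname was pasted into the Name field, forces DNS-only, and uses TTL 1 (which the API treats as Auto). The zone example.com, the tenant name contoso and the CF_ZONE_ID / CF_API_TOKEN environment variables are assumptions; nothing is sent unless those variables are set.

```python
# Added example (not the article's code): build Cloudflare DNS API payloads
# for DKIM records and guard against the dashboard pitfalls described above
# (zone appended twice, proxied CNAME, cosmetic quotes).
import json
import os
import urllib.request


def cloudflare_record_name(entered_name: str, zone: str) -> str:
    """Return the relative name Cloudflare expects in the Name field.

    If a fully qualified hostname was pasted, strip the zone so the record
    does not end up as google._domainkey.example.com.example.com.
    """
    name = entered_name.strip().rstrip(".").lower()
    zone = zone.strip().rstrip(".").lower()
    if name == zone:
        return "@"
    suffix = "." + zone
    if name.endswith(suffix):
        name = name[: -len(suffix)]
    return name


def m365_cname_targets(domain: str, tenant: str) -> dict:
    """Microsoft 365 style CNAME targets: dots in the domain become dashes."""
    flat = domain.lower().replace(".", "-")
    return {
        f"selector{i}._domainkey":
            f"selector{i}-{flat}._domainkey.{tenant}.onmicrosoft.com"
        for i in (1, 2)
    }


def dkim_record_payload(zone: str, name: str, record_type: str, content: str) -> dict:
    """Body for POST /client/v4/zones/{zone_id}/dns_records with the article's settings."""
    record_type = record_type.upper()
    if record_type not in ("TXT", "CNAME"):
        raise ValueError("DKIM records are TXT or CNAME")
    content = content.strip().strip('"')  # the dashboard's quotes are cosmetic
    if record_type == "TXT" and not content.startswith("v=DKIM1"):
        raise ValueError("TXT content should begin with v=DKIM1")
    return {
        "type": record_type,
        "name": cloudflare_record_name(name, zone),
        "content": content,
        "ttl": 1,          # 1 means "Auto" in the Cloudflare API
        "proxied": False,  # DNS-only (grey cloud); a proxied CNAME breaks DKIM
    }


def create_record(zone_id: str, api_token: str, payload: dict) -> dict:
    """POST one record; only called when real credentials are supplied."""
    req = urllib.request.Request(
        f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    zone = "example.com"  # assumed zone
    records = [dkim_record_payload(zone, "google._domainkey.example.com", "TXT",
                                   '"v=DKIM1; k=rsa; p=MIIBIj..."')]  # placeholder key
    for rel_name, target in m365_cname_targets(zone, "contoso").items():  # assumed tenant
        records.append(dkim_record_payload(zone, rel_name, "CNAME", target))
    for record in records:
        print(json.dumps(record))
    zone_id, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    if zone_id and token:
        for record in records:
            print(create_record(zone_id, token, record)["success"])
```

The point of routing every record through dkim_record_payload is that the two settings people get wrong in the dashboard (the Name field and the proxy toggle) are fixed in one place and cannot drift between records.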


Cloudflare-Specific Pitfalls

Cloudflare's DNS works great, but it has behaviors that catch people off guard with DKIM specifically.

Orange cloud on CNAMEs breaks DKIM. If you're using CNAME-based DKIM for Microsoft 365 or any other ESP, the record must be set to DNS-only. When proxied, DNS lookups hit Cloudflare's edge servers instead of resolving to your ESP's DKIM key. Cloudflare's own docs explicitly state that CNAME records used for third-party verification shouldn't be proxied. We've seen this exact mistake break DKIM for Microsoft 365 setups dozens of times - it's the single most common failure we encounter.

Double quotes in the TXT UI are cosmetic. Cloudflare's dashboard displays TXT record values wrapped in double quotes. They're a display convention - the actual DNS response doesn't include them. If a checker is failing, the quotes aren't the problem.

Auto-appending the domain name. Paste google._domainkey.yourdomain.com into the Name field and Cloudflare appends your domain again, creating google._domainkey.yourdomain.com.yourdomain.com. Only enter the subdomain portion.

Long TXT records and 2048-bit keys. A 2048-bit DKIM key produces a TXT value exceeding the 255-character DNS string limit for a single string. DNS supports splitting TXT into multiple strings that concatenate, and Cloudflare handles the splitting automatically - just paste the full value as one continuous string.

Still running 1024-bit? Upgrade now. 1024-bit keys are deprecated for modern deliverability and security.

Verify Your DKIM Record

Skip standalone DKIM checker tools. Different validators give conflicting results - a known frustration on r/mxroute that wastes hours of debugging time. Send a real email and inspect the headers. It's faster and more reliable.

1. Send a test email to mail-tester.com. This is the most reliable end-to-end proof. Go to mail-tester.com, grab the temporary address, send a real email from your domain, and check the results. If DKIM passes here, you're done. Everything else is secondary.

2. Check Gmail's "Show original" header. Send an email to a Gmail account, open it, click the three dots -> Show original. Look for the Authentication-Results header:

dkim=pass header.s=google header.d=yourdomain.com

The header.s= confirms which selector was used. The header.d= confirms the signing domain. If both match your setup and the result is pass, DKIM is working.

3. DNS lookup as a sanity check. Run this from your terminal:

dig TXT google._domainkey.yourdomain.com +short

Or use MXToolbox's DKIM lookup. If the public key appears in the response, the DNS record is published correctly. But a published record doesn't guarantee your ESP is actually signing with the matching private key - that's why the send-and-check method wins.

In our testing, mail-tester.com catches issues that standalone DNS checkers miss entirely. If mail-tester passes but a standalone checker says "not found," the checker is likely querying the wrong hostname. DKIM records live at selector._domainkey.yourdomain.com, not at the domain root.

Troubleshooting DKIM Failures

When DKIM fails, the error message in the Authentication-Results header tells you what went wrong.

Error                         | Cause                                | Fix
Selector not found            | Wrong selector or missing _domainkey | Confirm exact selector from ESP
Key not found                 | DNS propagation or proxied CNAME     | Wait 24-48h; check grey cloud
Body hash mismatch            | Message modified in transit          | Check forwarders, disclaimers
Signature verification failed | Key mismatch or truncated TXT        | Re-paste the full key value
temperror                     | DNS timeout during lookup            | Check TTL; wait for propagation
permerror                     | Record syntax error                  | Check for whitespace, smart quotes

Body hash mismatch happens when something between your server and the recipient alters the message body - email disclaimers appended by a gateway, forwarding services, or security appliances that rewrite content. This isn't a Cloudflare problem; it's a transit problem.

The permerror result usually means your TXT record has a formatting issue. Smart quotes copied from a Word document, invisible line breaks, or trailing whitespace can all corrupt the record. Re-paste the key from your ESP's dashboard using a plain-text editor. Let's be honest - we've spent embarrassing amounts of time debugging what turned out to be a stray invisible character.
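Two of the problems described on this page, the 255-character string split for 2048-bit keys in the pitfalls section and the stray characters behind permerror here, can be checked before the record ever reaches DNS. The script below is an added example, not the article's or any vendor's code: it splits a TXT value into 255-byte strings the way a DNS server serves it, reassembles them the way a verifier does, flags non-ASCII or control characters (smart quotes, invisible line breaks), and decodes the p= tag far enough to read the RSA modulus size. The sample record is constructed from a dummy modulus so it runs offline; it is not a real key and must not be published.

```python
# Added example (not from the article): validate a DKIM TXT value the way a
# verifier reads it, and measure the RSA key size in the p= tag.
import base64
import binascii
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


# --- minimal DER helpers, just enough for an RSA SubjectPublicKeyInfo ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the integer positive
    return b"\x02" + _der_len(len(b)) + b


def _der_seq(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body


def rsa_spki(n: int, e: int = 65537) -> bytes:
    """Encode an RSA public key as SubjectPublicKeyInfo (what p= carries)."""
    key = _der_seq(_der_int(n), _der_int(e))
    bit_string = b"\x03" + _der_len(len(key) + 1) + b"\x00" + key
    return _der_seq(_der_seq(RSA_OID, b"\x05\x00"), bit_string)


def _tlv(buf: bytes, pos: int):
    """Read one tag-length-value; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, outer, _ = _tlv(spki, 0)
    _, alg, after_alg = _tlv(outer, 0)      # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("not an RSA key")
    _, bit_string, _ = _tlv(outer, after_alg)
    _, rsa_key, _ = _tlv(bit_string[1:], 0)  # skip the unused-bits byte
    _, modulus, _ = _tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


# --- TXT record handling ---
def split_txt(value: str, limit: int = 255) -> list:
    """Split a long TXT value into DNS character-strings, as Cloudflare does."""
    raw = value.encode()
    return [raw[i:i + limit].decode() for i in range(0, len(raw), limit)]


def check_dkim_txt(strings: list) -> dict:
    value = "".join(strings)  # verifiers concatenate the strings back together
    problems = []
    if any(ord(ch) < 32 or ord(ch) > 126 for ch in value):
        problems.append("non-ASCII or control character (smart quote or line break?)")
    tags = {}
    for part in value.split(";"):
        if part.strip():
            name, _, tag_value = part.partition("=")
            tags[name.strip()] = tag_value.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    bits = None
    try:
        spki = base64.b64decode(re.sub(r"\s+", "", tags.get("p", "")), validate=True)
        bits = rsa_modulus_bits(spki)
    except (binascii.Error, ValueError, IndexError):
        problems.append("p= is not a valid base64 RSA public key")
    if bits is not None and bits < 2048:
        problems.append(f"{bits}-bit key is below the 2048-bit minimum")
    return {"tags": tags, "key_bits": bits, "problems": problems}


def constructed_record(bits: int) -> str:
    """Constructed DKIM1 record with a dummy modulus: NOT a real key."""
    n = (1 << (bits - 1)) | 0x10001
    return f"v=DKIM1; k=rsa; p={base64.b64encode(rsa_spki(n)).decode()}"


if __name__ == "__main__":
    good = constructed_record(2048)
    print(len(good), "chars ->", len(split_txt(good)), "DNS strings")
    print(check_dkim_txt(split_txt(good)))
    smart = good.replace("v=DKIM1; k=rsa;", "\u201cv=DKIM1\u201d; k=rsa;")
    print(check_dkim_txt([smart]))
```

Feed it the strings that dig returns for your selector and you get the same three answers a receiver cares about: does it parse, is the key 2048 bits, and is there a character in it that should not be.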

DKIM Key Rotation

Most organizations set DKIM once and never touch it again. Keys sit unchanged for years with no clear owner between IT, security, and DNS admins. That's a risk. If a private key is ever compromised, every email signed with it can be spoofed until you rotate. Use a selector naming convention that includes a time reference like s2026q1 so you can track age at a glance.

The zero-downtime rotation process:

  1. Lower your TTL to 300 seconds a day before the rotation
  2. Publish the new public key at the new selector in Cloudflare DNS
  3. Switch your ESP's signing configuration to use the new selector
  4. Retire the old key after confirming DKIM passes with the new selector - give it 48-72 hours

Always use 2048-bit RSA minimum for new keys. If you're on Microsoft 365, rotation is partially built in - Microsoft manages two selectors and can rotate between them, though you should still verify the process is actually happening.

DKIM, SPF, and DMARC Together

DKIM doesn't work in isolation. SPF, DKIM, and DMARC form a trio: SPF validates the sending server, DKIM validates message integrity, and DMARC ties them together with a policy that tells receiving servers what to do when checks fail.

For DMARC to pass, either SPF or DKIM must pass and align with the domain in the From: header. Alignment can be relaxed - subdomains count - or strict, requiring an exact match. Most setups use relaxed alignment, which works for the majority of use cases (more on this in DMARC alignment).
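The "Show original" check in the verification section and the alignment rule here are the same question asked twice: which domain signed, and does it line up with From:. The following is an added example, not the article's code: it parses a constructed Authentication-Results header of the shape Gmail shows, pulls out the dkim result with its header.s and header.d properties, and tests relaxed versus strict alignment against the From: domain. The organizational-domain logic is simplified to the last two labels; real DMARC uses the Public Suffix List, so treat that helper as an assumption.

```python
# Added example (not the article's code): read an Authentication-Results
# header and check DKIM alignment with the From: domain.
import re

# Constructed header, shaped like Gmail's "Show original" output. The signing
# domain is a subdomain of From: on purpose, to show relaxed vs strict.
SAMPLE_AUTH_RESULTS = (
    "Authentication-Results: mx.google.com;\n"
    "       dkim=pass header.s=google header.d=mail.example.com;\n"
    "       spf=pass (google.com: domain of bounce@mail.example.com designates"
    " 203.0.113.5 as permitted sender) smtp.mailfrom=bounce@mail.example.com;\n"
    "       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com"
)


def parse_auth_results(header: str) -> dict:
    """Return {method: {"result": ..., property: value, ...}} per method clause."""
    body = header.split(":", 1)[1] if header.lower().startswith("authentication-results") else header
    body = re.sub(r"\([^)]*\)", "", body)   # drop parenthesised comments
    body = re.sub(r"\s+", " ", body)
    clauses = [c.strip() for c in body.split(";")]
    results = {}
    for clause in clauses[1:]:              # clause 0 is the authserv-id
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method] = {"result": result, **props}
    return results


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels. Real DMARC consults the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "relaxed") -> bool:
    """Strict: exact match. Relaxed: same organizational domain (subdomains count)."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "strict":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def dkim_verdict(header: str, from_domain: str, mode: str = "relaxed") -> dict:
    """Did DKIM pass, which selector/domain signed, and does it align with From:?"""
    dkim = parse_auth_results(header).get("dkim", {})
    passed = dkim.get("result") == "pass"
    signing_domain = dkim.get("header.d", "")
    return {
        "dkim_pass": passed,
        "selector": dkim.get("header.s"),
        "signing_domain": signing_domain,
        "aligned": passed and bool(signing_domain)
                   and aligned(signing_domain, from_domain, mode),
    }


if __name__ == "__main__":
    for mode in ("relaxed", "strict"):
        print(mode, dkim_verdict(SAMPLE_AUTH_RESULTS, "example.com", mode))
```

A dkim=pass with aligned False is the case that trips people up: the signature is valid, but because header.d is not the From: domain (or not in its organizational domain under relaxed mode), DMARC gets no credit from DKIM and falls back to SPF.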

Authentication is one half of deliverability. The other half is data quality. If you're sending outbound campaigns, tools like Prospeo verify emails in real time with 98% accuracy, so your authenticated emails actually reach real inboxes instead of bouncing and wrecking your sender reputation (see email deliverability and how to improve sender reputation).

FAQ

Does Cloudflare generate DKIM keys?

No. DKIM keys are generated by your email provider - Google Workspace, Microsoft 365, Postmark, or whichever ESP you use. Cloudflare is a DNS host that publishes the public key record but has no role in creating or managing the key pair itself.

Should I use TXT or CNAME for DKIM in Cloudflare?

Use whichever record type your email provider specifies. Microsoft 365 requires CNAMEs; most other providers use TXT. If you're adding a CNAME in Cloudflare, set the proxy status to DNS-only (grey cloud) or DKIM lookups will fail.

How long does DKIM DNS propagation take?

Typically within one to a few hours. Global DNS caching can delay full propagation up to 24-48 hours. Lower your TTL to 300 seconds before making changes to minimize the wait.

Why does my DKIM checker say "not found"?

You're likely querying the wrong hostname. DKIM records live at selector._domainkey.yourdomain.com, not at the domain root. Confirm your exact selector with your email provider, then query that specific hostname using dig or MXToolbox.
