Skip to main content
DKIM (DomainKeys Identified Mail) is a cryptographic email authentication standard that proves a message was genuinely sent by your domain and has not been tampered with in transit. When you enable DKIM for a domain in UGMail, every outbound message is signed with a private key that recipient mail servers can verify against a public key you publish in DNS. Without DKIM, your emails are more likely to be marked as spam or rejected outright — especially by major providers like Gmail, Outlook, and Yahoo.

Why DKIM Matters

Improved deliverability

Signed messages pass authentication checks at receiving servers, reducing the chance of landing in spam or being blocked.

Anti-spoofing protection

DKIM makes it significantly harder for attackers to forge emails that appear to come from your domain.

Reputation building

A consistent DKIM signature helps receiving servers build a positive reputation for your sending domain over time.

DMARC compatibility

DKIM is a prerequisite for enforcing a DMARC policy. Without it, you cannot fully protect your domain from impersonation.

How UGMail Handles DKIM

UGMail generates a unique RSA key pair for each domain you register. The private key is stored securely on UGMail’s infrastructure and used to sign all outbound messages automatically once DKIM is configured. You publish the corresponding public key as a DNS TXT record so that receiving mail servers can look it up and verify the signature. You never need to generate or manage keys manually — UGMail does this for you. Your only job is to add the provided TXT record to your DNS.

Enabling DKIM for a Domain

1

Create your domain in UGMail

If you haven’t already, register your domain by calling POST /api/principal with type: "domain". See Understanding Domains for full details.
2

Retrieve your DNS records

Call GET /api/dns/{domain} to get the DKIM TXT record that UGMail has generated for your domain.
The response includes a DKIM record entry like this:
3

Add the DKIM record to your DNS provider

Log in to your domain registrar or DNS management console and create a new TXT record using the exact host and value from the API response.Save the record and allow time for DNS propagation.
4

Verify the record is live

Once propagation is complete, confirm the record is resolvable. You can use a DNS lookup tool or check directly from the command line:
If the record is live, you will see the v=DKIM1; k=rsa; p=... value in the response.
DNS records can take up to 48 hours to propagate worldwide, although changes typically appear within minutes to a few hours. Outbound mail sent before the record propagates will not carry a verified DKIM signature.

Understanding the DKIM Record Format

The DKIM TXT record is published at a subdomain with the format:
Where <selector> is a short label (chosen by UGMail) that identifies which key was used to sign the message. This allows multiple DKIM keys to coexist on the same domain — useful during key rotation. The value of the record follows the DKIM standard: A full example record looks like this:

DKIM, SPF, and DMARC Together

DKIM works best as part of a layered email authentication strategy. UGMail provides the DNS records for both DKIM and SPF via GET /api/dns/{domain}. Once those are in place, you can layer on a DMARC policy at your DNS provider to instruct receiving servers on what to do when authentication fails. A minimal DMARC record to get started with a monitoring-only policy looks like:
Move to p=quarantine or p=reject once you are confident your SPF and DKIM records are correct.

Verifying Your DKIM Signature

After DNS propagates, send a test message from your domain and verify that the DKIM signature is valid.
Use mail-tester.com or MXToolbox’s Email Header Analyzer to check your DKIM signature and get a full authentication report. These tools show whether DKIM, SPF, and DMARC all pass for a given message.
A passing DKIM check in a message header looks like this:

Next Steps

Domains

Review the full domain setup flow including MX and SPF records.

Mailboxes

Start provisioning email accounts under your authenticated domain.
Last modified on July 17, 2026