> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mail.ugmail.co/llms.txt
> Use this file to discover all available pages before exploring further.

# DKIM Signing in UGMail: Authenticate Outbound Email

> DKIM authenticates your outbound email with a cryptographic signature, improving deliverability and preventing spoofing. UGMail manages keys per domain.

DKIM (DomainKeys Identified Mail) is a cryptographic email authentication standard that proves a message was genuinely sent by your domain and has not been tampered with in transit. When you enable DKIM for a domain in UGMail, every outbound message is signed with a private key that recipient mail servers can verify against a public key you publish in DNS. Without DKIM, your emails are more likely to be marked as spam or rejected outright — especially by major providers like Gmail, Outlook, and Yahoo.

## Why DKIM Matters

<CardGroup cols={2}>
  <Card title="Improved deliverability" icon="inbox">
    Signed messages pass authentication checks at receiving servers, reducing the chance of landing in spam or being blocked.
  </Card>

  <Card title="Anti-spoofing protection" icon="shield">
    DKIM makes it significantly harder for attackers to forge emails that appear to come from your domain.
  </Card>

  <Card title="Reputation building" icon="chart-line">
    A consistent DKIM signature helps receiving servers build a positive reputation for your sending domain over time.
  </Card>

  <Card title="DMARC compatibility" icon="lock">
    DKIM is a prerequisite for enforcing a DMARC policy. Without it, you cannot fully protect your domain from impersonation.
  </Card>
</CardGroup>

## How UGMail Handles DKIM

UGMail generates a unique RSA key pair for each domain you register. The private key is stored securely on UGMail's infrastructure and used to sign all outbound messages automatically once DKIM is configured. You publish the corresponding public key as a DNS TXT record so that receiving mail servers can look it up and verify the signature.

You never need to generate or manage keys manually — UGMail does this for you. Your only job is to add the provided TXT record to your DNS.

## Enabling DKIM for a Domain

<Steps>
  <Step title="Create your domain in UGMail">
    If you haven't already, register your domain by calling `POST /api/principal` with `type: "domain"`. See [Understanding Domains](/concepts/domains) for full details.

    ```bash theme={null}
    curl -X POST "https://mail.ugmail.co/api/principal" \
      -H "Authorization: Bearer YOUR_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{"name": "example.com", "type": "domain"}'
    ```
  </Step>

  <Step title="Retrieve your DNS records">
    Call `GET /api/dns/{domain}` to get the DKIM TXT record that UGMail has generated for your domain.

    ```bash theme={null}
    curl "https://mail.ugmail.co/api/dns/example.com" \
      -H "Authorization: Bearer YOUR_TOKEN"
    ```

    The response includes a DKIM record entry like this:

    ```json theme={null}
    {
      "type": "TXT",
      "host": "selector._domainkey.example.com",
      "value": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ..."
    }
    ```
  </Step>

  <Step title="Add the DKIM record to your DNS provider">
    Log in to your domain registrar or DNS management console and create a new TXT record using the exact `host` and `value` from the API response.

    | Field           | Value                                 |
    | --------------- | ------------------------------------- |
    | **Record type** | TXT                                   |
    | **Host / Name** | `selector._domainkey.example.com`     |
    | **Value**       | `v=DKIM1; k=rsa; p=<your-public-key>` |
    | **TTL**         | 3600 (or your provider's default)     |

    Save the record and allow time for DNS propagation.
  </Step>

  <Step title="Verify the record is live">
    Once propagation is complete, confirm the record is resolvable. You can use a DNS lookup tool or check directly from the command line:

    ```bash theme={null}
    dig TXT selector._domainkey.example.com
    ```

    If the record is live, you will see the `v=DKIM1; k=rsa; p=...` value in the response.
  </Step>
</Steps>

<Note>
  DNS records can take up to 48 hours to propagate worldwide, although changes typically appear within minutes to a few hours. Outbound mail sent before the record propagates will not carry a verified DKIM signature.
</Note>

## Understanding the DKIM Record Format

The DKIM TXT record is published at a subdomain with the format:

```
<selector>._domainkey.<your-domain>
```

Where `<selector>` is a short label (chosen by UGMail) that identifies which key was used to sign the message. This allows multiple DKIM keys to coexist on the same domain — useful during key rotation.

The value of the record follows the DKIM standard:

| Tag       | Meaning                           |
| --------- | --------------------------------- |
| `v=DKIM1` | DKIM version — always `DKIM1`     |
| `k=rsa`   | Key type — RSA is the standard    |
| `p=<key>` | The Base64-encoded RSA public key |

A full example record looks like this:

```text theme={null}
selector._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQEAZ..."
```

## DKIM, SPF, and DMARC Together

DKIM works best as part of a layered email authentication strategy. UGMail provides the DNS records for both DKIM and SPF via `GET /api/dns/{domain}`. Once those are in place, you can layer on a DMARC policy at your DNS provider to instruct receiving servers on what to do when authentication fails.

| Standard  | Purpose                                                         | Managed by                         |
| --------- | --------------------------------------------------------------- | ---------------------------------- |
| **SPF**   | Declares which servers are allowed to send mail for your domain | UGMail (record provided via API)   |
| **DKIM**  | Cryptographically signs outbound messages                       | UGMail (keys generated per domain) |
| **DMARC** | Enforces policy when SPF or DKIM fail; enables reporting        | You (added at your DNS provider)   |

A minimal DMARC record to get started with a monitoring-only policy looks like:

```text theme={null}
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
```

Move to `p=quarantine` or `p=reject` once you are confident your SPF and DKIM records are correct.

## Verifying Your DKIM Signature

After DNS propagates, send a test message from your domain and verify that the DKIM signature is valid.

<Tip>
  Use [mail-tester.com](https://www.mail-tester.com) or [MXToolbox's Email Header Analyzer](https://mxtoolbox.com/EmailHeaders.aspx) to check your DKIM signature and get a full authentication report. These tools show whether DKIM, SPF, and DMARC all pass for a given message.
</Tip>

A passing DKIM check in a message header looks like this:

```text theme={null}
Authentication-Results: mx.example.net;
  dkim=pass header.i=@example.com header.s=selector header.b=AbCdEfGh
```

## Next Steps

<CardGroup cols={2}>
  <Card title="Domains" icon="globe" href="/concepts/domains">
    Review the full domain setup flow including MX and SPF records.
  </Card>

  <Card title="Mailboxes" icon="inbox" href="/concepts/mailboxes">
    Start provisioning email accounts under your authenticated domain.
  </Card>
</CardGroup>
