How to Set Up DKIM and Finally Get Your Cold Emails Into Inboxes

If you’re setting up a new domain for cold email, and your email looks something like outreach.yourcompany.com, the first thing you need to do is authenticate it properly. 

Without that, inbox providers like Gmail and Outlook will likely treat your emails as suspicious. And with filters getting stricter in 2024, even low-volume senders are seeing legitimate emails land in spam.

Setting up DKIM is how you prove your emails are real, not spoofed or tampered with.

If it’s missing, you might already be seeing:

❌ “Missing DKIM” errors in your warm-up tool 

❌ Gmail headers showing dkim=fail

❌ Campaigns underperforming with low opens, high spam placements, and no replies

In this guide, we’ll walk you through how to set up DKIM step by step, depending on your setup:

• If you’re using Google Workspace, we’ll show you how to generate and activate DKIM in the admin console

• If you’re on Microsoft 365, we’ll explain how to configure it in the Defender portal

• If you use a custom domain on GoDaddy or Cloudflare, we’ll show you how to add the right records manually, even if you’ve never touched DNS before

Quick Start: Choose Your DKIM Path

• Using Gmail (Google Workspace)? Set it up in the Google Admin Console
  
• Using Outlook (Microsoft 365)? Set it up in Microsoft Defender + DNS
  
• Using a custom domain with tools like Instantly, Smartlead, or ActiveCampaign? Add DKIM records in your DNS provider (like GoDaddy)

How DKIM Works

Every time you send an email, DKIM adds an invisible digital signature to it. That signature proves two things:

1. The email really came from your domain
   
2. The content wasn’t changed after you hit send

Here’s how it works in simple terms:

• Your email system uses a private key to “sign” each email behind the scenes.
  
• That signature is attached to the email header (you don’t see it, but email servers do).
  
• When the email is received, the mail server looks up your public key, which is stored in your domain’s DNS records.
  
• It uses the public key to verify the signature.
  
  
  • If the match checks out: The email passes DKIM
    
  • If it doesn’t: It may get flagged as suspicious
    

You’ll often see this show up in your email headers as something like:
dkim=pass header.i=@yourcompany.com

If that line is missing or says dkim=fail, your emails are more likely to hit spam or get blocked entirely.

Why DKIM matters now more than ever

In 2024, Gmail and Yahoo began enforcing strict requirements for anyone sending more than 5,000 emails a day, including cold outreach and warm-up traffic. DKIM is no longer optional if you want your emails to land.

Even if you're sending fewer than 5,000 emails, failing DKIM checks still puts you on the fast track to spam. That’s why deliverability tools like MailReach check for a valid DKIM record.

If you’re seeing a “Missing DKIM” error in MailReach, it means your emails aren’t signed and inboxes like Gmail can’t verify they’re really from you.

Until that’s fixed, your outreach is either invisible or flagged as untrustworthy. DKIM is one of the first and most important steps in being seen.

Before You Set Up DKIM: What You’ll Need

1. Access to your domain’s DNS settings

You’ll need to log into your DNS provider like GoDaddy, Cloudflare, or Namecheap to add a TXT or CNAME record. If you don’t have access, get it from whoever manages your domain.

2. Access to your email sending platform

DKIM keys are generated inside the platform that sends your emails, Google Workspace, Microsoft 365, Zoho, or Mailgun. 

That platform must be set to sign your emails before you add the DNS record.

3. Clarity on who’s sending emails from your domain

Cold email may go through tools like Instantly, Smartlead, or Lemlist. Marketing emails may come from Mailchimp or Brevo.

Transactional emails might be routed via SendGrid, Postmark, or Amazon SES.

Each one usually needs its own DKIM record with a unique selector. If you’re using multiple tools, you’ll be adding multiple records.

4. A way to test if it’s working

Don’t just assume it’s working after publishing the record. You’ll want to verify that emails are actually being signed.

Use MailReach’s free DKIM Checker to do this after you finish setting up. We cover how to do this later in the article (scroll to the bottom). 

How to Set Up DKIM

Setting up DKIM differs depending on your email provider. Below are the most common platforms. Pick the one you use and follow the exact steps. 

Set Up DKIM in Google Workspace (Gmail)

1. Log in to the Google Admin Console using a super admin account. This is the main admin account used to set up Google Workspace for your domain. If you don’t have access to that, you’ll need to ask your IT admin or domain manager..

Once you're in, go to: Apps → Google Workspace → Gmail → Authenticate Email
Here, you’ll see a list of domains connected to your account. Select the domain you use for sending emails (like yourcompany.com). If DKIM isn’t set up yet, you’ll see a button that says “Generate new record.” Click that.

 2. You’ll now be asked to choose two things:

• A selector name (just use google, the default. There’s no need to customize it unless you have a specific reason)
• A key length (choose 2048-bit, which is more secure and recommended by Google)
  
  

Click Generate. Google will then show you two important pieces of information:

• A DNS Hostname (e.g., google._domainkey.yourcompany.com)
  
  
• A TXT record value — a very long string that begins with v=DKIM1; k=rsa; p=...This is your public DKIM key, and now you need to publish it so mail servers can find it.

3. Open your DNS provider’s dashboard. This is wherever your domain is hosted. Common ones are GoDaddy, Cloudflare, Namecheap, or Google Domains. You’re going to add a TXT record there, which might sound intimidating, but it’s just a copy-paste task.

4. In your DNS dashboard, click “Add new record”, and choose:

• Type: TXT
  
• Name / Host: google._domainkey (don’t include your full domain unless your provider requires it — many auto-fill this part)
  
• Value: paste the full key string that Google gave you
  

Save the record. DNS changes typically propagate within 5–30 minutes, but in rare cases may take up to 24 hours.

5. Now, go back to the Google Admin Console and hit “Start authentication” . This tells Google to start signing all your outgoing emails with that DKIM key. If you see an error, it’s probably because the DNS record hasn’t propagated yet. Wait 10–30 minutes and try again.

6. Once authentication starts, Google will show the status as “Authenticating email with DKIM.” That means it’s live.

7. To confirm everything is working, send a test email from your domain to a Gmail account (like your personal one). Open the email, click the three dots on the top right, and choose “Show original.” Scroll down and look for this line:

dkim=pass header.i=@yourcompany.com

If you see that, you’re all set. Your domain is now DKIM-protected, and your emails are more likely to land in inboxes, not spam.

You only need to do this once per domain, and you're done. DKIM doesn’t change often, but we recommend running a quick email spam test weekly or after DNS changes. This helps catch accidental issues before they affect deliverability.

✅ Set Up DKIM in Microsoft 365 (Outlook / Office 365)

If your business email runs on Microsoft 365 (e.g., Outlook), your messages by default get signed with Microsoft’s shared DKIM key tied to onmicrosoft.com, which isn't ideal, especially if you’re doing cold outreach. You want to use your own domain’s DKIM so that your messages look legitimate and trusted, especially to Gmail and other spam filters.

1. Start by logging into the Microsoft 365 Defender portal as an administrator:
   
   
2. Go to https://security.microsoft.com → then navigate to:
   Email & Collaboration → Policies & Rules → Threat Policies → DKIM
   
   
3. Here, you’ll see a list of your email domains. Find the domain you send emails from (like yourcompany.com), and click on it.
   
   
4. If DKIM hasn’t been set up yet, you’ll see an option to “Create DKIM keys.” Click that. Microsoft will now generate two DNS records that you need to add to your domain’s DNS settings. These are CNAME records, not TXT — and you’ll need to add both.
   
   
5. Microsoft will show you the values to use. For each one, you’ll get:

• A Name / Host like selector1._domainkey.yourcompany.com
  
  
• A Points to / Value like: selector1-yourcompany-com._domainkey.<region>.onmicrosoft.com
  
  

6. Copy both of these records: one for selector1 and one for selector2.
7. Next, go to your DNS provider (e.g. GoDaddy, Cloudflare, Namecheap—wherever your domain is managed).
8. Add two new CNAME records, using the exact names and values from Microsoft:
   
   

• Type: CNAME
  
  
• Name: selector1._domainkey
  
  
• Value: selector1-yourcompany-com._domainkey.<region>.onmicrosoft.com
  

• Type: CNAME
  
  
• Name: selector2._domainkey
  
  
• Value: selector2-yourcompany-com._domainkey.<region>.onmicrosoft.com
  Save both records. Make sure to replace <region> with what Microsoft shows (like europe or us), and match your actual domain. Once added, give the records some time to propagate—5 minutes to a few hours depending on your DNS provider.
  
  

9. Once the records are saved and have had a little time to propagate, go back to the  Microsoft Defender portal where you created the keys.
10. There, you’ll now see a toggle that says something like “Sign messages for this domain with DKIM signatures.” Fip the toggle to On.

If everything is set up correctly, Microsoft will confirm that DKIM is now active. From that point onward, every email sent from your domain via Microsoft 365 will be signed using your domain’s own DKIM keys.

To double-check that everything is working:

• Send a test email to a Gmail or Yahoo inbox
  
  
• Open the message → click the three-dot menu → “Show original”
  
  
• Look for this line:
  dkim=pass header.i=@yourcompany.com
  
  

If you see dkim=pass, congratulations, it’s all working.

Once it’s done, you won’t have to touch it again unless you change your DNS or want to rotate keys for security. Microsoft will handle key rotation behind the scenes automatically using those two selectors (selector1 and selector2), so you’re covered.

Why this matters: Without this setup, your emails may get flagged as suspicious, especially with Gmail’s new bulk sender rules. DKIM helps you build a strong sender reputation, critical if you’re running cold outreach or warming inboxes using email warmup tools like MailReach.

Set Up DKIM with Other Email Providers (GoDaddy, Zoho, Mailchimp)

Even if you don’t use Google Workspace or Microsoft 365 to send emails, you’ll need to setup DKIM

Most providers including GoDaddy email hosting, Zoho Mail, Mailchimp, SendGrid, or Brevo, generate a DKIM that you need to copy and paste into your domain settings.

We’ll walk you through three of the most common non-Google/Microsoft setups:

GoDaddy Email Hosting (cPanel or GoDaddy Webmail)

If you bought your domain and email through GoDaddy, and you use their built-in email service (Webmail or cPanel-based), here’s what to do:

1. Log in to your GoDaddy account and open your cPanel dashboard (for cPanel plans) or Email & Office dashboard (for GoDaddy Webmail).
   
2. In cPanel, look for a section called Email Deliverability or Email Authentication.
   This is where you’ll find DKIM settings if they exist.
   
   
   • If DKIM is already enabled, cPanel will show the existing TXT record and whether it’s working.
     
   • If it’s not, click on “Enable DKIM” or “Repair”.
     
3. If GoDaddy provides the DKIM record manually:
   
   • Copy the Name / Host (something like default._domainkey.yourdomain.com)
     
   • Copy the TXT Value (starts with v=DKIM1; k=rsa; p=...)
     
4. Go to your GoDaddy DNS settings (My Products → Domain → Manage DNS).
   
   • Click Add → Choose TXT
     
   • Host: the selector + _domainkey (e.g. default._domainkey)
     
   • Value: paste the long key string from step 3
     
   • Save and wait. DNS usually updates within minutes but can take up to 48 hours

Zoho Mail

Zoho Mail is popular with startups and small businesses. Here’s how to set up DKIM in Zoho:

1. Go to the Zoho Mail Admin Console
   
2. Navigate to:
   Mail Administration > Domains > [your domain] > DKIM
   
3. Click “Add Selector” and choose a selector name — something like zoho or default works fine.
   
4. Zoho will then show you the DNS record to publish:
   
   • Host: zoho._domainkey.yourdomain.com (or include full domain if required)
     
   • Type: TXT
     
   • Value: a long string that starts with v=DKIM1; p=...
     
5. Go to your DNS provider, add a TXT record with:
   
   
   • Host: zoho._domainkey
     
   • Value: paste Zoho’s key
     
6. Back in Zoho Admin, click “Verify” once the record has propagated.
   

✅ Once verified, Zoho will begin signing all outgoing emails with DKIM.

Email Marketing & Transactional Platforms (Mailchimp, SendGrid, Brevo, etc.)

These platforms typically give you multiple DNS records to publish for DKIM (and SPF or DMARC) records. The most common format involves two CNAME records.:

1. In your email tool's dashboard, go to the Domain Authentication or Sender Verification section.
   (In Mailchimp: Website > Domains > Authenticate)
   
   
2. Add your domain, and the tool will generate the records needed.
   
   • Typically, this includes 1–2 CNAME records for DKIM
     
   • Sometimes it includes a TXT record for SPF as well
     
3. Copy each record and add them to your domain’s DNS settings.
   
   Example (Mailchimp)
   
   
   • CNAME 1: k1._domainkey.yourdomain.com → dkim.mailchimp.com
     
   • CNAME 2: k2._domainkey.yourdomain.com → dkim2.mailchimp.com
     
4. Once added, go back to the platform and click Verify or Authenticate
   

• For SendGrid, Brevo, and most other platforms, setup is similar: they show host/value pairs, often mte1._domainkey / dkim1, etc., which you must enter as CNAMEs on your DNS panel

SPF vs DKIM vs DMARC: What’s the Difference?

These three acronyms often come up together, and they work best as a team. Here’s how they break down:

Do you need all three?

Yes, ideally. But DKIM is often the most important when it comes to deliverability and domain trust, especially for Gmail and Outlook.

If you're starting from scratch, start with DKIM and SPF. Then add DMARC when you're ready to monitor and enforce policy.

Don’t Let a Perfect Setup End in Spam   

At this point, you’ve done the hard parts: set up DKIM, authenticated your domain, and started warming your inbox. That’s the foundation.

But consistent deliverability is an ongoing process.

What keeps it strong?

• Stable sending patterns (no sudden volume jumps)

• Consistent engagement signals (opens, replies, low spam)

• Clean sender behavior (no bad lists or blacklisted links)

MailReach monitors all of this behind the scenes. If your inbox reputation starts to slip, you’ll know what’s wrong before it tanks your campaigns. 

Use MailReach to stay in the inbox,  not just get there once.

Sign up for MailReach now.